Re: Re: Computer is slow, sound is glitchy
ComboFix 09-03-30.02 — Administrator 2009-03-31 17:08:47.5 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.2047.1660 [GMT 7:00]
Running from: c:documents and settingsAdministratorРабочий столComboFix.exe
FW: Outpost Firewall Pro *enabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.
2009-03-29 18:42 . 2009-03-29 18:42 d
c:windowssystem32Kaspersky Lab
2009-03-29 18:42 . 2009-03-29 18:42 d
c:documents and settingsAll UsersApplication DataKaspersky Lab
2009-03-25 14:43 . 2009-03-25 14:48 d
c:program filesmIRC
2009-03-25 14:33 . 2009-03-25 14:37 d
c:program filesDenS-mIRC
2009-03-25 13:56 . 2009-03-25 13:56 361,600 —a
c:windowssystem32driversTCPIP.SYS.ORIGINAL
2009-03-25 00:16 . 2001-09-19 22:47 765,952 —a
c:windowssystemcrlds3d.dll
2009-03-25 00:16 . 2006-03-18 03:18 392,960 —a
c:windowssystem32driverssenfilt.sys
2009-03-25 00:16 . 2008-07-10 19:22 334,336 —a
c:windowssystem32driversADIHdAud.sys
2009-03-25 00:16 . 2007-10-18 00:37 28,672 —a
c:windowssystem32PostProc.dll
2009-03-24 22:03 . 2009-03-24 22:03 d
c:program filesInterpretatio
2009-03-23 15:22 . 2009-03-23 15:23 d
c:documents and settingsAll UsersApplication DataBarbie Fashion Show
2009-03-23 13:42 . 2009-03-25 20:05 d
c:program filesAlawar.ru
2009-03-23 13:25 . 2009-03-23 13:25 d
c:program filesVirtualDubMod
2009-03-22 17:00 . 2009-03-22 17:00 d
c:documents and settingsAdministratorApplication DataGaijin Ent
2009-03-20 19:02 . 2009-03-20 22:52 d
c:documents and settingsAll UsersApplication DataSpybot — Search & Destroy
2009-03-20 16:27 . 2009-03-20 16:27 d
c:documents and settingsAdministratorApplication DataBloom
2009-03-14 16:05 . 2009-03-30 12:05 d
c:windowssystem32Filt
2009-03-14 16:05 . 2009-03-14 16:05 d
c:program filesAgnitum
2009-03-14 16:05 . 2009-02-26 11:27 704,384 —a
c:windowssystem32driversSandBox.sys
2009-03-14 16:05 . 2009-02-10 17:15 257,432 —a
c:windowssystem32driversafwcore.sys
2009-03-14 16:05 . 2008-06-20 10:45 30,864 —a
c:windowssystem32driversafw.sys
2009-03-14 16:05 . 2009-01-16 12:14 49 —a
c:windowstransp.gif
2009-03-14 16:04 . 2009-03-14 16:04 d
c:documents and settingsAll UsersApplication DataAgnitum
2009-03-14 15:53 . 2009-03-14 15:53 d
c:program filesYandex
2009-03-11 19:28 . 2009-03-11 19:28 d
c:documents and settingsAll UsersApplication DataMalwarebytes
2009-03-11 19:28 . 2009-03-11 19:28 d
c:documents and settingsAdministratorApplication DataMalwarebytes
2009-03-09 20:42 . 2004-09-06 11:25 d
c:program filesDjvuReader
2009-03-09 19:21 . 2009-03-09 19:21 d
c:documents and settingsAdministratorApplication DataTurbogames.ru
2009-03-09 17:42 . 2009-03-09 17:50 d
c:documents and settingsAdministratorApplication DataDAEMON Tools Pro
2009-03-09 17:42 . 2009-03-09 17:42 d
c:documents and settingsAdministratorApplication DataDAEMON Tools
2009-03-09 17:41 . 2009-03-09 17:41 d
c:documents and settingsAll UsersApplication DataDAEMON Tools Lite
2009-03-09 17:40 . 2009-03-14 15:53 d
c:documents and settingsAdministratorApplication DataYandex
2009-03-09 17:39 . 2009-03-09 17:40 d
c:program filesDAEMON Tools Lite
2009-03-09 17:39 . 2009-03-09 17:57 d
c:documents and settingsAdministratorApplication DataDAEMON Tools Lite
2009-03-07 17:15 . 2009-03-07 20:54 d
c:documents and settingsAll UsersApplication DataDoctor Web
2009-03-01 23:46 . 2009-03-01 23:46 d
c:windowssystem32LogFiles
2009-03-01 23:46 . 2009-03-01 23:46 d
c:windowssystem32driversUMDF
2009-03-01 23:46 . 2009-03-01 23:46 d
c:program filesWindows Media Connect 2
2009-03-01 14:01 . 2008-10-30 20:24 d
c:program filesPlugins
2009-03-01 14:01 . 2008-10-30 20:52 d
c:program filesLangs
2009-03-01 14:01 . 2008-10-30 20:24 d
c:program filesHelp
2009-02-28 20:12 . 2000-07-10 12:04 155,648 —a
c:windowsRusUinst.exe
2009-02-28 20:12 . 1998-06-25 16:13 28,160 —a
c:windowsUnSetup.exe
2009-02-28 19:40 . 1998-09-02 15:02 194,320 —a
c:windowssystem32qcut.dll
2009-02-28 19:40 . 1998-08-27 11:51 182,032 —a
c:windowssystem32dxtmsft3.dll
2009-02-28 19:40 . 1998-08-20 18:02 140,800 —a
c:windowssystem32tm20dec.ax
2009-02-28 19:40 . 1998-09-02 15:28 63,488 —a
c:windowssystem32unam4ie.exe
2009-02-28 19:40 . 1998-09-02 15:28 38,160 —a
c:windowssystem32LMRTREND.dll
2009-02-28 19:40 . 1998-08-17 16:21 11,776 —a
c:windowssystem32mciqtz.drv
2009-02-28 19:40 . 1998-08-17 16:21 10,240 —a
c:windowssystem32vidx16.dll
2009-02-28 19:40 . 1998-08-17 16:21 5,672 —a
c:windowssystem32quartz.vxd
2009-02-28 19:40 . 2009-02-28 19:40 4,608 —a
c:windowssystem32w95inf32.dll
2009-02-28 19:40 . 2009-02-28 19:40 2,272 —a
c:windowssystem32w95inf16.dll
2009-02-28 19:38 . 1998-01-19 18:39 27,600 -ra
c:windowsisk3ro.exe
2009-02-28 19:38 . 2009-02-28 19:38 306 —a
c:windowsQTW.INI
2009-02-28 19:37 . 2009-02-28 19:38 30 —a
c:windowsRESULT.QTW
2009-02-28 19:34 . 2009-02-28 19:37 63 —a
c:windowsMaris.ini
2009-02-28 19:33 . 2009-02-28 19:33 d
c:documents and settingsAdministratorWINDOWS
2009-02-28 19:33 . 1996-11-06 12:58 302,592 —a
c:windowsunin0419.exe
2009-02-28 19:19 . 2009-02-28 19:20 d
c:program filesCommon FilesAdobe
2009-02-28 19:00 . 1998-10-02 20:00 327,168 —a
c:windowsIsUninst.exe
2009-02-26 23:57 . 2008-04-14 01:17 25,856 —a
c:windowssystem32driversusbprint.sys
2009-02-26 23:57 . 2008-04-14 01:17 25,856 —a—c— c:windowssystem32dllcacheusbprint.sys
2009-02-26 19:48 . 2009-02-26 19:48 d
c:documents and settingsAdministratorApplication DatamIRC
2009-02-21 19:01 . 2009-02-21 19:01 d-a
c:program filesCoolReader 3.0.8
2009-02-21 18:56 . 2009-02-21 18:57 d
c:documents and settingsAdministratorApplication Datacr3
2009-02-20 21:07 . 2001-10-19 21:33 12,160 —a
c:windowssystem32driversmouhid.sys
2009-02-20 21:07 . 2001-10-19 21:33 12,160 —a—c— c:windowssystem32dllcachemouhid.sys
2009-02-20 21:06 . 2008-04-14 01:15 10,368 —a
c:windowssystem32drivershidusb.sys
2009-02-20 21:06 . 2008-04-14 01:15 10,368 —a—c— c:windowssystem32dllcachehidusb.sys
2009-02-17 23:54 . 2009-02-17 23:54 d
c:program filesNative Instruments
2009-02-17 23:54 . 2009-02-17 23:56 d
c:program filesFinale GPO 2.0
2009-02-17 23:54 . 2006-05-19 17:54 393,216 —a
c:windowssystem32NI_IRC_1_1.dll
2009-02-17 23:54 . 2005-04-04 19:00 393,216 —a
c:windowssystem32NI_IRC_1_0_3.dll
2009-02-17 23:54 . 2006-07-11 17:16 61,440 —a
c:windowssystem32NI_DFD_1_4.dll
2009-02-17 23:52 . 2009-03-30 12:04 d
c:program filesFinale 2007
2009-02-17 23:35 . 2009-02-17 23:53 d
C:Psfonts
2009-02-17 23:34 . 2009-03-14 15:23 d
c:program filesFinale 2006
2009-02-17 23:34 . 2009-02-17 23:34 573 —a
c:windowswiniini.fin
2009-02-16 23:57 . 2009-02-16 23:57 d
c:program filesSolo9
2009-02-16 23:57 . 2009-02-16 23:57 d
c:documents and settingsAll UsersApplication DataSolo9
2009-02-15 18:37 . 2009-02-15 18:37 d
c:program filesuTorrent
2009-02-14 23:16 . 2009-03-02 22:19 208 —a
c:windowsUpdateClientUI.INI
2009-02-13 16:01 . 2009-03-31 17:07 d
c:documents and settingsAdministratorApplication DatauTorrent
2009-02-12 20:34 . 2009-02-12 20:34 1,172 —a
c:windowsmozver.dat
2009-02-12 18:40 . 2009-02-12 18:40 0 —a
c:windowsnsreg.dat
2009-02-12 18:24 . 2009-02-12 18:24 d
c:program files2gis
2009-02-12 18:05 . 2009-02-12 18:05 d
c:documents and settingsAdministratorApplication DataGrym
2009-02-12 17:53 . 2009-02-12 18:09 d
c:documents and settingsAll UsersApplication Data2GIS
2009-02-12 17:30 . 2009-02-12 17:30 d
c:program filesK-Soft
2009-02-10 18:49 . 2008-12-21 06:03 6,066,688
c— c:windowssystem32dllcacheieframe.dll
2009-02-10 18:49 . 2007-04-17 16:32 2,455,488
c— c:windowssystem32dllcacheieapfltr.dat
2009-02-10 18:49 . 2007-03-08 12:12 1,060,864
c— c:windowssystem32dllcacheieframe.dll.mui
2009-02-10 18:49 . 2008-12-21 06:03 459,264
c— c:windowssystem32dllcachemsfeeds.dll
2009-02-10 18:49 . 2008-12-21 06:03 383,488
c— c:windowssystem32dllcacheieapfltr.dll
2009-02-10 18:49 . 2008-12-21 06:03 267,776
c— c:windowssystem32dllcacheiertutil.dll
2009-02-10 18:49 . 2008-12-21 06:03 63,488
c— c:windowssystem32dllcacheicardie.dll
2009-02-10 18:49 . 2008-12-21 06:03 52,224
c— c:windowssystem32dllcachemsfeedsbs.dll
2009-02-10 18:49 . 2008-12-19 16:10 13,824
c— c:windowssystem32dllcacheieudinit.exe
2009-02-08 01:52 . 2009-02-08 01:52 d
c:program filesMSXML 4.0
2009-02-07 22:17 . 2002-01-05 04:40 487,424 —a
c:windowssystem32Msvcp70.dll
2009-02-07 22:17 . 2004-08-18 13:34 442,368 —a
c:windowssystem32vp6vfw.dll
2009-02-07 22:17 . 2002-01-05 07:37 344,064 —a
c:windowssystem32Msvcr70.dll
2009-02-07 22:17 . 2004-08-06 14:49 265,785 —a
c:windowssystem32pixomatic.dll
2009-02-07 22:17 . 2004-01-06 11:43 188,416 —a
c:windowssystem32eax.dll
2009-02-07 22:17 . 2004-10-18 15:04 161,280 —a
c:windowssystem32fmod.dll
2009-02-07 22:17 . 2002-02-04 03:43 82,432 —a
c:windowssystem32msxml4r.dll
2009-02-07 22:17 . 2002-01-05 04:38 54,784 —a
c:windowssystem32msvci70.dll
2009-02-07 22:17 . 2002-02-01 08:00 22,016 —a
c:windowssystem32borlndmm.dll
2009-02-07 17:21 . 2008-06-15 00:35 272,512
c:windowssystem32driversbthport.sys
2009-02-07 17:21 . 2008-06-15 00:35 272,512
c— c:windowssystem32dllcachebthport.sys
2009-02-07 17:18 . 2009-02-07 17:20 d
c:windowssystem32NtmsData
2009-02-01 02:17 . 2008-08-14 20:26 2,190,976
c— c:windowssystem32dllcachentoskrnl.exe
2009-02-01 02:17 . 2008-08-14 20:26 2,147,328
c— c:windowssystem32dllcachentkrnlmp.exe
2009-02-01 02:17 . 2008-08-14 20:26 2,067,840
c— c:windowssystem32dllcachentkrnlpa.exe
2009-02-01 02:17 . 2008-08-14 20:26 2,025,984
c— c:windowssystem32dllcachentkrpamp.exe
2009-02-01 02:10 . 2008-10-24 18:21 455,296
c— c:windowssystem32dllcachemrxsmb.sys
2009-02-01 01:51 . 2009-03-11 18:16 d—h
c:windows$hf_mig$
2009-02-01 01:51 . 2007-07-27 10:41 26,488 —a
c:windowssystem32spupdsvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 14:43
d
w c:documents and settingsAdministratorApplication DataAIMP
2009-03-30 04:51
d
w c:program filesNero
2009-03-25 06:56 361,600 —-a-w c:windowssystem32driversTCPIP.SYS
2009-03-20 09:22
d
w c:documents and settingsAll UsersApplication DataAlawarWrapper
2009-03-09 12:28
d
w c:documents and settingsAll UsersApplication DataPlayFirst
2009-03-09 12:28
d
w c:documents and settingsAdministratorApplication DataPlayFirst
2009-03-02 09:45
d—h—w c:program filesInstallShield Installation Information
2009-02-10 11:50
d
w c:program filesCommon FilesReGet Shared
2009-02-09 14:07 1,846,912 —-a-w c:windowssystem32win32k.sys
2009-02-08 12:26
d
w c:documents and settingsAdministratorApplication DataReGet Software
2009-01-31 11:43 14,336 —-a-w c:windowssystem32svchost.exe
2009-01-18 12:04 632 —-a-w C:settings.dat
2008-12-23 15:58 453,152 —-a-w c:windowssystem32NVUNINST.EXE
2008-12-20 23:03 826,368 —-a-w c:windowssystem32wininet.dll
2008-12-05 06:57 144,896 —-a-w c:windowssystem32schannel.dll
2006-06-23 06:48 32,768 —-a-r c:windowsinfUpdateUSB.exe
.
Sigcheck
2008-06-20 18:59 361600 ad978a1b783b5719720cff204b666c8e c:windows$hf_mig$KB951748SP3QFEtcpip.sys
2008-04-15 19:00 361344 93ea8d04ec73a85db02eb8805988f733 c:windows$NtUninstallKB951748$tcpip.sys
2009-03-25 13:56 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:windowssystem32dllcacheTCPIP.SYS
2009-03-25 13:56 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:windowssystem32driversTCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-04-15 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«DAEMON Tools Lite»=»c:program filesDAEMON Tools Litedaemon.exe» [2008-12-29 687560]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-12-26 86016]
«2gis update client UI»=»c:program files2gisUpdateClientWin32UpdateClientUI.exe» [2008-09-17 4055040]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 9.0ReaderReader_sl.exe» [2008-06-12 34672]
«OutpostFeedBack»=»c:program filesAgnitumOutpost Firewall Profeedback.exe» [2009-03-02 433480]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2008-04-15 1040384]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-12-26 13680640]
«nwiz»=»nwiz.exe» [2008-12-26 c:windowssystem32nwiz.exe]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-15 15360]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«c:\WINDOWS\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\sessmgr.exe»=
«c:\Program Files\uTorrent\utorrent.exe»=
R1 SandBox;SandBox;c:windowssystem32driversSandBox.sys [2009-03-14 704384]
R2 2GIS UpdateClientService;2GIS UpdateClientService;c:program files2gisUpdateClientWin32UpdateClientService.exe [2008-09-17 1134592]
R2 acssrv;Agnitum Client Security Service;c:progra~1AgnitumOUTPOS~1acs.exe [2009-03-14 1267016]
R3 afw;Agnitum firewall driver;c:windowssystem32driversafw.sys [2009-03-14 30864]
R3 afwcore;afwcore;c:windowssystem32driversafwcore.sys [2009-03-14 257432]
R3 ASWFilt;ASWFilt;c:windowssystem32FiltASWFilt.dll [2009-03-14 33888]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:windowssystem32driversatl01_xp.sys [2009-01-05 35840]
.
Contents of the ‘Scheduled Tasks’ folder
2009-03-30 c:windowsTasks{DB41A4E8-349D-406A-AAA5-9B1F0B64152B}_HOME_Administrator.job
— c:windowssystem32mobsync.exe [2008-04-15 19:00]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.tomtel.ru/
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
IE: Проверить ссылку Dr.Web — http://www.drweb.com/online/drweb-online-ru.html
Trusted Zone: vtomske.rutorrents
Handler: solores — {8FA1F4E9-444B-48BF-98CD-B8ECA88E6BA5} — c:progra~1Solo9SoloRes.dll
FF — ProfilePath — c:documents and settingsAdministratorApplication DataMozillaFirefoxProfileslbvkc7xv.default
FF — prefs.js: browser.search.selectedEngine — Яндекс
FF — prefs.js: browser.startup.homepage —
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 17:09:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERSS-1-5-21-2000478354-1292428093-1417001333-1003SoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{897B7768-C70E-C0DE-BBAB-739DB4D9838D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-03-31 17:11:28
ComboFix-quarantined-files.txt 2009-03-31 10:11:26
ComboFix2.txt 2009-03-25 18:42:41
Pre-Run: 34 410 795 008 байт свободно
Post-Run: 34,404,618,240 байт свободно
236 — E O F — 2009-03-14 08:20:38

