Re: Re: An informer window is stuck in the bottom-right corner
ComboFix 09-11-28.01 - Светулька 29.11.2009 0:48:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1251.7.1049.18.3069.1673 [GMT 3:00]
Running from: C:\Users\Светулька\Desktop\ComboFix.exe
AV: Антивирусная система Eset NOD32 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-28 22:06:12 . 2009-11-28 22:06:12 0 d-----w- C:\Users\Default\AppData\Local\temp
2009-11-27 00:01:23 . 2009-10-29 09:41:23 2048 ----a-w- C:\Windows\system32\tzres.dll
2009-11-25 20:35:47 . 2009-08-10 11:01:00 1399296 ----a-w- C:\Windows\system32\msxml6.dll
2009-11-25 20:35:46 . 2009-08-10 11:00:37 1257472 ----a-w- C:\Windows\system32\msxml3.dll
2009-11-16 20:10:14 . 2009-11-16 20:10:14 0 d-----w- C:\_OTM
2009-11-16 14:13:30 . 2009-11-16 14:14:59 0 d-----w- C:\Users\Света\AppData\Roaming\BSplayer
2009-11-14 19:47:03 . 2009-11-14 19:47:03 0 d-----w- C:\Users\Света\AppData\Roaming\Malwarebytes
2009-11-13 20:36:35 . 2009-11-16 20:20:22 4096 d-----w- C:\Program Files\trend micro
2009-11-13 20:36:35 . 2009-11-13 20:37:01 0 d-----w- C:\rsit
2009-11-13 18:25:56 . 2009-11-13 18:25:56 0 d-----w- C:\Users\Светулька\AppData\Roaming\Malwarebytes
2009-11-13 18:25:52 . 2009-09-10 11:54:06 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2009-11-13 18:25:50 . 2009-11-13 18:25:50 0 d-----w- C:\ProgramData\Malwarebytes
2009-11-13 18:25:50 . 2009-09-10 11:53:50 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-11-13 18:25:49 . 2009-11-13 18:25:55 4096 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-11 11:39:44 . 2009-08-14 13:53:16 2035712 ----a-w- C:\Windows\system32\win32k.sys
2009-11-11 11:29:39 . 2009-08-10 13:05:35 351232 ----a-w- C:\Windows\system32\WSDApi.dll
2009-10-31 00:03:53 . 2009-10-31 00:03:53 0 d-----w- C:\Users\Default\AppData\Local\Microsoft Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 22:06:53 . 2009-05-18 17:23:48 1835008 ---sha-w- C:\Users\Светулька\NTUSER.DAT
2009-11-28 22:06:11 . 2009-06-27 11:24:09 1835008 ---sha-w- C:\Users\Света\NTUSER.DAT
2009-11-27 00:23:57 . 2009-11-16 20:20:28 4838 ----a-w- C:\Windows\system32\PerfStringBackup.TMP
2009-11-27 00:17:47 . 2009-10-01 17:56:54 12 ----a-w- C:\Windows\bthservsdp.dat
2009-11-16 14:14:59 . 2009-11-16 14:13:30 0 d-----w- C:\Users\Света\AppData\Roaming\BSplayer
2009-11-14 19:47:03 . 2009-11-14 19:47:03 0 d-----w- C:\Users\Света\AppData\Roaming\Malwarebytes
2009-11-14 14:25:31 . 2009-06-18 11:08:16 8192 d-----w- C:\Program Files\ESET
2009-11-13 18:25:56 . 2009-11-13 18:25:56 0 d-----w- C:\Users\Светулька\AppData\Roaming\Malwarebytes
2009-11-12 00:06:04 . 2008-05-09 06:36:23 8192 d-----w- C:\ProgramData\Microsoft Help
2009-11-07 08:46:07 . 2009-07-04 11:38:05 0 d-----w- C:\Users\Света\AppData\Roaming\Toshiba
2009-10-30 16:53:42 . 2009-07-05 17:42:46 4096 d-----w- C:\Program Files\ArtMoney
2009-10-27 05:05:55 . 2009-06-27 11:24:09 4096 d-s---w- C:\Users\Света\AppData\Roaming\Microsoft
2009-10-11 13:46:00 . 2009-10-11 13:45:16 0 d-----w- C:\Users\Светулька\AppData\Roaming\Yandex
2009-10-11 13:45:17 . 2009-10-11 13:45:17 0 d-----w- C:\Program Files\Yandex
2009-10-06 20:25:11 . 2009-10-06 20:25:46 411368 ----a-w- C:\Windows\system32\deploytk.dll
2009-10-06 20:25:02 . 2008-04-23 10:07:09 4096 d-----w- C:\Program Files\Java
2009-10-01 18:07:00 . 2009-05-18 17:23:48 4096 d-s---w- C:\Users\Светулька\AppData\Roaming\Microsoft
2009-10-01 18:06:45 . 2009-10-01 18:06:45 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-09-14 09:44:57 . 2009-10-16 03:30:23 144896 ----a-w- C:\Windows\system32\drivers\srv2.sys
2009-09-10 17:30:12 . 2009-10-16 03:28:08 213504 ----a-w- C:\Windows\system32\msv1_0.dll
2009-09-04 12:24:34 . 2009-10-16 03:26:55 61440 ----a-w- C:\Windows\system32\msasn1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}"= "C:\Program Files\Radio_W\tbRadi.dll" [2009-05-20 14:05:00 2085400]
[HKEY_CLASSES_ROOT\clsid\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B5FB65F-631E-4564-ABF2-AD71845B28E0}]
2009-08-05 16:07:48 215040 ----a-w- C:\Program Files\Get-Styles 2.0\iejsloader.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
2009-05-20 14:05:00 2085400 ----a-w- C:\Program Files\Radio_W\tbRadi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}"= "C:\Program Files\Radio_W\tbRadi.dll" [2009-05-20 14:05:00 2085400]
"{5BCDC9E9-A980-4B53-B2E8-60CFF484DA61}"= "C:\Program Files\Get-Styles 2.0\ietoolbar.dll" [2009-07-28 08:30:26 122368]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "C:\Program Files\Yandex\YandexBar\IE\yndbar.dll" [2009-07-24 10:47:20 5586208]
[HKEY_CLASSES_ROOT\clsid\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
[HKEY_CLASSES_ROOT\clsid\{5bcdc9e9-a980-4b53-b2e8-60cff484da61}]
[HKEY_CLASSES_ROOT\ScriptedStar.Bar.2]
[HKEY_CLASSES_ROOT\TypeLib\{B124F09B-1B6C-431D-BE2D-DBA6864A8897}]
[HKEY_CLASSES_ROOT\ScriptedStar.Bar]
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B4EFB02B-CD4A-44B9-B5D9-AA486CDFFAB6}"= "C:\Program Files\Radio_W\tbRadi.dll" [2009-05-20 14:05:00 2085400]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "C:\Program Files\Yandex\YandexBar\IE\yndbar.dll" [2009-07-24 10:47:20 5586208]
[HKEY_CLASSES_ROOT\clsid\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 02:23:29 1233920]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 12:00:40 430080]
"SpriteService"="C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe" [2006-08-18 11:19:08 544768]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 02:25:33 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - C:\Windows\System32\oobefldr.dll [2008-01-21 02:23:39 2153472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 02:23:32 1008184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-06 20:25:12 149280]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:12:44 1029416]
"ITSecMng"="C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 12:03:46 75136]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2009-03-25 13:25:20 645328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 09:06:32 40048]
"topi"="C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 05:24:10 581632]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-06 01:44:45 366400]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-23 10:55:42 1836544]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 08:35:24 90112]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 13:41:18 413696]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 12:27:52 431456]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2007-10-31 19:01:12 54608]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 07:22:14 509816]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 10:25:26 712704]
"Toshiba Registration"="C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 10:05:08 571024]
"MAgent"="C:\Program Files\Mail.Ru\Agent\MAgent.exe" [2009-05-25 18:19:19 6210744]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2009-06-18 11:08:19 949376]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 12:35:35 176128]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 04:00:48 33648]
"actx.exe"="C:\Program Files\MegaFon\MultiFon\actx.exe" [2009-05-27 13:16:06 5458432]
"Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 05:21:28 648072]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 11:53:56 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - C:\Windows\RtHDVCpl.exe [2008-01-29 17:51:52 4911104]
"NDSTray.exe"="NDSTray.exe" [BU]
C:\Users\Светулька\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
TRDCReminder.lnk - C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
C:\Users\Света\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Вырезка экрана и программа запуска для OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
R1 nod32drv;nod32drv;C:\Windows\System32\drivers\nod32drv.sys [18.06.2009 14:09:17 15424]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe [25.12.2007 12:07:14 40960]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe [03.12.2007 16:03:52 126976]
R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [23.04.2008 13:37:10 7168]
S3 hwusbfake;Huawei DataCard USB Fake;C:\Windows\System32\drivers\ewusbfake.sys [04.09.2009 23:02:14 103040]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
2009-07-14 C:\Windows\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2009-05-24 13:49:09 . 2009-01-09 06:53:12]
2009-09-30 C:\Windows\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2009-05-24 13:49:09 . 2009-01-09 06:53:12]
2009-11-28 C:\Windows\Tasks\User_Feed_Synchronization-{A16FFCB4-7386-461B-A288-7584F6B4358A}.job
- C:\Windows\system32\msfeedssync.exe [2009-10-16 03:27:27 . 2009-08-27 03:41:45]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/?clid=123048
IE: &Экспорт в Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Поиск@Mail.Ru - c:\program files\mail.ru\sputnik\MailRuSputnik.dll/282
IE: Словари@Mail.Ru - c:\program files\mail.ru\sputnik\MailRuSputnik.dll/283
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url2.pl?RU
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
Handler: base64 - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - C:\Program Files\Get-Styles 2.0\ietdataprotocol.dll
Handler: chrome - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - C:\Program Files\Get-Styles 2.0\ietdataprotocol.dll
FF - ProfilePath - C:\Users\Светулька\AppData\Roaming\Mozilla\Firefox\Profiles\aw4m0u30.default\
FF - prefs.js: browser.startup.homepage - hxxp://yandex.ru/?clid=123049
FF - prefs.js: keyword.URL - hxxp://yandex.ru/yandsearch?clid=123045&text=
FF - component: C:\Users\Светулька\AppData\Roaming\Mozilla\Firefox\Profiles\aw4m0u30.default\extensions\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}\components\FFExternalAlert.dll
FF - plugin: C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-TCPMP - C:\Windows\WindowsMobile\TCPMP\Uninstall.exe TCPMP
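As an added example (not part of this post, and not ComboFix's own code): the script below parses lines in the "Reg Loading Points" and "Supplementary Scan" format of a ComboFix log and groups every registration by CLSID, so that a module registered at once as a URLSearchHook, a BHO, an IE toolbar and a Firefox component stands out from single-location entries such as the Yandex bar. SAMPLE_LOG is constructed from lines of this log written the way ComboFix writes them (straight quotes, backslashes); the exact folder boundaries inside the reconstructed paths (e.g. `Radio_W\tbRadi.dll`) are an assumption and do not affect the parsing.

```python
"""Added example: group a ComboFix log's hook registrations by CLSID.

Not part of the original post or of ComboFix. SAMPLE_LOG is constructed from
lines of the log above; the backslash positions inside paths are assumed.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)
# [HKEY_...\Toolbar]  section header
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "{GUID}"= "C:\path\x.dll" [date size]   (also matches "Name"="x.exe" Run entries)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')
# BHO body line:  2009-08-05 16:07:48 215040 ----a-w- C:\path\x.dll
BHO_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$"
)
# FF - component: C:\...\extensions\{GUID}\components\x.dll  (hyphen or em dash)
FF_RE = re.compile(r"^FF\s+[-\u2014]\s+component:\s+(?P<path>.+)$")

# Constructed sample, copied from the log above in ComboFix's own format.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}"= "C:\Program Files\Radio_W\tbRadi.dll" [2009-05-20 14:05:00 2085400]
[HKEY_CLASSES_ROOT\clsid\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B5FB65F-631E-4564-ABF2-AD71845B28E0}]
2009-08-05 16:07:48 215040 ----a-w- C:\Program Files\Get-Styles 2.0\iejsloader.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
2009-05-20 14:05:00 2085400 ----a-w- C:\Program Files\Radio_W\tbRadi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}"= "C:\Program Files\Radio_W\tbRadi.dll" [2009-05-20 14:05:00 2085400]
"{5BCDC9E9-A980-4B53-B2E8-60CFF484DA61}"= "C:\Program Files\Get-Styles 2.0\ietoolbar.dll" [2009-07-28 08:30:26 122368]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "C:\Program Files\Yandex\YandexBar\IE\yndbar.dll" [2009-07-24 10:47:20 5586208]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B4EFB02B-CD4A-44B9-B5D9-AA486CDFFAB6}"= "C:\Program Files\Radio_W\tbRadi.dll" [2009-05-20 14:05:00 2085400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 02:23:32 1008184]
FF - component: C:\Users\Светулька\AppData\Roaming\Mozilla\Firefox\Profiles\aw4m0u30.default\extensions\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}\components\FFExternalAlert.dll
"""


def parse_loading_points(text):
    """Map each CLSID (lower-cased, so mixed-case registrations merge) to the
    list of (hook location, module path) registrations found for it."""
    regs = defaultdict(list)
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            g = GUID_RE.search(m.group("name"))
            if g and current_key:          # Run entries have no GUID: skipped
                regs[g.group(0).lower()].append((current_key, m.group("path")))
            continue
        m = BHO_FILE_RE.match(line)
        if m and current_key and "Browser Helper Objects" in current_key:
            g = GUID_RE.search(current_key)  # the BHO's CLSID is in the key
            if g:
                regs[g.group(0).lower()].append((current_key, m.group("path")))
            continue
        m = FF_RE.match(line)
        if m:
            g = GUID_RE.search(m.group("path"))  # extension id in the path
            if g:
                regs[g.group(0).lower()].append(("Firefox component", m.group("path")))
    return dict(regs)


def multi_hooked(regs, min_locations=3):
    """CLSIDs seen in at least min_locations distinct hook locations."""
    return {
        guid: sorted({loc for loc, _ in entries})
        for guid, entries in regs.items()
        if len({loc for loc, _ in entries}) >= min_locations
    }


def modules_for(regs, guid):
    """Distinct on-disk modules behind one CLSID (input for a removal script)."""
    return sorted({path for _, path in regs.get(guid.lower(), [])})


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for guid, locations in multi_hooked(found).items():
        print(guid, "registered in", len(locations), "hook locations")
        for path in modules_for(found, guid):
            print("   ", path)
```

On the sample above the only CLSID that clears the three-location threshold is {b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}, backed by two different modules (the IE toolbar DLL and the Firefox component); the Get-Styles and Yandex entries each appear once. Note that the `[HKEY_CLASSES_ROOT\clsid\{...}]` lines ComboFix prints after each hook are only the COM class behind it, so the parser treats them as section headers and does not count them as an extra location.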

