ComboFix 09-05-14.05 - Я 15.05.2009 15:18.2 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.2047.1656 [GMT 4:00]
Running from: c:\documents and settings\Я\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Я\Рабочий стол\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\SiteAccess.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\SiteAccess.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.
2009-05-15 10:29 . 2008-10-16 10:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-14 19:25 . 2009-05-14 19:25 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\Identities
2009-05-14 18:49 . 2009-05-14 18:49 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\ESET
2009-05-14 18:10 . 2009-05-14 18:10 -------- d-----w c:\program files\ESET
2009-05-13 17:06 . 2009-05-13 17:06 -------- d-----w c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-13 15:56 . 2009-05-13 15:56 -------- d-----w c:\program files\SiteAccess
2009-05-13 14:53 . 2009-05-13 14:53 -------- d-----w c:\documents and settings\Я\Application Data\Yandex
2009-05-13 14:53 . 2009-05-13 14:53 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\Mozilla
2009-05-13 14:31 . 2009-05-13 14:31 -------- d-----w c:\documents and settings\All Users\Application Data\Macrovision
2009-05-13 14:31 . 2009-05-13 14:31 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-05-13 14:31 . 2009-05-13 14:31 -------- d-----w c:\program files\Common Files\Adobe
2009-05-13 14:23 . 2009-05-13 14:23 -------- d-----w c:\program files\RadioClicker LITE
2009-05-07 20:46 . 2009-05-07 20:46 -------- d-----w c:\documents and settings\Я\Application Data\ROALDevelopment
2009-05-07 20:12 . 2009-05-07 20:13 -------- d-----w c:\documents and settings\Я\Application Data\Sonic Foundry
2009-05-07 20:12 . 2009-05-07 20:12 -------- d-----w c:\program files\Sonic Foundry
2009-05-07 20:12 . 2001-10-19 10:40 665424 ----a-w c:\windows\system32\wmv8dmoe.dll
2009-05-07 20:12 . 2001-10-19 10:40 438608 ----a-w c:\windows\system32\wmv8dmod.dll
2009-05-07 20:12 . 2001-10-19 10:39 572752 ----a-w c:\windows\system32\wmvdmoe.dll
2009-05-07 20:12 . 2001-10-19 10:40 1683792 ----a-w c:\windows\system32\wmvcore2.dll
2009-05-07 20:09 . 2003-10-01 13:44 31744 ----a-w c:\windows\system32\drivers\IcdSX.sys
2009-05-07 20:09 . 2009-05-07 20:09 -------- d-----w c:\program files\SONY
2009-05-07 20:08 . 2009-05-07 20:08 -------- d-----w c:\program files\MOBILedit!
2009-05-07 20:07 . 2007-02-22 06:15 12288 ----a-w c:\windows\system32\drivers\nmwcdcj.sys
2009-05-07 20:07 . 2007-02-22 06:15 12288 ----a-w c:\windows\system32\drivers\nmwcdcm.sys
2009-05-07 20:07 . 2007-02-22 06:15 8320 ----a-w c:\windows\system32\drivers\nmwcdc.sys
2009-05-07 20:07 . 2007-02-22 06:15 65536 ----a-w c:\windows\system32\nmwcdcocls.dll
2009-05-07 20:07 . 2007-02-22 06:15 137216 ----a-w c:\windows\system32\drivers\nmwcd.sys
2009-05-07 20:07 . 2007-02-22 06:15 90624 ----a-w c:\windows\system32\nmwcdcls.dll
2009-05-07 20:07 . 2009-05-07 20:07 -------- d-----w c:\program files\Nokia
2009-05-07 20:04 . 2009-05-07 20:04 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-06 13:22 . 2009-05-06 13:22 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\Ahead
2009-05-06 13:21 . 2009-05-06 13:21 -------- d-----w c:\documents and settings\Я\Application Data\Ahead
2009-05-06 13:21 . 2009-05-06 13:21 -------- d-----w c:\program files\Common Files\Ahead
2009-05-06 13:21 . 2009-05-06 13:21 -------- d-----w c:\program files\Nero
2009-05-05 14:02 . 2009-05-05 14:02 -------- d-----w c:\program files\Microsoft Works
2009-05-05 14:01 . 2009-05-05 14:01 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\Microsoft Help
2009-05-05 14:01 . 2009-05-05 14:01 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-05 13:58 . 2009-05-05 13:59 -------- d-----w c:\windows\system32\QuickTime
2009-05-05 13:58 . 2009-05-05 13:59 -------- d-----w c:\program files\QuickTime
2009-05-05 13:58 . 2009-05-05 13:58 -------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-05-05 13:58 . 2008-07-31 22:17 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-05-05 13:58 . 2008-07-31 22:17 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-05-05 13:58 . 2009-05-05 13:58 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\Google
2009-05-05 13:58 . 2009-05-05 13:58 -------- d-----w c:\windows\system32\IOSUBSYS
2009-05-05 13:58 . 2009-05-05 13:58 -------- d-----w c:\program files\Google
2009-05-05 13:55 . 2009-05-05 13:55 -------- d-----w c:\program files\Winamp
2009-05-05 13:54 . 2009-05-05 13:54 -------- d-----w c:\documents and settings\Я\Application Data\ACD Systems
2009-05-05 13:53 . 2009-05-05 13:53 -------- d-----w c:\documents and settings\Я\Local Settings\Application Data\ACD Systems
2009-05-05 13:53 . 2009-05-05 13:53 -------- d-----w c:\program files\Common Files\ACD Systems
2009-05-05 13:53 . 2009-05-05 13:53 10368 ----a-w c:\windows\system32\drivers\pfc.sys
2009-05-05 13:47 . 2009-05-05 13:47 -------- d-----w c:\windows\Downloaded Installations
2009-05-05 13:33 . 2009-05-05 13:33 -------- d-----w c:\documents and settings\Я\Application Data\CyberLink
2009-05-05 13:31 . 2009-05-05 13:31 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-05-05 13:31 . 2009-05-05 13:31 -------- d-----w c:\program files\CyberLink
2009-05-05 13:24 . 2008-12-03 07:35 16176 ------w c:\windows\system32\drivers\NVXBAR.SYS
2009-05-05 13:24 . 2008-12-03 07:35 141246 ------w c:\windows\system32\drivers\NVCAP.SYS
2009-05-05 13:23 . 2009-05-05 13:23 -------- d-----w c:\windows\system32\AGEIA
2009-05-05 13:23 . 2009-05-05 13:23 -------- d-----w c:\program files\AGEIA Technologies
2009-05-05 13:22 . 2009-05-05 13:22 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 13:22 . 2009-05-05 13:22 -------- d-----w c:\windows\nview
2009-05-05 13:22 . 2008-12-03 07:35 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-05-05 13:20 . 2009-05-05 13:20 -------- d-----w c:\windows\Logs
2009-05-05 13:20 . 2007-03-16 06:11 12256 ----a-w c:\windows\system32\drivers\TBPanel.sys
2009-05-05 13:20 . 2009-05-05 13:20 -------- d-----w c:\program files\Vtune
2009-05-05 13:13 . 2009-05-05 13:13 -------- d-----w c:\program files\VIA
2009-05-05 13:13 . 2007-04-11 07:35 331184 ------w c:\windows\system32\difxapi.dll
2009-05-05 13:13 . 2009-05-05 13:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-05 13:13 . 2008-06-25 16:47 36864 ----a-r c:\windows\system32\drivers\l1e51x86.sys
2009-05-05 13:13 . 2009-05-05 13:13 -------- d-----w c:\windows\system32\Atheros_L1e
2009-05-05 13:13 . 2009-05-05 13:13 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-05 13:11 . 2009-05-05 13:11 -------- d-----w c:\windows\system32\DRVSTORE
2009-05-05 13:11 . 2009-05-05 13:11 -------- d-----w c:\program files\Intel
2009-05-05 13:10 . 2009-05-05 13:10 -------- d-----w C:\Intel
2009-05-05 13:10 . 2004-08-13 10:56 5810 ----a-r c:\windows\system32\drivers\ASACPI.sys
2009-05-05 13:09 . 2007-12-28 07:22 10296 ----a-w c:\windows\system32\drivers\ASUSHWIO.SYS
2009-05-03 06:38 . 2009-05-03 06:38 -------- d-sh--w C:\Recycled
2009-05-03 06:28 . 2008-01-28 08:26 26496 ----a-w c:\windows\system32\dllcache\usbstor.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 20:46 . 1979-12-31 20:00 72344 ----a-w c:\windows\system32\perfc019.dat
2009-05-07 20:46 . 1979-12-31 20:00 438852 ----a-w c:\windows\system32\perfh019.dat
2009-04-30 19:38 . 2009-04-30 19:38 -------- d-----w c:\program files\microsoft frontpage
2009-04-30 19:38 . 2009-04-30 19:38 -------- d-----w c:\program files\MSXML 6.0
2009-04-30 19:38 . 2009-04-30 19:38 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 19:38 . 2009-04-30 19:38 -------- d-----w c:\program files\msi InstallSource MSXML
2009-04-30 19:36 . 2009-04-30 19:36 22564 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-19 07:45 . 2008-08-18 09:27 93848 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-03-19 07:44 . 2009-03-19 07:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-19 07:41 . 2008-08-18 09:18 113960 ----a-w c:\windows\system32\drivers\eamon.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-05-15_10.49.23 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-18 15360]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-12-03 2158592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-05 98304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-03 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-13 113664]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19.03.2009 11:44 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18.08.2008 13:27 93848]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [19.03.2009 11:44 731840]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [05.05.2009 17:13 36864]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [05.05.2009 17:14 238080]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [08.05.2009 0:09 31744]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yandex.ru/?clid=40316
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {719BE3BB-046A-41B4-A868-8B3555E92C63} = 195.98.64.65,195.98.64.66
TCP: {FB4776BB-EF70-4416-B9C5-6E2CF57E7AF5} = 195.98.64.65 195.98.64.66
FF - ProfilePath - c:\documents and settings\Я\Application Data\Mozilla\Firefox\Profiles\tdjybhw9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 15:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-15 15:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 11:26
ComboFix2.txt 2009-05-15 10:50
Pre-Run: 7 824 441 344 байт свободно
Post-Run: 7 817 158 656 байт свободно