ComboFix 11-12-04.02 - User 04.12.2011 16:06:18.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2996.2085 [GMT 3:00]
Running from: c:\documents and settings\User\Рабочий стол\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Local Settings\Application Data\Yandex\Updater\praetorian.exe
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\cf
c:\documents and settings\User\Application Data\System.log
c:\documents and settings\User\Local Settings\Application Data\Yandex\Updater\praetorian.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\odbcad32.exe
c:\windows\system32\TZLog.log
.
.
((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
.
.
2011-12-03 06:50 . 2011-12-03 06:50 -------- d-----w- C:\rsit
2011-11-23 07:22 . 2011-12-03 17:46 -------- d-sh--w- C:\DrWeb Quarantine
2011-11-16 15:09 . 2011-11-16 15:09 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 13:55 . 2008-04-15 12:00 1571840 ----a-w- c:\windows\system32\sfcfiles.dll
2011-11-16 11:54 . 2008-04-15 12:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-15 . 0940D662B2E96A46421BC7B46DE95905 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-04-15 12:00 . 541E772835E2FC4161ABF0B0048681B2 . 1462784 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
[-] 2008-04-15 12:00 . 541E772835E2FC4161ABF0B0048681B2 . 1462784 . . [2001.12.4414.700] . . c:\windows\system32\dllcache\comres.dll
.
[-] 2008-04-15 . F5A8D2C43C4DF06DDA66586EAD83AC8C . 653312 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-04-15 . F5A8D2C43C4DF06DDA66586EAD83AC8C . 653312 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[-] 2008-04-15 . 54E5D7ACAB0EDFDBADC9BC60F1A4AA9D . 875008 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2008-04-15 . EF8160D6C77FC7E07437C19A1F7E0E67 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
.
[-] 2011-07-22 . 5ED6F7818C5A4793858E7C815FB92A2D . 3651584 . . [7.00.6000.21305] . . c:\windows\system32\mshtml.dll
[-] 2011-07-22 . 5ED6F7818C5A4793858E7C815FB92A2D . 3651584 . . [7.00.6000.21305] . . c:\windows\system32\dllcache\mshtml.dll
.
[-] 2008-04-15 . 230DC834A1EB3F3080763685B93FE686 . 577024 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-15 . 230DC834A1EB3F3080763685B93FE686 . 577024 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll
.
[-] 2008-04-15 . 7589C67E11FDB355BB6B22FC313EA99E . 897536 . . [7.00.6000.21302] . . c:\windows\system32\wininet.dll
[-] 2008-04-15 . 7589C67E11FDB355BB6B22FC313EA99E . 897536 . . [7.00.6000.21302] . . c:\windows\system32\dllcache\wininet.dll
.
[-] 2008-04-15 . 1BD126937C7C01CD5AB064F62646C501 . 2452480 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-15 . 1BD126937C7C01CD5AB064F62646C501 . 2452480 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
.
[-] 2008-04-15 . F8FF21F19A9862BF32E3100C940E6B27 . 215552 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[-] 2008-04-15 . F8FF21F19A9862BF32E3100C940E6B27 . 215552 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regedit.exe
.
[-] 2008-04-15 . E880528ACB65C5E05EE7CF83B08464EA . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-15 . E880528ACB65C5E05EE7CF83B08464EA . 37376 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
.
[-] 2011-11-16 . 1B01DD5E85C13159388D7A58CFE9AB26 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2011-11-16 . 1B01DD5E85C13159388D7A58CFE9AB26 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfcfiles.dll
.
[-] 2008-04-15 . 20CFE149EFB715352B83C6B542926224 . 625152 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
[-] 2008-04-15 . 20CFE149EFB715352B83C6B542926224 . 625152 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\hnetcfg.dll
.
[-] 2008-04-15 . 6CE48E85DD628983830C736DD6C87EF8 . 2031616 . . [5.1.2600.6055] . . c:\windows\system32\ntkrnlpa.exe
[-] 2008-04-15 . 6CE48E85DD628983830C736DD6C87EF8 . 2031616 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntkrnlpa.exe
.
[-] 2008-04-15 . AB136C440EFAD349A61C83C0713D2A28 . 535832 . . [7.00.6000.21302] . . c:\windows\system32\dllcache\iexplore.exe
.
[-] 2008-04-15 . 267789E1F8A7A3BADFAE8EBCD5C3C423 . 2153472 . . [5.1.2600.6055] . . c:\windows\system32\ntoskrnl.exe
[-] 2008-04-15 . 267789E1F8A7A3BADFAE8EBCD5C3C423 . 2153472 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntoskrnl.exe
.
[-] 2008-04-15 . 6190A47A3C4B2F3D66DC270281C98A29 . 23552 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
[-] 2008-04-15 . 6190A47A3C4B2F3D66DC270281C98A29 . 23552 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\midimap.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C93F72A2-2162-4BBA-A07A-F13663C297A6}]
2011-10-06 10:46 2721080 ----a-w- c:\program files\Yandex\YandexBarIE\fastdial.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2011-10-06 12336440]
.
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2011-10-06 12336440]
.
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aml Maple"="c:\program files\AmlMaple\AmlMaple.exe" [2007-12-18 74240]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2009-01-11 132096]
"louderit.exe"="c:\program files\VolumeControl2\LouderIt.exe" [2008-02-19 41472]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-03-12 1280512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-02-17 20029032]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-03-09 62976]
"SpIDerMail"="c:\program files\DrWeb\spiderml.exe" [2010-08-03 1541360]
"SpIDerAgent"="c:\program files\DrWeb\SpIDerAgent.exe" [2010-07-29 1251056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 37376]
"Aml Maple"="c:\program files\AmlMaple\AmlMaple.exe" [2007-12-18 74240]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2009-01-11 132096]
"louderit.exe"="c:\program files\VolumeControl2\LouderIt.exe" [2008-02-19 41472]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Rebuild Icon Cache"="REBUILDI.EXE" [2011-05-26 350246]
.
c:\documents and settings\User\Главное меню\Программы\Автозагрузка\
Punto Switcher.lnk - c:\program files\Yandex\Punto Switcher\punto.exe [2011-11-14 1121640]
.
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"InternetOpenWith"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"InternetOpenWith"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [16.11.2011 17:17 125304]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [15.04.2008 15:00 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [15.04.2008 15:00 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [15.04.2008 15:00 13616]
R0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys [16.11.2011 17:17 81400]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16.11.2011 17:57 691696]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [17.11.2011 14:40 33824]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [21.06.2010 15:50 1628504]
R2 HWDeviceService.exe;HWDeviceService.exe;c:\documents and settings\All Users\Application Data\DatacardService\HWDeviceService.exe [14.03.2011 18:27 271712]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [03.12.2011 16:29 366152]
R2 MySQLDelivery;MySQLDelivery;"c:\program files\Dazy\Delivery\MySQL\MySQL Server 5.1\bin\mysqld" "--defaults-file=c:\program files\Dazy\Delivery/MySQL/MySQL Server 5.1/my.ini" MySQLDelivery --> c:\program files\Dazy\Delivery\MySQL\MySQL Server 5.1\bin\mysqld [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [16.11.2011 17:35 101392]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [18.11.2011 12:58 73216]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [16.11.2011 17:29 228392]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [03.12.2011 16:29 22216]
S2 MegaFon Modem. RunOuc;MegaFon Modem. OUC;c:\program files\MegaFon Modem\UpdateDog\ouc.exe [18.11.2011 12:58 240640]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16.11.2011 17:29 1691480]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [16.11.2011 18:14 43688]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [18.11.2011 12:58 102784]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [18.11.2011 12:58 235392]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [16.11.2011 17:28 132480]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 utg4njgy;AVZ Kernel Driver;c:\windows\system32\drivers\utg4njgy.sys [03.12.2011 17:59 7168]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.03.2010 8:16 753504]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.03.2010 8:16 130384]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-16 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\drweb32w.exe [2010-05-14 13:35]
.
2011-12-04 c:\windows\Tasks\Dr.Web Update.job
- c:\program files\DrWeb\DrWebUpW.exe [2010-07-27 11:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yandex.ru?clid=41279
mStart Page = about
:blank
uInternet Connection Wizard,ShellNext = hxxp://dt-updates.com/activate?query=Q6IO32nMUESbqTEkt%2fPyXawlBOmk0PMQJca2nrGGWr1jdrn%2f%2bhTf7qNi1afp1dM%2fVS7%2f5bJFQ6v BfT%2f8dZhGCMNmQnj0OXeBWpLc%2bo1jk4yhlljotWsg8sIZga8EsR6gtWF52p1PV4n%2fsqN1HLnqyUfid9UtpFF8UI%2fzkOo ldOV014l6taXKpEzgWZEywRuv88BGVuNAJ6fbH5SxD%2fDkVpkL4vYQ5nJscw%2fTyEsulgXD1djiTpM94iHIyCBpANzRD0asdk2 hOUJjcVLIYX3ILD0741kmpZCDxzw48xh4ydLHHALehcTr3cn5zJCs%2bI0E
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\program files\DrWeb\drwebsp.dll
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Praetorian - c:\documents and settings\User\Local Settings\Application Data\Yandex\Updater\praetorian.exe
Notify-WgaLogon - (no file)
AddRemove-{C05D8CDB-417D-4335-A38C-A0659EDFD6B8} - c:\program files\InstallShield Installation Information\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-12-04 16:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
"ImagePath"="system32\drivers\dwprot.sys"
"Name"="ImagePath"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQLDelivery]
"ImagePath"="\"c:\program files\Dazy\Delivery\MySQL\MySQL Server 5.1\bin\mysqld\" \"--defaults-file=c:\program files\Dazy\Delivery/MySQL/MySQL Server 5.1/my.ini\" MySQLDelivery"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll
.
- - - - - - - > 'lsass.exe'(904)
c:\windows\system32\setupapi.dll
c:\program files\DrWeb\drwebsp.dll
.
- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\btmmhook.dll
c:\program files\VolumeControl2\LHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\assembly\NativeImages_v2.0.50727_32\QTAddressBar\dab1493c2d65d2ecbf916a0e44e6aab4\QTAddre ssBar.ni.dll
c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.SHDocVw\e6a8adf0ebf01e4368d200113ce81ec2\Inte rop.SHDocVw.ni.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.RUS
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\documents and settings\All Users\Application Data\MegaFon Modem\OnlineUpdate\ouc.exe
c:\program files\Dazy\Delivery\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-12-04 16:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-04 13:14
.
Pre-Run: 29*013*336*064 байт свободно
Post-Run: 28*985*303*040 байт свободно
.
- - End Of File - - 76A7B684CDC0DFF6357C412753093161
