ComboFix 10-11-22.05 - Admin 23.11.2010 18:36:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.767.402 [GMT 3:00]
Running from: d:\downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\1.tmp
C:\2.tmp
C:\3.tmp
C:\4.tmp
C:\5.tmp
C:\6.tmp
C:\7.tmp
C:\8.tmp
c:\docume~1\Admin\LOCALS~1\Temp\71FA398C-EBEBB1DE-C0923213-A7000794\53666b.exe
c:\docume~1\Admin\LOCALS~1\Temp\71FA398C-EBEBB1DE-C0923213-A7000794\54bb8_xp.exe
c:\docume~1\Admin\LOCALS~1\Temp\71FA398C-EBEBB1DE-C0923213-A7000794\setup.dll
c:\documents and settings\Admin\Local Settings\Temp\71FA398C-EBEBB1DE-C0923213-A7000794\53666b.exe
c:\documents and settings\Admin\Local Settings\Temp\71FA398C-EBEBB1DE-C0923213-A7000794\54bb8_xp.exe
c:\documents and settings\Admin\Local Settings\Temp\71FA398C-EBEBB1DE-C0923213-A7000794\setup.dll
c:\windows\Delete.bat
c:\windows\system32\Пузыри.scr
.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.
2010-11-23 14:32 . 2010-11-23 15:26 -------- d-----w- c:\documents and settings\Admin\DoctorWeb
2010-11-23 08:06 . 2010-11-23 08:31 -------- d-----w- c:\documents and settings\Admin\Application Data\VSO
2010-11-23 07:58 . 2010-11-23 07:58 -------- d-----w- c:\program files\VSO
2010-11-22 14:23 . 2010-11-23 07:19 -------- d-----w- c:\windows\Folder32
2010-11-12 09:46 . 2010-11-12 09:46 -------- d-----w- c:\program files\Common Files\b006b95a
2010-11-08 08:41 . 2010-11-08 08:41 -------- d-----w- c:\program files\Common Files\Java
2010-11-08 08:40 . 2010-09-15 01:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-08 08:40 . 2010-09-15 01:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-03 13:19 . 2010-11-03 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-06 16:07 . 2010-09-14 06:37 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-09-16 06:40 . 2010-09-16 06:40 29708 ----a-w- C:\cc_20100916_104004.reg
2010-09-14 23:29 . 2010-04-04 10:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-14 06:38 . 2010-09-14 06:38 53248 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-09-10 19:32 . 2008-06-19 20:12 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2010-02-16 8944968]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2010-02-16 8944968]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-04-24 30208]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE8_01"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2009-04-24 128512]
"IE8_02"="advpack.dll" [2009-04-24 128512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\c58b4232.exe,c:\windows\system32\jimqjd.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 14:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-09-23 00:42 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 19:07 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 00:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bonus.SSR.FR10]
2010-01-18 09:12 941320 ----a-w- c:\program files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 11:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 01:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBAntiVirus.exe]
2008-06-09 22:06 1257984 ----a-w- c:\program files\USBAntiVirus\USBAntiVirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VistaIcon]
2008-01-02 10:52 132096 ----a-w- c:\program files\VistaDriveIcon\VistaDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14336:TCP"= 14336:TCP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04.04.2010 13:41 721904]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [14.09.2010 9:36 10448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27.05.2010 10:06 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12.01.2008 17:32 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 07:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Добавить к существующему PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Добавить содержимое по ссылке в существующий файл PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Преобразовать в Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Преобразовать содержимое по ссылке в PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
TCP: {E8189956-835C-4965-BAB4-D49AA400B7A5} = 83.220.35.98,83.220.43.42
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\byk96i7h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ru/
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ITBar7Position - (no file)
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-23 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1767777339-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,79,fe,b2,e8,51,e5,4d,a0,32,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,54,69,8b,ba,bd,3a,48,a7,db,4b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,54,69,8b,ba,bd,3a,48,a7,db,4b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(3696)
c:\windows\system32\SHDOCVW.dll
c:\program files\Mozilla Firefox\nspr4.dll
c:\program files\Mozilla Firefox\plds4.dll
c:\program files\Mozilla Firefox\plc4.dll
c:\program files\Mozilla Firefox\sqlite3.dll
c:\program files\Mozilla Firefox\nssutil3.dll
c:\program files\Mozilla Firefox\softokn3.dll
c:\program files\Mozilla Firefox\nss3.dll
c:\program files\Mozilla Firefox\smime3.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-11-23 19:00:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-23 16:00

Pre-Run: 8 855 638 016 байт свободно
Post-Run: 8 882 974 720 байт свободно

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /execute /fastdetect

- - End Of File - - E84F41BDD4E8B4071D3F6ADD1C3DCCFB