ComboFix 15-07-07.01 - gl-buh 07.07.2015 14:19:33.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2986.2294 [GMT 10:00]
Running from: C:\ComboFix.exe
AV: Doctor Web Anti-Virus *Disabled/Outdated* {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts1
c:\windows\system32\fdclient.dll
c:\windows\system32\winlogon.bak
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BD0001
-------\Legacy_BD0002
-------\Legacy_RADDRVV3
-------\Service_bd0001
-------\Service_bd0002
-------\Service_raddrvv3
.
.
((((((((((((((((((((((((( Files Created from 2015-06-07 to 2015-07-07 )))))))))))))))))))))))))))))))
.
.
2015-07-07 02:46 . 2015-07-07 03:00 -------- d-----w- c:\windows\system32\NtmsData
2015-07-03 04:29 . 2015-07-03 04:29 -------- d-----w- c:\documents and settings\gl-buh\Local Settings\Application Data\Torch
2015-07-03 04:29 . 2015-07-03 04:29 -------- d-----w- c:\documents and settings\gl-buh\Local Settings\Application Data\Orbitum
2015-07-03 04:29 . 2015-07-03 04:29 -------- d-----w- c:\documents and settings\gl-buh\Local Settings\Application Data\Kometa
2015-07-03 04:29 . 2015-07-03 04:29 -------- d-----w- c:\documents and settings\gl-buh\Local Settings\Application Data\Amigo
2015-07-02 01:53 . 2015-07-07 01:37 -------- d-----w- C:\СБиС++ Документооборот
2015-07-02 01:03 . 2015-07-02 01:03 -------- d-----w- c:\program files\TeamViewer
2015-07-01 06:15 . 2015-07-01 06:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2015-06-30 05:54 . 2015-07-06 00:40 -------- d-----w- C:\FRST
2015-06-25 23:36 . 2015-06-29 00:27 -------- d-----w- C:\AdwCleaner
2015-06-25 23:35 . 2015-06-25 22:59 2244096 ----a-w- C:\adwcleaner_4.207.exe
2015-06-24 23:37 . 2008-04-14 11:14 53120 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2015-06-24 23:11 . 2015-06-24 23:11 -------- d-----w- C:\7548001e97937d0c31c1d81c5da5
2015-06-13 01:29 . 2015-06-13 01:29 -------- d-sh--w- c:\documents and settings\gl-buh\PrivacIE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-23 20:41 . 2012-12-03 23:05 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-06-23 20:41 . 2012-12-03 23:05 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-06-23 20:41 . 2015-04-16 17:41 18174128 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-05-25 23:39 . 2008-04-15 12:00 509440 ----a-w- c:\windows\system32\winlogon.exe
2015-04-24 22:48 . 2015-04-24 22:48 8367276 ----a-w- C:\PCRADIO_4.0.5.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2015-05-25 . FAD4579B18A9E134B5BAC0A88874E2FD . 509440 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . B3B5D5855127E240C88451030AAEE76E . 509440 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sbis Launcher"="c:\documents and settings\gl-buh\Application Data\SbisLauncher\Launcher.exe" [2015-07-01 404040]
"SbisLoader"="c:\сбис++ документооборот\Мониторинг\SbisMon.exe" [2015-06-26 15944]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-02 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-02 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-02 145944]
"SpIDerAgent"="c:\program files\DrWeb\spideragent.exe" [2013-07-31 7540480]
"Linia Crash Reporter"="c:\program files\DevLine\Linia SKW\crash_reporter.exe" [2012-10-08 305152]
"eTMonitor"="c:\program files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe" [2009-12-31 230752]
"MegaFon_MegaFonInternet"="c:\program files\MegaFon\MegaFon Internet\MegaFonInternet.exe" [2014-04-29 408080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\gl-buh\Главное меню\Программы\Автозагрузка\
Запустить Radmin Server.lnk - c:\windows\system32\rserver30\rserver3.exe /start [2009-10-9 1242504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cpcsp]
2010-08-12 13:34 645704 ----a-w- c:\program files\Crypto Pro\CSP\cpcspi.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 wdigest cpssl
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DrWebEngine]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gl-buh^Главное меню^Программы^Автозагрузка^OpenOffice.org 3.4.1.lnk]
path=c:\documents and settings\gl-buh\Главное меню\Программы\Автозагрузка\OpenOffice.org 3.4.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.4.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTMonitor]
2009-12-31 00:17 230752 ----a-w- c:\program files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2010-08-11 03:31 40983152 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DevLine\\Linia SKW\\kernel.exe"=
"c:\\Program Files\\DevLine\\Linia SKW\\oopnet.exe"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"475:TCP"= 475:TCP:HASP LM 475 TCP
"475:UDP"= 475:UDP:HASP LM 475 UDP
"3587:TCP"= 3587:TCP:Группирование одноранговой сети Windows
"3540:UDP"= 3540:UDP
NRP-протокол (Peer Name Resolution Protocol)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [12.11.2012 10:41 234240]
R0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys [12.11.2012 10:41 167128]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [12.11.2012 21:01 2279808]
R1 bd0004;bd0004;c:\windows\system32\drivers\bd0004.sys [19.11.2014 17:10 183112]
R1 BDMWrench;BDMWrench;c:\windows\system32\drivers\BDMWrench.sys [25.02.2015 12:20 253000]
R1 CProCtrl;КриптоПро CSP драйвер;c:\windows\system32\drivers\CProCtrl.sys [02.08.2010 23:36 56144]
R1 DrWebWfp;DrWebWfp;c:\windows\system32\drivers\dw_wfp.sys [12.11.2012 10:41 57088]
R2 BDArKit;BDArKit;c:\windows\system32\drivers\BDArKit.SYS [19.02.2015 12:08 145224]
R2 BDSGRTP;BDSGRTP Service;c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.619\BaiduProtect.exe [19.11.2014 17:10 1931880]
R2 Consult;Consult;c:\windows\system32\drivers\Consult.sys [12.11.2012 9:54 3008]
R2 cpcsp1;КриптоПро CSP KC1;c:\windows\system32\svchost.exe -k cpcsp [15.04.2008 22:00 14336]
R2 DrWebAVService;Dr.Web Control Service;c:\program files\DrWeb\dwservice.exe --loglevel=inf --logfile="c:\documents and settings\All Users\Application Data\Doctor Web\Logs\dwservice.log" --> c:\program files\DrWeb\dwservice.exe --loglevel=inf --logfile=c:\documents and settings\All Users\Application Data\Doctor Web\Logs\dwservice.log [?]
R2 eTSrv;ETOKSRV;c:\program files\Aladdin\eToken\PKIClient\x32\eTSrv.exe [31.12.2009 10:17 12640]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_0\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_2_0\bin\fbguard.exe -s [?]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [20.02.2015 19:14 77824]
R3 RTIFDH;RTIFDH;c:\windows\system32\drivers\rtIFDH.sys [12.11.2012 9:01 13312]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [12.11.2012 7:51 2127728]
S?2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
S2 1C:Enterprise 8.3 Server Agent;Агент сервера 1С:Предприятия 8.3;c:\program files\1cv8\8.3.5.1383\bin\ragent.exe [12.12.2014 18:12 38704]
S3 4587FE86859F2704;4587FE86859F2704;\??\c:\documents and settings\gl-buh\local settings\temp\25336956.sys --> c:\documents and settings\gl-buh\local settings\temp\25336956.sys [?]
S3 4587FE8703B50B22;4587FE8703B50B22;\??\c:\documents and settings\gl-buh\local settings\temp\DFE9D538.sys --> c:\documents and settings\gl-buh\local settings\temp\DFE9D538.sys [?]
S3 AKSUP;AKSUP;c:\windows\system32\drivers\aksup.sys [29.12.2014 10:33 34472]
S3 cglptnt;cglptnt;c:\totalcmd\CGLPTNT.SYS [26.02.2013 8:06 7888]
S3 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [12.11.2012 10:41 1913680]
S3 DrWebNetFilter;Dr.Web Net Filtering Service;c:\program files\DrWeb\dwnetfilter.exe [12.11.2012 10:41 2226528]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [20.02.2015 19:14 95232]
S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\drivers\ew_usbenumfilter.sys [20.02.2015 19:14 11904]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_0\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_2_0\bin\fbserver.exe -s [?]
S3 hwusb_cdcacm;hwusb_cdcacm;c:\windows\system32\drivers\ew_cdcacm.sys [20.02.2015 19:14 110848]
S3 hwusb_cdcecm;hwusb_cdcecm;c:\windows\system32\drivers\ew_cdcecm.sys [20.02.2015 19:14 117888]
S4 HASP Loader;HASP Loader;c:\windows\system32\nhsrvice.exe -service --> c:\windows\system32\nhsrvice.exe -service [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
cpcsp REG_MULTI_SZ cpcsp1
AudioDrv REG_MULTI_SZ wsaudio
Intel(R) REG_MULTI_SZ ihctrl32
.
Contents of the 'Scheduled Tasks' folder
.
2015-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-03 20:41]
.
2012-11-12 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\dwscanner.exe [2012-11-12 00:41]
.
2015-06-08 c:\windows\Tasks\Уведомление о завершении поддержки Microsoft Windows XP ежемесячно.job
- c:\windows\system32\xp_eos.exe [2015-05-13 23:28]
.
2015-07-07 c:\windows\Tasks\Уведомлением о завершении поддержки Microsoft Windows XP при входе.job
- c:\windows\system32\xp_eos.exe [2015-05-13 23:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.ru/cnt/10445?gp=openpart5
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{CA3598F1-0341-4148-BE8C-B51B307F6FD0}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\gl-buh\Application Data\Mozilla\Firefox\Profiles\r10zxv7n.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.ru/cnt/10445?gp=openpart5
FF - prefs.js: keyword.URL - hxxp://go.mail.ru/search?fr=ntg&q=
/*
* Mozilla user config file
* Always enable SbisPluginClient
*/
FF - user.js: plugin.state.npsbispluginclient - 2
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-amigo - c:\documents and settings\gl-buh\Local Settings\Application Data\Amigo\Application\amigo.exe
MSConfigStartUp-BaiduClient - c:\documents and settings\gl-buh\AppData\Local\Baidu\Baidu\1.3.1.157\Baidu.exe
MSConfigStartUp-MailRuUpdater - c:\documents and settings\gl-buh\Local Settings\Application Data\MailRu\MailRuUpdater.exe
MSConfigStartUp-pcket_x64 - c:\program files\BaiduEx\uninit.exe
MSConfigStartUp-pcket_x86 - c:\program files (x86)\BaiduEx\uninit.exe
MSConfigStartUp-pr - c:\program files\Cверка_май_2015.scr
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2015-07-07 14:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-1844823847-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1229272821-1844823847-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\program files\Crypto Pro\CSP\detoured.dll
.
- - - - - - - > 'lsass.exe'(836)
c:\program files\Crypto Pro\CSP\detoured.dll
.
- - - - - - - > 'explorer.exe'(304)
c:\windows\system32\WININET.dll
c:\program files\Crypto Pro\CSP\detoured.dll
.
- - - - - - - > 'csrss.exe'(756)
c:\program files\Crypto Pro\CSP\detoured.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\System32\appdrvrem01.exe
c:\program files\Firebird\Firebird_2_0\bin\fbguard.exe
c:\program files\MegaFon\MegaFon Internet\MegaFonInternetService.exe
c:\windows\system32\rserver30\RServer3.exe
c:\program files\DevLine\Linia SKW\kernel.exe
c:\program files\DevLine\Linia SKW\dumper.exe
c:\program files\DevLine\Linia SKW\oopnet.exe
c:\program files\TeamViewer\Version9\TeamViewer_Service.exe
c:\windows\system32\rserver30\FamItrfc.Exe
c:\c:\WINDOWS\system32\rserver30\rserver3.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2015-07-07 14:26:49 - machine was rebooted
ComboFix-quarantined-files.txt 2015-07-07 04:26
.
Pre-Run: 56*649*584*640 байт свободно
Post-Run: 58*540*961*792 байт свободно
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect
.
- - End Of File - - 987415B266B5B53D01CAF1D3026861E9
8F558EB6672622401DA993E1E865C861