ComboFix 12-01-13.01 - Евгений 13.01.2012 15:10:56.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.2047.1394 [GMT 4:00]
Running from: c:\documents and settings\+òóõýøù\Desktop\ü°úóv\ComboFix.exe
AV: Антивирус Касперского *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\JustClicking
c:\program files\JustClicking\JustClicking.exe
c:\program files\KillSoft\KillCopy\kcresume.exe
c:\windows\system32\1.exe
c:\windows\system32\autorun.i
c:\windows\system32\autorun.in
c:\windows\system32\Com\Facebook.exe
c:\windows\system32\Com\facebook.ico
c:\windows\system32\Com\icomu.ico
c:\windows\system32\Com\icopic.ico
c:\windows\system32\Com\JustClicking.exe
c:\windows\system32\Com\Music.exe
c:\windows\system32\Com\Pictures.exe
c:\windows\system32\Com\Setup.exe
c:\windows\system32\csrcs.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\FNM6.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-13 08:18 . 2012-01-13 08:18 10240 ----a-w- c:\windows\system32\drivers\ujeznjux.sys
2012-01-13 08:17 . 2012-01-13 08:18 -------- d-----w- C:\avz4
2012-01-13 07:48 . 2012-01-13 07:48 7168 ----a-w- c:\windows\system32\drivers\uteznjux.sys
2012-01-13 07:42 . 2012-01-13 07:43 -------- d-----w- C:\rsit
2012-01-13 07:40 . 2012-01-13 07:40 461824 ----a-r- c:\documents and settings\Евгений\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-13 07:40 . 2012-01-13 07:40 -------- d-----w- c:\program files\Trend Micro
2012-01-11 09:20 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2012-01-11 09:20 . 2010-08-12 08:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2012-01-11 09:20 . 2010-06-08 16:10 790528 ----a-w- c:\windows\system32\xvidcore.dll
2012-01-11 09:20 . 2010-06-08 16:10 134144 ----a-w- c:\windows\system32\xvidvfw.dll
2012-01-11 09:20 . 2010-01-17 15:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
2012-01-11 09:20 . 2008-09-24 18:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2012-01-11 09:20 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-11 09:20 . 2012-01-11 09:20 -------- d-----w- c:\program files\K-Lite Codec Pack
2012-01-10 05:21 . 2012-01-10 05:21 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-01-08 09:36 . 2012-01-08 09:36 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2012-01-08 09:36 . 2012-01-08 09:36 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2012-01-08 09:35 . 2012-01-08 09:35 -------- d-----w- c:\program files\Kaspersky Lab
2012-01-08 09:35 . 2012-01-08 09:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2012-01-08 09:23 . 2012-01-08 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2012-01-06 07:44 . 2012-01-06 07:44 -------- d-----w- c:\documents and settings\Евгений\Application Data\BabylonToolbar
2012-01-06 07:21 . 2012-01-08 09:17 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2012-01-06 07:20 . 2012-01-08 09:16 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2012-01-06 07:18 . 2012-01-06 07:18 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2012-01-06 07:18 . 2012-01-06 07:18 -------- d-----w- c:\documents and settings\Евгений\Local Settings\Application Data\Microsoft Help
2012-01-06 07:18 . 2012-01-06 07:18 -------- d-----w- c:\program files\Microsoft SDKs
2012-01-06 07:18 . 2012-01-08 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2012-01-06 07:18 . 2012-01-06 07:18 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2012-01-06 07:15 . 2012-01-06 07:15 -------- d-----w- c:\program files\Common Files\Corel
2012-01-06 07:15 . 2012-01-06 07:15 -------- d-----w- c:\program files\Common Files\Protexis
2012-01-06 07:15 . 2012-01-06 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2012-01-06 07:09 . 2012-01-06 07:09 -------- d-----w- c:\program files\Corel
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-27 11:00 . 2011-11-27 11:00 126976 ----a-r- c:\documents and settings\Евгений\Application Data\Microsoft\Installer\{361693F2-A153-4359-A4CB-A1B9FF2AA5E6}\Witness.exe1_361693F2A1534359A4CBA1B9FF2AA5E6.exe
2011-11-27 11:00 . 2011-11-27 11:00 122880 ----a-r- c:\documents and settings\Евгений\Application Data\Microsoft\Installer\{361693F2-A153-4359-A4CB-A1B9FF2AA5E6}\Witness.exe_361693F2A1534359A4CBA1B9FF2AA5E6.exe
2011-11-25 10:21 . 2011-11-25 10:21 536064 ----a-w- c:\windows\system32\RegShellSM.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Punto Switcher"="c:\program files\Punto Switcher\ps.exe" [2002-12-05 272384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-14 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-14 13887080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 128568]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 219648]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"2Gis Update Notifier"="c:\program files\2gis\3.0\2GISTrayNotifier.exe" [2011-02-28 4599128]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2008-03-05 315392]
"Mkey.exe"="c:\program files\MKey\Mkey.exe" [2005-09-09 640000]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
.
c:\documents and settings\Евгений\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 461824]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R270 Series]
2006-05-19 04:00 221184 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBNP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo RX610 Series]
2007-03-30 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Miranda IM [Major KGB] [2.10]\\miranda32.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqSRMon.exe"=
"c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBNP.EXE"=
"c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FARNBNP.EXE"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\com\\Rar.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin32\\nSvcAppFlt.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14.10.2009 21:18 36880]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [11.11.2011 13:34 81920]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [11.11.2011 13:34 2736128]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14.09.2009 14:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02.10.2009 19:39 19472]
R3 MouseCap;MouseCapture Driver;c:\windows\system32\drivers\MouseCap.sys [08.08.2005 14:44 6640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.03.2010 13:16 130384]
S3 2GISUpdateService;2GIS UpdateService;c:\program files\2gis\3.0\2GISUpdateService.exe [28.02.2011 13:36 948056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [25.01.2002 14:21 1684736]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [24.01.2002 18:29 113280]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [24.01.2002 18:29 100736]
S3 ujeznjux;AVZ-SG Kernel Driver;c:\windows\system32\drivers\ujeznjux.sys [13.01.2012 12:18 10240]
S3 uteznjux;AVZ Kernel Driver;c:\windows\system32\drivers\uteznjux.sys [13.01.2012 11:48 7168]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.03.2010 13:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = www.JustClicking.net
mStart Page = hxxp://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: Interfaces\{B00DC73B-D848-4D8A-A977-B7ED7E63D52D}: NameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-KillCopy - c:\program files\KillSoft\KillCopy\kcresume.exe
HKLM-Run-WebSite - c:\program files\JustClicking\JustClicking.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-13 15:14
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3A615856-E172-434B-B75D-93E43E451E29}\InProcServer32*]
"dbcmejjmaicgcpaagimdomhaifhphmgimpjhdhlc"=hex:6b,61,62,66,6a,67,66,66,6e,68,6d,6f,6a,64,6d,6a,62,6b,70,6d,70,6c,00,00
"cbcmgipmpgenololchikdidneahlbnlhnjpldo"=hex:6b,61,65,6a,6d,67,61,6e,6c,62,6d,65,6f,6d,6c,6a,63,68,6a,67,66,6f,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2928)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\System32\snmp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2012-01-13 15:16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-13 11:16
.
Pre-Run: 35 752 882 176 bytes free
Post-Run: 35 911 135 232 bytes free
.
- - End Of File - - EC122503DA9A8A4E8FDCC7901F6CFC71