Добър ден! Днес антивирусната ми програма Avast започна изведнъж да намира вирус след вирус. Името на вируса навсякъде беше TR/sirefef.BP.1. Засичаше вируси през 20-30 секунди в system32 и реших да спра компютъра директно. Пробвах да направя в safe mode препоръчани в интернет решения, но все не се получава нещо. В момента пиша от друг компютър в нас, а заразения е спрян. Ако трябва ще постна логове, но първо пиша за да знам примерно дали може в safe mode и ако не - как. Благодаря предварително! ПП: Забравих да спомена, че като почна да намира вируси, компютъра се забави, а интернета въобще не искаше да зарежда (не зареждаше никакви сайтове).

Редактирано 10 март 201214 г. от KaWaii (преглед на промените)

И отново за днес ще насоча към темата: http://www.kaldata.com/forums/index.php?showtopic=132819

Там колегите ще помогнат.

Ще пробвам тази програма, а ако не стане ще сканирам. Между другото нов симптом е, че вече въобще не може да се стартира компютъра нормално (само сейф мод-иначе излиза син екран).

СТЪПКА 1

Моля изтеглете последната версия на TDSSKiller оттук и я запазете на вашия декстоп.

• Стартирайте TDSSKiller.exe за да стартирате приложението. След това кликнете върху бутона Change parameters.

  

• Сложете отметки пред Verify Driver Digital Signature и Detect TDLFS file system и натиснете ОК.

  

• Натиснете бутона Start Scan.

  

• Ако подозрителен обект бъде засечен, действието по подразбиране ще бъде Skip, кликнете върху Continue.

  

• Ако зловредни обекти бъдат намерени, тогава от падащото меню ще имате три възможности.

  Бъдете сигурни, че избраното действие е Cure и натиснете върху Continue > Рестартирайте за да бъде завършена поправката.

  

  Забележка: Ако Cure бутона не е наличен от възможностите, тогава моля изберете Skip бутона, не избирайте Delete освен ако не сте инструктирани затова.

• Лог файл ще бъде създаден в свободната директория на дял C: . Потърсете за лог с името "TDSSKiller.[Version]_[Date]_[Time]_log.txt" и копирайте съдържанието му в следващия си пост.

СТЪПКА 2

1. Изтеглете ComboFix от BleepingComputer

и го запазете (бутон Save -> Save as) ComboFix на вашия десктоп:

След приключване на изтеглянето на ComboFix, иконката на програмата би трябвало да изглежда така:

2. Затворете всички работещи приложения, отворени прозорци и програми работещи във фонов режим. Спрете временно защитата в реално време на антивирусната програма и на другите програми за сигурност, ако има такива.

3. Стартирайте с двоен клик Combofix.exe. Изберете YES, за да се съгласите с условията за използване на програмата. Важно: По време на работата на ComboFix не бива да се движи мишката и да се натискат клавиши от клавиатурата. Просто търпеливо оставете ComboFix да си свърши работата, без да използвате компютъра за други цели.

4. ComboFix ще провери дали Windows Recovery Console e инсталиранa.

*Ако Windows Recovery Console не е инсталирана, ще е необходимо да използвате YES за инсталация на Windows Recovery Console

*Ако Windows Recovery Console е инсталирана, ComboFix ще продължи работата си.

Забележка: Необходимо е да сте свързани към Интернет за да може Windows Recovery Console да се изтегли.

След инсталация на Windows Recovery Console потвърдете с YES, за да продължите напред. Снимка:

5. ComboFix ще спре временно Интернет връзката, но след като приключи работата на програмата тази връзка ще бъде възстановена автоматично. ComboFix ще сканира за проблеми и за заразени файлове, като това може да отнеме известно време. Моля да бъдете търпеливи. Ако има проблем с Интернет връзката след приключване на работата на Combofix, моля да прочетете това: Manually restoring the Internet connection section.

6. Когато работата на ComboFix приключи, ще се появи текстов документ (log) в Notepad:

Копирайте с (Copy) и поставете с (Paste) съдържанието на лога в следващия си коментар.

В следващия си коментар, моля включете следните лог файлове

• Лог файлът от TDSSKiller
• Лог файлът от ComboFix

Само да попитам това всичкото може да стане в сейф мод нали? Защото както казах вече нямам достъп до нормален режим.

Да, може.

Лога от TDSSKiller

16:14:50.0103 0708 TDSS rootkit removing tool 2.7.19.0 Mar  5 2012 11:23:39
16:14:50.0869 0708 ============================================================
16:14:50.0869 0708 Current date / time: 2012/03/10 16:14:50.0869
16:14:50.0869 0708 SystemInfo:
16:14:50.0869 0708
16:14:50.0869 0708 OS Version: 5.1.2600 ServicePack: 2.0
16:14:50.0869 0708 Product type: Workstation
16:14:50.0869 0708 ComputerName: HOME-AC5CE86EB3
16:14:50.0869 0708 UserName: home
16:14:50.0869 0708 Windows directory: C:\WINDOWS
16:14:50.0869 0708 System windows directory: C:\WINDOWS
16:14:50.0869 0708 Processor architecture: Intel x86
16:14:50.0869 0708 Number of processors: 2
16:14:50.0869 0708 Page size: 0x1000
16:14:50.0869 0708 Boot type: Normal boot
16:14:50.0869 0708 ============================================================
16:14:53.0884 0708 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
16:14:53.0900 0708 Drive \Device\Harddisk1\DR4 - Size: 0x3C3FFE00 (0.94 Gb), SectorSize: 0x200, Cylinders: 0x7A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
16:14:53.0900 0708 \Device\Harddisk0\DR0:
16:14:53.0900 0708 MBR used
16:14:53.0900 0708 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC34F28D
16:14:53.0915 0708 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xC34F30B, BlocksNum 0xCD1578B
16:14:53.0931 0708 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x19064AD5, BlocksNum 0xC3C4D2B
16:14:53.0931 0708 \Device\Harddisk1\DR4:
16:14:53.0931 0708 MBR used
16:14:53.0931 0708 \Device\Harddisk1\DR4\Partition0: MBR, Type 0x6, StartLBA 0x3F, BlocksNum 0x1E1FC0
16:14:54.0072 0708 Initialize success
16:14:54.0072 0708 ============================================================
16:15:10.0335 3956 ============================================================
16:15:10.0335 3956 Scan started
16:15:10.0335 3956 Mode: Manual; SigCheck; TDLFS;
16:15:10.0335 3956 ============================================================
16:15:10.0585 3956 Aavmker4		(473f97edc5a5312f3665ab2921196c0c) C:\WINDOWS\system32\drivers\Aavmker4.sys
16:15:23.0412 3956 Aavmker4 - ok
16:15:23.0474 3956 Abiosdsk - ok
16:15:23.0474 3956 abp480n5 - ok
16:15:23.0521 3956 ACPI			(a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:15:23.0787 3956 ACPI - ok
16:15:23.0865 3956 ACPIEC		  (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:15:24.0036 3956 ACPIEC - ok
16:15:24.0083 3956 adpu160m - ok
16:15:24.0115 3956 aec			 (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
16:15:24.0583 3956 aec - ok
16:15:24.0677 3956 AFD			 (944ca435bfcfc82cc1ed9e3a7d731aa9) C:\WINDOWS\System32\drivers\afd.sys
16:15:24.0771 3956 AFD - ok
16:15:24.0802 3956 Aha154x - ok
16:15:24.0818 3956 aic78u2 - ok
16:15:24.0818 3956 aic78xx - ok
16:15:24.0849 3956 AliIde - ok
16:15:24.0943 3956 Ambfilt		 (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
16:15:25.0005 3956 Ambfilt - ok
16:15:25.0052 3956 AmdK8		   (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
16:15:25.0083 3956 AmdK8 - ok
16:15:25.0083 3956 AmdLLD - ok
16:15:25.0099 3956 amsint - ok
16:15:25.0114 3956 Arp1394		 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
16:15:25.0302 3956 Arp1394 - ok
16:15:25.0333 3956 asc - ok
16:15:25.0349 3956 asc3350p - ok
16:15:25.0380 3956 asc3550 - ok
16:15:25.0411 3956 aswFsBlk		(0ae43c6c411254049279c2ee55630f95) C:\WINDOWS\system32\drivers\aswFsBlk.sys
16:15:25.0427 3956 aswFsBlk - ok
16:15:25.0458 3956 aswMon2		 (8c30b7ddd2f1d8d138ebe40345af2b11) C:\WINDOWS\system32\drivers\aswMon2.sys
16:15:25.0458 3956 aswMon2 - ok
16:15:25.0505 3956 AswRdr		  (da12626fd9a67f4e917e2f2fbe1e1764) C:\WINDOWS\system32\drivers\AswRdr.sys
16:15:25.0521 3956 AswRdr - ok
16:15:25.0568 3956 aswSnx		  (dcb199b967375753b5019ec15f008f53) C:\WINDOWS\system32\drivers\aswSnx.sys
16:15:25.0599 3956 aswSnx - ok
16:15:25.0630 3956 aswSP		   (b32873e5a1443c0a1e322266e203bf10) C:\WINDOWS\system32\drivers\aswSP.sys
16:15:25.0661 3956 aswSP - ok
16:15:25.0677 3956 aswTdi		  (6ff544175a9180c5d88534d3d9c9a9f7) C:\WINDOWS\system32\drivers\aswTdi.sys
16:15:25.0693 3956 aswTdi - ok
16:15:25.0708 3956 AsyncMac		(02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:15:25.0896 3956 AsyncMac - ok
16:15:25.0958 3956 atapi		   (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:15:26.0130 3956 atapi - ok
16:15:26.0161 3956 Atdisk - ok
16:15:26.0255 3956 ati2mtag		(8a7ac68fbeabcca05e5811157f52853e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:15:26.0380 3956 ati2mtag - ok
16:15:26.0442 3956 Atmarpc		 (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:15:26.0599 3956 Atmarpc - ok
16:15:26.0646 3956 audstub		 (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:15:26.0817 3956 audstub - ok
16:15:26.0849 3956 avgntflt - ok
16:15:26.0880 3956 bbcap		   (709fbe6eced1c3259d2b50bb0520b765) C:\WINDOWS\system32\DRIVERS\bbcap.sys
16:15:26.0911 3956 bbcap - ok
16:15:26.0942 3956 Beep			(da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:15:27.0099 3956 Beep - ok
16:15:27.0161 3956 cbidf2k		 (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:15:27.0333 3956 cbidf2k - ok
16:15:27.0380 3956 cd20xrnt - ok
16:15:27.0395 3956 Cdaudio		 (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:15:27.0567 3956 Cdaudio - ok
16:15:27.0645 3956 Cdfs			(cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
16:15:28.0005 3956 Cdfs - ok
16:15:28.0067 3956 Cdrom		   (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:15:28.0239 3956 Cdrom - ok
16:15:28.0286 3956 Changer - ok
16:15:28.0317 3956 CmdIde - ok
16:15:28.0333 3956 Cpqarray - ok
16:15:28.0411 3956 cpuz130 - ok
16:15:28.0411 3956 cpuz135 - ok
16:15:28.0442 3956 dac2w2k - ok
16:15:28.0473 3956 dac960nt - ok
16:15:28.0489 3956 ddsxeiservice - ok
16:15:28.0552 3956 Disk			(00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
16:15:28.0755 3956 Disk - ok
16:15:28.0833 3956 dmboot		  (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
16:15:29.0036 3956 dmboot - ok
16:15:29.0114 3956 dmio			(f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
16:15:29.0286 3956 dmio - ok
16:15:29.0348 3956 dmload		  (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:15:29.0520 3956 dmload - ok
16:15:29.0583 3956 DMusic		  (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
16:15:29.0786 3956 DMusic - ok
16:15:29.0848 3956 dpti2o - ok
16:15:29.0879 3956 drmkaud		 (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
16:15:30.0051 3956 drmkaud - ok
16:15:30.0129 3956 Fastfat		 (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
16:15:30.0317 3956 Fastfat - ok
16:15:30.0379 3956 Fdc			 (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:15:30.0551 3956 Fdc - ok
16:15:30.0645 3956 Fips			(e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
16:15:30.0832 3956 Fips - ok
16:15:30.0895 3956 Flpydisk		(0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:15:31.0082 3956 Flpydisk - ok
16:15:31.0176 3956 FltMgr		  (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:15:31.0770 3956 FltMgr - ok
16:15:31.0848 3956 Fs_Rec		  (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:15:32.0020 3956 Fs_Rec - ok
16:15:32.0067 3956 Ftdisk		  (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:15:32.0239 3956 Ftdisk - ok
16:15:32.0317 3956 GarenaPEngine - ok
16:15:32.0348 3956 gdrv - ok
16:15:32.0410 3956 GEARAspiWDM	 (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
16:15:32.0426 3956 GEARAspiWDM - ok
16:15:32.0442 3956 GGSAFERDriver - ok
16:15:32.0457 3956 GMSIPCI - ok
16:15:32.0473 3956 Gpc			 (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:15:32.0645 3956 Gpc - ok
16:15:32.0692 3956 hamachi		 (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
16:15:32.0692 3956 hamachi - ok
16:15:32.0739 3956 HDAudBus		(3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:15:32.0754 3956 HDAudBus - ok
16:15:32.0801 3956 HidUsb		  (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:15:32.0973 3956 HidUsb - ok
16:15:33.0020 3956 hpn - ok
16:15:33.0067 3956 HPZid412		(30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
16:15:33.0082 3956 HPZid412 - ok
16:15:33.0129 3956 HPZipr12		(efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
16:15:33.0145 3956 HPZipr12 - ok
16:15:33.0176 3956 HPZius12		(7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
16:15:33.0207 3956 HPZius12 - ok
16:15:33.0254 3956 HTTP			(cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
16:15:33.0785 3956 HTTP - ok
16:15:33.0832 3956 i2omgmt - ok
16:15:33.0848 3956 i2omp - ok
16:15:33.0895 3956 i8042prt		(5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:15:34.0066 3956 i8042prt - ok
16:15:34.0176 3956 Imapi		   (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:15:34.0316 3956 Imapi - ok
16:15:34.0348 3956 ini910u - ok
16:15:34.0520 3956 IntcAzAudAddService (1511286a30ac4f74f5e9aac182bbefbc) C:\WINDOWS\system32\drivers\RtkHDAud.sys
16:15:34.0769 3956 IntcAzAudAddService - ok
16:15:34.0801 3956 IntelIde - ok
16:15:34.0832 3956 Ip6Fw		   (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:15:35.0004 3956 Ip6Fw - ok
16:15:35.0066 3956 IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:15:35.0223 3956 IpFilterDriver - ok
16:15:35.0285 3956 IpInIp		  (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:15:35.0457 3956 IpInIp - ok
16:15:35.0519 3956 IpNat		   (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:15:36.0051 3956 IpNat - ok
16:15:36.0129 3956 IPSec		   (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:15:36.0301 3956 IPSec - ok
16:15:36.0363 3956 IRENUM		  (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:15:36.0472 3956 IRENUM - ok
16:15:36.0551 3956 isapnp		  (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:15:36.0707 3956 isapnp - ok
16:15:36.0769 3956 Kbdclass		(ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:15:36.0925 3956 Kbdclass - ok
16:15:37.0004 3956 kmixer		  (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
16:15:37.0613 3956 kmixer - ok
16:15:37.0644 3956 KSecDD		  (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
16:15:37.0800 3956 KSecDD - ok
16:15:37.0847 3956 lbrtfdc - ok
16:15:37.0894 3956 MBAMProtector   (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
16:15:37.0894 3956 MBAMProtector - ok
16:15:37.0941 3956 mnmdd		   (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:15:38.0097 3956 mnmdd - ok
16:15:38.0160 3956 Modem		   (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
16:15:38.0316 3956 Modem - ok
16:15:38.0425 3956 Monfilt		 (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
16:15:38.0488 3956 Monfilt - ok
16:15:38.0519 3956 Mouclass		(34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:15:38.0691 3956 Mouclass - ok
16:15:38.0722 3956 mouhid		  (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:15:38.0894 3956 mouhid - ok
16:15:38.0988 3956 MountMgr		(65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
16:15:39.0144 3956 MountMgr - ok
16:15:39.0191 3956 mraid35x - ok
16:15:39.0238 3956 MRxDAV		  (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:15:39.0363 3956 MRxDAV - ok
16:15:39.0456 3956 MRxSmb		  (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:15:39.0488 3956 MRxSmb - ok
16:15:39.0535 3956 Msfs			(561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
16:15:39.0706 3956 Msfs - ok
16:15:39.0784 3956 MSKSSRV		 (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:15:39.0941 3956 MSKSSRV - ok
16:15:40.0019 3956 MSPCLOCK		(13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:15:40.0191 3956 MSPCLOCK - ok
16:15:40.0238 3956 MSPQM		   (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
16:15:40.0394 3956 MSPQM - ok
16:15:40.0472 3956 mssmbios		(469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:15:40.0628 3956 mssmbios - ok
16:15:40.0706 3956 Mup			 (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
16:15:40.0894 3956 Mup - ok
16:15:40.0956 3956 NDIS			(558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
16:15:41.0112 3956 NDIS - ok
16:15:41.0253 3956 NdisTapi		(08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:15:41.0409 3956 NdisTapi - ok
16:15:41.0441 3956 Ndisuio		 (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:15:41.0597 3956 Ndisuio - ok
16:15:41.0675 3956 NdisWan		 (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:15:41.0831 3956 NdisWan - ok
16:15:41.0878 3956 NDProxy		 (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
16:15:42.0034 3956 NDProxy - ok
16:15:42.0175 3956 NetBIOS		 (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:15:42.0315 3956 NetBIOS - ok
16:15:42.0378 3956 NetBT		   (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:15:42.0550 3956 NetBT - ok
16:15:42.0628 3956 NIC1394		 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
16:15:42.0753 3956 NIC1394 - ok
16:15:42.0847 3956 nm			  (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
16:15:43.0003 3956 nm - ok
16:15:43.0065 3956 Npfs			(4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
16:15:43.0222 3956 Npfs - ok
16:15:43.0268 3956 NPPTNT2		 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
16:15:43.0347 3956 NPPTNT2 ( UnsignedFile.Multi.Generic ) - warning
16:15:43.0347 3956 NPPTNT2 - detected UnsignedFile.Multi.Generic (1)
16:15:43.0393 3956 Ntfs			(19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
16:15:43.0940 3956 Ntfs - ok
16:15:43.0987 3956 Null			(73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:15:44.0143 3956 Null - ok
16:15:44.0471 3956 nv			  (6733e80a193fc36f41c24142b0c45c0e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:15:44.0846 3956 nv - ok
16:15:44.0940 3956 NVENETFD		(a12ec731bb00adad2d016d41c1f18fa4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
16:15:44.0956 3956 NVENETFD - ok
16:15:44.0956 3956 nvnetbus		(5dc6a149897820de315916b6ec984ec9) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
16:15:44.0987 3956 nvnetbus - ok
16:15:45.0049 3956 NwlnkFlt		(b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:15:45.0237 3956 NwlnkFlt - ok
16:15:45.0299 3956 NwlnkFwd		(c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:15:45.0440 3956 NwlnkFwd - ok
16:15:45.0518 3956 ohci1394		(0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
16:15:45.0674 3956 ohci1394 - ok
16:15:45.0721 3956 Parport		 (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
16:15:45.0877 3956 Parport - ok
16:15:45.0956 3956 PartMgr		 (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
16:15:46.0096 3956 PartMgr - ok
16:15:46.0143 3956 ParVdm		  (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:15:46.0284 3956 ParVdm - ok
16:15:46.0362 3956 PCI			 (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
16:15:46.0502 3956 PCI - ok
16:15:46.0549 3956 PCIDump - ok
16:15:46.0596 3956 PCIIde		  (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:15:46.0752 3956 PCIIde - ok
16:15:46.0799 3956 Pcmcia		  (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:15:46.0971 3956 Pcmcia - ok
16:15:47.0018 3956 PDCOMP - ok
16:15:47.0034 3956 PDFRAME - ok
16:15:47.0034 3956 PDRELI - ok
16:15:47.0065 3956 PDRFRAME - ok
16:15:47.0065 3956 perc2 - ok
16:15:47.0080 3956 perc2hib - ok
16:15:47.0143 3956 PptpMiniport	(1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:15:47.0299 3956 PptpMiniport - ok
16:15:47.0377 3956 Processor	   (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
16:15:47.0533 3956 Processor - ok
16:15:47.0596 3956 PSched		  (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
16:15:47.0768 3956 PSched - ok
16:15:47.0815 3956 Ptilink		 (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:15:47.0955 3956 Ptilink - ok
16:15:48.0002 3956 PxHelp20		(e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:15:48.0002 3956 PxHelp20 - ok
16:15:48.0018 3956 ql1080 - ok
16:15:48.0033 3956 Ql10wnt - ok
16:15:48.0049 3956 ql12160 - ok
16:15:48.0080 3956 ql1240 - ok
16:15:48.0112 3956 ql1280 - ok
16:15:48.0158 3956 RasAcd		  (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:15:48.0299 3956 RasAcd - ok
16:15:48.0362 3956 Rasl2tp		 (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:15:48.0518 3956 Rasl2tp - ok
16:15:48.0596 3956 RasPppoe		(7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:15:48.0752 3956 RasPppoe - ok
16:15:48.0768 3956 Raspti		  (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:15:48.0924 3956 Raspti - ok
16:15:49.0002 3956 Rdbss		   (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:15:49.0580 3956 Rdbss - ok
16:15:49.0658 3956 RDPCDD		  (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:15:49.0814 3956 RDPCDD - ok
16:15:49.0893 3956 rdpdr		   (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:15:50.0049 3956 rdpdr - ok
16:15:50.0111 3956 RDPWD		   (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
16:15:50.0674 3956 RDPWD - ok
16:15:50.0736 3956 redbook		 (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:15:50.0877 3956 redbook - ok
16:15:51.0033 3956 RTHDMIAzAudService (55dc71f0cfe9e74c4f34434f9acd61dc) C:\WINDOWS\system32\drivers\RtHDMI.sys
16:15:51.0158 3956 RTHDMIAzAudService - ok
16:15:51.0221 3956 RTLE8023xp	  (25be98c05808c57e4d8d26477dc12d39) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
16:15:51.0252 3956 RTLE8023xp - ok
16:15:51.0283 3956 Secdrv		  (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:15:51.0845 3956 Secdrv - ok
16:15:51.0924 3956 Serenum		 (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:15:52.0080 3956 Serenum - ok
16:15:52.0127 3956 Serial		  (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
16:15:52.0283 3956 Serial - ok
16:15:52.0345 3956 Sfloppy		 (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:15:52.0502 3956 Sfloppy - ok
16:15:52.0548 3956 Simbad - ok
16:15:52.0580 3956 Sparrow - ok
16:15:52.0627 3956 splitter		(0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
16:15:53.0189 3956 splitter - ok
16:15:53.0252 3956 sptd			(cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
16:15:53.0252 3956 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
16:15:53.0252 3956 sptd ( LockedFile.Multi.Generic ) - warning
16:15:53.0252 3956 sptd - detected LockedFile.Multi.Generic (1)
16:15:53.0283 3956 sr			  (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
16:15:53.0392 3956 sr - ok
16:15:53.0470 3956 Srv			 (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
16:15:53.0501 3956 Srv - ok
16:15:53.0548 3956 ssmdrv		  (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
16:15:53.0548 3956 ssmdrv - ok
16:15:53.0595 3956 swenum		  (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:15:53.0720 3956 swenum - ok
16:15:53.0798 3956 swmidi		  (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
16:15:53.0955 3956 swmidi - ok
16:15:53.0970 3956 symc810 - ok
16:15:54.0001 3956 symc8xx - ok
16:15:54.0017 3956 sym_hi - ok
16:15:54.0033 3956 sym_u3 - ok
16:15:54.0064 3956 sysaudio		(650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
16:15:54.0236 3956 sysaudio - ok
16:15:54.0314 3956 Tcpip		   (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:15:54.0408 3956 Tcpip - ok
16:15:54.0470 3956 TDPIPE		  (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:15:54.0611 3956 TDPIPE - ok
16:15:54.0689 3956 TDTCP		   (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
16:15:54.0829 3956 TDTCP - ok
16:15:54.0876 3956 TermDD		  (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:15:55.0033 3956 TermDD - ok
16:15:55.0064 3956 TosIde - ok
16:15:55.0126 3956 Udfs			(12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
16:15:55.0282 3956 Udfs - ok
16:15:55.0329 3956 ultra - ok
16:15:55.0392 3956 UnlockerDriver5 (d0cb75386d9e89c864d808d64ec9160f) C:\Program Files\Unlocker\UnlockerDriver5.sys
16:15:55.0407 3956 UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - warning
16:15:55.0407 3956 UnlockerDriver5 - detected UnsignedFile.Multi.Generic (1)
16:15:55.0454 3956 Update		  (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
16:15:55.0611 3956 Update - ok
16:15:55.0657 3956 usbccgp		 (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:15:55.0829 3956 usbccgp - ok
16:15:55.0892 3956 usbehci		 (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:15:56.0032 3956 usbehci - ok
16:15:56.0079 3956 usbhub		  (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:15:56.0220 3956 usbhub - ok
16:15:56.0282 3956 usbohci		 (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
16:15:56.0423 3956 usbohci - ok
16:15:56.0470 3956 usbprint		(a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:15:56.0610 3956 usbprint - ok
16:15:56.0673 3956 USBSTOR		 (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:15:56.0814 3956 USBSTOR - ok
16:15:56.0876 3956 VgaSave		 (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
16:15:57.0032 3956 VgaSave - ok
16:15:57.0048 3956 ViaIde - ok
16:15:57.0095 3956 VolSnap		 (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
16:15:57.0251 3956 VolSnap - ok
16:15:57.0282 3956 Wanarp		  (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:15:57.0438 3956 Wanarp - ok
16:15:57.0485 3956 WDICA - ok
16:15:57.0517 3956 wdmaud		  (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
16:15:58.0095 3956 wdmaud - ok
16:15:58.0188 3956 WpdUsb		  (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
16:15:58.0204 3956 WpdUsb - ok
16:15:58.0266 3956 WudfPf		  (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:15:58.0282 3956 WudfPf - ok
16:15:58.0298 3956 WudfRd		  (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:15:58.0313 3956 WudfRd - ok
16:15:58.0360 3956 MBR (0x1B8)	 (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:15:58.0563 3956 \Device\Harddisk0\DR0 - ok
16:15:58.0563 3956 MBR (0x1B8)	 (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR4
16:16:01.0125 3956 \Device\Harddisk1\DR4 - ok
16:16:01.0125 3956 Boot (0x1200)   (cd3483b593de3a712ae9226992a08259) \Device\Harddisk0\DR0\Partition0
16:16:01.0141 3956 \Device\Harddisk0\DR0\Partition0 - ok
16:16:01.0157 3956 Boot (0x1200)   (de26c6b86da76b06a1eae0adcc67ddb5) \Device\Harddisk0\DR0\Partition1
16:16:01.0172 3956 \Device\Harddisk0\DR0\Partition1 - ok
16:16:01.0188 3956 Boot (0x1200)   (2b86b5fbcf29f801df1ddd3f2265555b) \Device\Harddisk0\DR0\Partition2
16:16:01.0188 3956 \Device\Harddisk0\DR0\Partition2 - ok
16:16:01.0188 3956 Boot (0x1200)   (04eae75074ed662a5f490df4db3ca8a1) \Device\Harddisk1\DR4\Partition0
16:16:01.0188 3956 \Device\Harddisk1\DR4\Partition0 - ok
16:16:01.0204 3956 ============================================================
16:16:01.0204 3956 Scan finished
16:16:01.0204 3956 ============================================================
16:16:01.0313 3968 Detected object count: 3
16:16:01.0313 3968 Actual detected object count: 3
16:16:16.0811 3968 NPPTNT2 ( UnsignedFile.Multi.Generic ) - skipped by user
16:16:16.0811 3968 NPPTNT2 ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:16:16.0811 3968 sptd ( LockedFile.Multi.Generic ) - skipped by user
16:16:16.0811 3968 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
16:16:16.0811 3968 UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - skipped by user
16:16:16.0811 3968 UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:16:48.0276 0664 Deinitialize success

ComboFix го пуснах, дава ми 2 неща (не помня точно), едното от които ми казва, че трябва да рестартира компютъра заради него (някакъв kit). Рестартира се, появява се пак екрана, изписва се Stage 1,2,3 completed и забива. Оставих го 1 час и нищо не прави.

Компютъра успях да го оправя поне да зарежда и да не дава нон стоп вируси с System Restore, смяна на антивирусната (смених на avast) и full scan. В момента пиша от заразения компютър и вече не дава намерени вируси въобще.

Имали сте късмет, че сте имали чиста точка за възстановяване. Този рууткит се чисти доста трудно особено под XP и когато Combofix откаже да стартира.

Да проверим как е положението:

Изтеглете OTL.exe и го запазете на десктопа.

• Стартирайте OTL (ако е необходимо, потвърдете през UAC).
• Направете следните настройки:
• Сложете отметка пред Scan All Users
• Под менюто File Age изберете 90 days
• Под менюто Standard Registryпроменете на ALL
• Сложете отметки пред LOP и Purity Check

Под с Copy/ Paste въведете изцяло следната текстова информация (само това, което е поставено в карето):

netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\Application Data\*.*
%USERPROFILE%\Local Settings\Application Data\*.*
%AllUsersProfile%\*.*
%AllUsersProfile%\Application Data\*.*
%USERPROFILE%\My Documents\*.*
%CommonProgramFiles%\*.*
%PROGRAMFILES%\*.*
%systemroot%\system32\config\systemprofile\*.*
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
%windir%\temp*.*
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_MSIL\*.* /S /MD5
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
/md5start
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
atapi.sys
iaStor.sys
serial.sys
disk.sys
volsnap.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
tcpip.sys
ipsec.sys
hlp.dat
/md5stop

• Натиснете маркираният в синьо бутон: Run Scan.
• Като приключи проверката, ще се създадат два файла - OTL.Txt и Extras.Txt. Прикачете тези два файла в следващия си коментар (погледнете опцията Прикачени файлове, когато публикувате мнение).

Имали сте късмет, че сте имали чиста точка за възстановяване. Този рууткит се чисти доста трудно особено под XP и когато Combofix откаже да стартира.

Да проверим как е положението:

Изтеглете OTL.exe и го запазете на десктопа.

• Стартирайте OTL (ако е необходимо, потвърдете през UAC).
• Направете следните настройки:
• Сложете отметка пред Scan All Users
• Под менюто File Age изберете 90 days
• Под менюто Standard Registryпроменете на ALL
• Сложете отметки пред LOP и Purity Check

Под с Copy/ Paste въведете изцяло следната текстова информация (само това, което е поставено в карето):

netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\Application Data\*.*
%USERPROFILE%\Local Settings\Application Data\*.*
%AllUsersProfile%\*.*
%AllUsersProfile%\Application Data\*.*
%USERPROFILE%\My Documents\*.*
%CommonProgramFiles%\*.*
%PROGRAMFILES%\*.*
%systemroot%\system32\config\systemprofile\*.*
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
%windir%\temp*.*
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_MSIL\*.* /S /MD5
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
/md5start
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
atapi.sys
iaStor.sys
serial.sys
disk.sys
volsnap.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
tcpip.sys
ipsec.sys
hlp.dat
/md5stop

• Натиснете маркираният в синьо бутон: Run Scan.
• Като приключи проверката, ще се създадат два файла - OTL.Txt и Extras.Txt. Прикачете тези два файла в следващия си коментар (погледнете опцията Прикачени файлове, когато публикувате мнение).

Пробвах да старитрам OTL от desktop, но ми дава грешка (OTL has encountered a problem and needs to close. We are sorry for the inconvenience.).

ПП: Преди време когато имах проблем отново с компютъра и исках съвет във форума, програмата отново не ми тръгна със същата грешка.

Редактирано 10 март 201214 г. от KaWaii (преглед на промените)

Здравейте....поради служебни ангажименти B-boy[styLe] не може да продължи по вашия случай...затова аз ще ви окажа съдействие по нататък..! Въпрос - в момента можете ли да стартирате операционната си система нормално..?

Здравейте....поради служебни ангажименти B-boy[styLe] не може да продължи по вашия случай...затова аз ще ви окажа съдействие по нататък..!

Въпрос - в момента можете ли да стартирате операционната си система нормално..?

Да. Всичко тръгва без никакви проблеми.

Да разбирам.....!Благодаря..!

1.Изтеглете програмата AVZ 4.37 и разархивирайте avz4.zip например в папка (c:\antivir).

2.Стартирайте програмата и изпълнете:

File => Standard scripts => в отворилия се прозорец маркирайте позиция 7 => Execute selected scripts:

След завършване на сканирането компютъра ви ще се рестартира..!

Ще се създаде архив KL_syscure.zip в същата папка където е разархивирана програмата.

Моля, прикачете този архив във следващия си пост..!

Заповядай.

KL_syscure.zip

Изключете временно антивирусната си програма и защитната стена.

Изпълнете следния скрипт : Как да изпълним скрипт с AVZ

begin
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\Program Files\Cheat Engine\EmptyProcess.exe','');
 QuarantineFile('C:\Program Files\Bifrost\server.exe','');
 QuarantineFile('C:\Program Files\sXe Injected\ddsxei.sys','');
 QuarantineFile('C:\WINDOWS\system32\Drivers\PROCEXP113.SYS','');
BC_ImportQuarantineList;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(13);
RebootWindows(true);
end.

След изпълнение на скрипта компютъра ви ще се рестартира..!

След процедурата изпълнете следния скрипт Как да изпълним скрипт с AVZ

begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

В резултат на изпълнението на втория скрипт ще се генерира карантина quarantine.zip.Изпратете получения файл quarantine.zip,който се намира в папката на АВЗ, на адрес: [email protected] и укажете линк към вашата тема (задължително) и на адрес [email protected]

Виждат се остатъци от Авира.Деинсталирайте ги с помоща на този инструмент:Avira RegistryCleaner

С две думи да пратя e-mail и на двете пощи с този файл и линка към темата?

Да,точно..!

Сега ще изчакаме анализа на файловете и ще продължим..!Между другото през това време:

Изтеглете Malwarebytes' Anti-Malware или от тук

* Кликнете два пъти върху mbam-setup.exe, за да инсталирате програмата.

* Уверете се, че са поставени отметки на Update Malwarebytes' Anti-Malware и Launch Malwarebytes' Anti-Malware. След това кликнете на Finish.

* Ако има намерени обновявания, тя ще ги изтегли и инсталира.

* Стартирайте програмата и изберете "Perform Full Scan", след това кликнете на Scan.

* Сканирането ще отнеме малко време, затова моля да бъдете търпеливи.

* Когато сканирането завърши, кликнете на OK, след това Show Results, за да видите резултата.

* Уверете се, че на всички редове има отметки, и кликнете на Remove Selected.

* Когато всичко бъде премахнато, в Notepad ще бъде отворен лог. Копирайте този лог и го публикувайте в следващия си коментар по темата.

Забележка: Ако MalwareBytes' Anti-Malware се затрудни в премахването на откритите вируси/заплахи, той ще поиска да рестартира компютъра Ви и по време на рестартирането да премахне проблемните вируси/заплахи. Ако бъдете попитани, потвърдете че желаете вашия компютър да бъде рестартиран.

Malwarebytes Anti-Malware (PRO) 1.60.1.1000 www.malwarebytes.org Версия на базата от данни: v2012.03.11.08 Windows XP Service Pack 2 x86 NTFS Internet Explorer 8.0.6001.18702 home :: HOME-AC5CE86EB3 [администратор] Защита: изключена 11.3.2012 г. 18:55:12 mbam-log-2012-03-11 (18-55-12).txt Тип сканиране: Пълно сканиране Включени опции за сканиране: Памет | Автоматично зареждане | Системен регистър | Файлова система | Евристики/Допълнителни | Евристики/Shuriken | PUP | PUM Изключени опции за сканиране: P2P Сканирани обекти: 533256 Изминало време: 2 час(а), 52 минута(и), 46 секунда(и) Открити процеси в паметта: 0 (Не бяха открити зловредни обекти) Открити модули в паметта: 0 (Не бяха открити зловредни обекти) Открити ключове в системния регистър: 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EuroDictXP (Trojan.Downloader.bh) -> Поставен под карантина и изтрит успешно. Открити стойности в системния регистър: 0 (Не бяха открити зловредни обекти) Открити информационни обекти в системния регистър: 0 (Не бяха открити зловредни обекти) Открити папки: 0 (Не бяха открити зловредни обекти) Открити файлове: 24 C:\Documents and Settings\home\Desktop\Meine nicht deine\FableTrn.exe (PUP.HackTool.HotKeysHook) -> Не беше предприето действие. C:\Program Files\Sony Vegas Movie Studio Platinum Edition Pro v9.a Build 85\patch.exe (PUP.Hacktool.Patcher) -> Не беше предприето действие. C:\Documents and Settings\home\Local Settings\Application Data\9f790a05\X (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\Documents and Settings\home\Local Settings\Application Data\9f790a05\U\000000cf.@ (Trojan.Agent) -> Поставен под карантина и изтрит успешно. C:\Documents and Settings\home\Local Settings\Temp\5689.sys (Trojan.Service) -> Поставен под карантина и изтрит успешно. C:\Documents and Settings\home\Local Settings\Temp\18.tmp (Spyware.Sniffer) -> Поставен под карантина и изтрит успешно. C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\RBSYVULQ\4[1].exe (Spyware.Sniffer) -> Поставен под карантина и изтрит успешно. c:\documents and settings\home\local settings\temporary internet files\content.ie5\theidb66\5[1].exe (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\Program Files\KoralSoft\EuroDictXP\UnInstall.exe (Trojan.Downloader.bh) -> Поставен под карантина и изтрит успешно. C:\Program Files\WinRAR 3.93 Final\Keygen\Keygen.exe (RiskWare.Tool.CK) -> Поставен под карантина и изтрит успешно. C:\Program Files\TuneUp Utilities 2009\Keygen.exe (Trojan.Agent.CK) -> Поставен под карантина и изтрит успешно. C:\RECYCLER\S-1-5-21-1390067357-1303643608-682003330-1003\Dc79.exe (Affiliate.Downloader) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332789.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332781.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332782.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332783.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332784.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332785.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332786.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332787.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332788.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\System Volume Information\_restore{7C8269DC-55F6-40FC-88B7-AF94027C9864}\RP1253\A0332790.dll (Rootkit.0Access) -> Поставен под карантина и изтрит успешно. C:\Documents and Settings\home\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Поставен под карантина и изтрит успешно. C:\WINDOWS\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Поставен под карантина и изтрит успешно. (край)

Редактирано 11 март 201214 г. от KaWaii (преглед на промените)

Изтрийте вашето копие на Комбофикс (като изтриете иконата от вашия десктоп)...изтеглете ново свежо копие от тук или тук и го запазете на десктопа си.

• Изключете вашата антивирусна и антишпионска програма, обикновено това става чрез натискане на десния бутон на мишката върху иконата на програма в системния трей.

Бележка: Ако не можете я спрете или не сте сигурни коя програма да изключите, моля прегледайте информацията от този линк: How to Disable your Security Programs

• Стартирайте Combo-Fix.com и следвайте инструкциите.

Бележка: ComboFix ще се стартира без инсталирана Recovery Console.

• Като част от неговата работа, ComboFix ще провери дали Microsoft Windows Recovery Console е инсталирана. Предвид бързо развиващия се зловреден софтуер е силно препоръчително да бъде инсталирана преди премахването на зловредния софтуер. Това ще Ви позволи да влезете в специален recovery/repair режим, който ще ни позволи по-лесно да решите проблем, който би могъл да възникне при премахване на зловредния софтуер.

• Следвайте инструкциите, за да позволите на ComboFix да изтегли и инсталира Microsoft Windows Recovery Console. В един момент ще бъдете попитани дали сте съгласни с лицензното споразумение. Необходимо е да потвърдите, че сте съгласни, за да инсталирате Microsoft Windows Recovery Console.

** Забележете: Ако Microsoft Windows Recovery Console е вече инсталирана, ComboFix ще продължи към процеса по премахване на зловредния софтуер.

След като Microsoft Windows Recovery Console е инсталирана, използвайки ComboFix, Вие ще видите следното съобщение:

Изберете Yes, за да продължи сканирането за зловреден софтуер.

Когато процесът приключи успешно, инструментът ще създаде лог файл. Моля, включете съдържанието на C:\ComboFix.txt в следващия Ви коментар в тази тема.

Бележка:

• Моля, не движете мишката, докато ComboFix работи. Това може да наруши процеса на работа.
• ComboFix ще нулира всички настройки на Microsoft Internet Explorer, включително да направи IE браузър по подразбиране.
• ComboFix ще изключи autorun функцията на ВСИЧКИ CD, Floppy и USB устройства, за да помогне при премахването на зловредния софтуер и Ви защити от бъдещи вируси/заплахи, които поразяват чрез autorun. Ако това е проблем за вас - моля, уведомете ме.
• ComboFix ще изключи вашата интернет връзка. Интернет връзката ще се възстанови автоматично, преди ComboFix да завърши процеса на работа. При проблем, той ще прекрати интернет връзката. За да възстановите интернет връзката си, рестартирайте компютъра си.
• В случай на проблем с ComboFix, той може да създаде лог файл. Моля, включете съдържанието на C:\BUG.txt в следващия Ви коментар в тази тема.

Моля, не прикачвайте лог файла/овете от програмата, а го/ги копирайте и поставете в следващия Ви коментар в тази тема.

ComboFix 12-03-12.03 - home 03.2012 г. 17:46:16.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.1983.1494 [GMT 2:00] Running from: c:\documents and settings\home\Desktop\ComboFix.exe AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\home\Application Data\Dealio c:\documents and settings\home\Application Data\Dealio\res\widgets.xml c:\documents and settings\home\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml c:\documents and settings\home\Application Data\PriceGong c:\documents and settings\home\Application Data\PriceGong\Data\1.xml c:\documents and settings\home\Application Data\PriceGong\Data\a.xml c:\documents and settings\home\Application Data\PriceGong\Data\b.xml c:\documents and settings\home\Application Data\PriceGong\Data\c.xml c:\documents and settings\home\Application Data\PriceGong\Data\d.xml c:\documents and settings\home\Application Data\PriceGong\Data\e.xml c:\documents and settings\home\Application Data\PriceGong\Data\f.xml c:\documents and settings\home\Application Data\PriceGong\Data\g.xml c:\documents and settings\home\Application Data\PriceGong\Data\h.xml c:\documents and settings\home\Application Data\PriceGong\Data\i.xml c:\documents and settings\home\Application Data\PriceGong\Data\J.xml c:\documents and settings\home\Application Data\PriceGong\Data\k.xml c:\documents and settings\home\Application Data\PriceGong\Data\l.xml c:\documents and settings\home\Application Data\PriceGong\Data\m.xml c:\documents and settings\home\Application Data\PriceGong\Data\mru.xml c:\documents and settings\home\Application Data\PriceGong\Data\n.xml c:\documents and settings\home\Application Data\PriceGong\Data\o.xml c:\documents and settings\home\Application Data\PriceGong\Data\p.xml c:\documents and settings\home\Application Data\PriceGong\Data\q.xml c:\documents and settings\home\Application Data\PriceGong\Data\r.xml c:\documents and settings\home\Application Data\PriceGong\Data\s.xml c:\documents and settings\home\Application Data\PriceGong\Data\t.xml c:\documents and settings\home\Application Data\PriceGong\Data\u.xml c:\documents and settings\home\Application Data\PriceGong\Data\v.xml c:\documents and settings\home\Application Data\PriceGong\Data\w.xml c:\documents and settings\home\Application Data\PriceGong\Data\x.xml c:\documents and settings\home\Application Data\PriceGong\Data\y.xml c:\documents and settings\home\Application Data\PriceGong\Data\z.xml c:\documents and settings\home\Application Data\Toolbar4 c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\affid.dat c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\basis.xml c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\icons.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\info.txt c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\mbback.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\mbbigopen.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\mbclose.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\mbfwd.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\mbsep.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\nav1c.bmp c:\documents and settings\home\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\version.txt c:\documents and settings\home\Local Settings\Tempcheck.exe c:\documents and settings\home\System c:\documents and settings\home\System\win_qs8.jqx c:\documents and settings\home\WINDOWS c:\program files\DTLite4355-0068.exe c:\program files\filesubmit c:\program files\filesubmit\Black\Black.msstyles c:\program files\filesubmit\Black\shell\normalcolor\shellstyle.dll c:\program files\filesubmit\DameK_UltraBlue_1.9.exe c:\program files\Program Files c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\construction-button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\countryroad_button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\lentils-button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\money_button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\rice-button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\traffic_button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\watch_button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Buttons\wheat_button.jpg c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Construction.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Country Road.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Lentils.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Money.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Rice.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Traffic.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Watch.pot c:\program files\Program Files\Microsoft Office\Templates\SC-Templates\Wheat.pot c:\program files\Search Settings c:\program files\Search Settings\SearchSettingsRes409.dll c:\program files\winamp5601_full_emusic-7plus_en-us.exe c:\program files\Your Product\Uninstall c:\program files\Your Product\Uninstall\IRIMG1.JPG c:\program files\Your Product\Uninstall\IRIMG2.JPG c:\program files\Your Product\Uninstall\uninstall.dat c:\program files\Your Product\Uninstall\uninstall.xml c:\windows\system32\embedded c:\windows\system32\embedded\License.txt c:\windows\system32\embedded\regsvr.exe c:\windows\system32\embedded\Thumbs.db c:\windows\system32\embedded\uninstall.exe c:\windows\system32\embedded\WizardImage.bmp c:\windows\system32\embedded\WizardSmallImage.bmp c:\windows\system32\NEW27.tmp c:\windows\system32\NEW2D.tmp c:\windows\system32\NEW2E.tmp c:\windows\system32\WanPacket.dll . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_NPF -------\Legacy_ddsxeiservice -------\Service_ddsxeiservice . . ((((((((((((((((((((((((( Files Created from 2012-02-12 to 2012-03-12 ))))))))))))))))))))))))))))))) . . 2012-03-10 19:55 . 2012-03-10 19:56 -------- d-----w- C:\antivir 2012-03-10 14:09 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys 2012-03-10 14:09 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2012-03-10 14:09 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2012-03-10 14:09 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2012-03-10 14:09 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2012-03-10 14:09 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2012-03-10 14:09 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys 2012-03-10 14:09 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2012-03-10 14:08 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr 2012-03-10 14:08 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe 2012-03-10 14:01 . 2012-03-10 14:01 -------- d-----w- c:\windows\system32\wbem\Repository 2012-03-10 11:58 . 2012-03-10 14:08 -------- d-----w- c:\program files\AVAST Software 2012-03-10 11:58 . 2012-03-10 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\documents and settings\home\Application Data\DriverCure 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\program files\SpeedyPC Software 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\program files\Common Files\SpeedyPC Software 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC Software 2012-03-10 10:33 . 2012-03-10 10:33 -------- d-----w- c:\documents and settings\LocalService\IETldCache 2012-03-10 10:25 . 2012-03-10 13:58 -------- d-sh--w- c:\documents and settings\home\Local Settings\Application Data\9f790a05 2012-02-29 19:50 . 2012-02-29 19:50 -------- d-----w- c:\program files\LogMeIn Hamachi 2012-02-23 16:49 . 2012-02-25 16:32 -------- d-----w- c:\documents and settings\home\riotsGamesLogs 2012-02-23 16:49 . 2012-02-23 16:49 -------- d-----w- c:\documents and settings\home\Application Data\LolClient 2012-02-23 00:40 . 2012-02-23 00:40 -------- d-----w- c:\program files\Common Files\Skype . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-03-11 16:54 . 2010-08-20 17:32 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-01-28 21:11 . 2012-01-28 21:11 629288 ----a-w- C:\WindowsXP-KB932823-v3-x86-ENU.exe 2012-01-28 20:59 . 2012-01-28 20:59 16883056 ----a-w- C:\Internet_Explorer_8_0.exe 2011-05-06 09:42 . 2011-05-06 09:42 14310930 ----a-w- c:\program files\any-video-converter-free.exe 2011-01-28 17:48 . 2011-01-28 17:48 359940 ----a-w- c:\program files\shoutcast-dsp-2-1-3-windows.exe 2011-01-28 17:46 . 2011-01-28 17:46 1948225 ----a-w- c:\program files\shoutcast-dnas-1-9-8-windows.exe 2011-01-19 22:10 . 2011-01-19 22:05 94112150 ----a-w- c:\program files\AC Web Ultimate Repack.exe 2011-01-19 22:01 . 2011-01-19 22:00 31323871 ----a-w- c:\program files\xampp-win32-1.5.2-installer.exe 2011-01-04 19:43 . 2011-01-04 19:22 232501 ----a-w- c:\program files\Minecraft.exe 2011-01-04 19:24 . 2011-01-04 19:24 232501 ----a-w- c:\program files\Minecraft(2).exe 2011-01-03 20:45 . 2011-01-03 20:45 3514656 ----a-w- c:\program files\TeamViewer_Setup.exe 2010-12-31 13:52 . 2010-12-31 13:52 401728 ----a-w- c:\program files\setup.exe 2010-12-30 21:33 . 2010-12-30 21:33 568648 ----a-w- c:\program files\GoogleEarthSetup.exe 2010-12-11 18:44 . 2010-12-11 18:44 2790864 ----a-w- c:\program files\install_flash_player.exe 2010-12-10 14:03 . 2010-12-10 14:03 22971688 ----a-w- c:\program files\Skype 4.2.0.169.exe 2010-12-09 18:03 . 2010-12-09 18:02 8027408 ----a-w- c:\program files\boost-speed-setup.exe 2012-02-19 07:53 . 2011-05-01 07:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\prxtbSof0.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930f1200-f5f1-4870-bac6-e233ec8e7023}] 2011-05-09 09:49 176936 ----a-w- c:\program files\Softonic_English\prxtbSof0.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-22 284040] "{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\prxtbSof0.dll" [2011-05-09 176936] "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192] . [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] . [HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}] . [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{930F1200-F5F1-4870-BAC6-E233EC8E7023}"= "c:\program files\Softonic_English\prxtbSof0.dll" [2011-05-09 176936] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-22 284040] . [HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}] . [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672] "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-28 3077528] "Akamai NetSession Interface"="c:\documents and settings\home\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112] "RTHDCPL"="RTHDCPL.EXE" [2009-12-08 18789920] "Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2010-10-15 380416] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200] "NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208] "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976] "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2006-10-04 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-30 113664] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^ _-=TIgI-sCripT=-_.lnk] path=c:\documents and settings\home\Start Menu\Programs\Startup\ _-=TIgI-sCripT=-_.lnk backup=c:\windows\pss\ _-=TIgI-sCripT=-_.lnkStartup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^.lnk] path=c:\documents and settings\home\Start Menu\Programs\Startup\.lnk backup=c:\windows\pss\.lnkStartup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^PowerReg Scheduler.exe] path=c:\documents and settings\home\Start Menu\Programs\Startup\PowerReg Scheduler.exe backup=c:\windows\pss\PowerReg Scheduler.exeStartup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk] path=c:\documents and settings\home\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2006-10-26 21:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MorEmoticons] 2007-11-12 02:35 64000 ----a-w- c:\program files\MorEmoticons\Moremoticons.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "d:\\Games\\war\\Warcraft III\\Warcraft III.exe"= "d:\\Games\\war\\Warcraft III\\War3.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Garena\\Garena.exe"= "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"= "e:\\Games2\\CS\\hl.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "e:\\Games2\\CS\\hlds.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\wow server\\xampp\\apache\\bin\\apache.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "e:\\Games2\\AOE2\\AOE2\\empires2.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Documents and Settings\\home\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "23183:TCP"= 23183:TCP:BitComet 23183 TCP "23183:UDP"= 23183:UDP:BitComet 23183 UDP "6612:TCP"= 6612:TCP:Blizard Downloader "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "13189:TCP"= 13189:TCP:BitComet 13189 TCP "13189:UDP"= 13189:UDP:BitComet 13189 UDP "443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443 "443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443 "37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674 "37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674 "37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675 "2706:TCP"= 2706:TCP:Inhatch P2P Streaming "2707:TCP"= 2707:TCP:Inhatch P2P Streaming "2708:TCP"= 2708:TCP:Inhatch P2P Streaming "2709:TCP"= 2709:TCP:Inhatch P2P Streaming "58389:TCP"= 58389:TCP:Pando Media Booster "58389:UDP"= 58389:UDP:Pando Media Booster "1113:TCP"= 1113:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface . R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13.9.2007 г. 22:02 691696] R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10.3.2012 г. 16:09 612184] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.3.2012 г. 16:09 337880] R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04.8.2004 г. 00:56 14336] R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [16.12.2009 г. 17:38 375296] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.3.2012 г. 16:09 20696] R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [28.2.2012 г. 17:38 1373576] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20.8.2010 г. 19:32 652360] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [08.10.2011 г. 07:48 2255464] R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [10.8.2011 г. 13:13 4096] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20.8.2010 г. 19:32 20464] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 г. 12:16 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05.8.2009 г. 20:21 133104] S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [15.2.2012 г. 13:30 158856] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [26.11.2010 г. 00:54 1691480] S3 cpuz130;cpuz130;\??\c:\docume~1\home\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\home\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?] S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?] S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [04.12.2010 г. 15:25 130976] S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\home\LOCALS~1\Temp\HQO85.tmp --> c:\docume~1\home\LOCALS~1\Temp\HQO85.tmp [?] S3 GGSAFERDriver;GGSAFER Driver;\??\d:\games\Garena\safedrv.sys --> d:\games\Garena\safedrv.sys [?] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [05.8.2009 г. 20:21 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [20.8.2010 г. 19:32 40776] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 г. 12:16 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai . Contents of the 'Scheduled Tasks' folder . 2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:20] . 2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:20] . 2012-03-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-1303643608-682003330-1003.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 19:09] . 2012-03-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-1303643608-682003330-1003.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 19:09] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1 uInternet Settings,ProxyServer = 213.185.116.218:3128 uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} Trusted Zone: ubb.bg\ebb TCP: DhcpNameServer = 192.168.1.1 TCP: Interfaces\{DCBC3E0E-D6A9-4EAE-B79E-C26871E46E0B}: NameServer = 212.39.90.42,212.39.90.43 FF - ProfilePath - c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ieu1njgb.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/picpick/{E56BB3A3-CA04-4D5B-992E-7732EF0E806D}?q= FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 . - - - - ORPHANS REMOVED - - - - . MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe HKLM_ActiveSetup-{D04F05BA-8BB4-1BB3-DAA2-04289D991083} - c:\program files\Bifrost\server.exe . . . ************************************************************************** scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai] "ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine] "ImagePath"="\??\c:\docume~1\home\LOCALS~1\Temp\HQO85.tmp" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1084) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(2580) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVAST Software\Avast\AvastSvc.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\wow server\xampp\mysql\bin\mysqld.exe c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\PnkBstrA.exe c:\program files\ATI Technologies\ATI.ACE\CLI.EXE c:\windows\RTHDCPL.EXE c:\windows\system32\RunDLL32.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\wscntfy.exe c:\program files\ATI Technologies\ATI.ACE\cli.exe . ************************************************************************** . Completion time: 2012-03-12 18:04:48 - machine was rebooted ComboFix-quarantined-files.txt 2012-03-12 16:04 . Pre-Run: 38 080 024 576 bytes free Post-Run: 38 694 985 728 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn . - - End Of File - - A9D76CF8394F532C8BF9599E2E53D6F0

Копирайте текста в карето на notepad и го запазвате с име CFScript.txt на десктопа си:

KILLALL::

ClearJavaCache::

File::
c:\program files\Softonic_English\prxtbSof0.dll
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\ConduitEngine\ConduitEngine.dll

Folder::
C:\antivir

DirLook::
c:\documents and settings\home\Local Settings\Application Data\9f790a05

Registry::
[-HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
"{930f1200-f5f1-4870-bac6-e233ec8e7023}"=-
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[-HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
[-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{930F1200-F5F1-4870-BAC6-E233EC8E7023}"=-
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

След съхранението преместете CFScript.txt на иконата на ComboFix.exe

Генерирания рапорт прикачете в следващия си пост..!

Извинявам се за късния пост, но напоследък нямах време да седя на компютъра. ComboFix 12-03-12.03 - home 03.2012 г. 19:12:35.5.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.1983.1494 [GMT 2:00] Running from: c:\documents and settings\home\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\home\Desktop\CFScript.txt AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D} . FILE :: "c:\program files\AskBarDis\bar\bin\askBar.dll" "c:\program files\ConduitEngine\ConduitEngine.dll" "c:\program files\Softonic_English\prxtbSof0.dll" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\antivir c:\antivir\avz4\avz.exe c:\antivir\avz4\avz.url c:\antivir\avz4\avz_en.chm c:\antivir\avz4\avz_ru.chm c:\antivir\avz4\Base\backup.avz c:\antivir\avz4\Base\bt.avz c:\antivir\avz4\Base\exc.avz c:\antivir\avz4\Base\extract.avz c:\antivir\avz4\Base\keylogger.avz c:\antivir\avz4\Base\krnldrv.avz c:\antivir\avz4\Base\lang_en.avz c:\antivir\avz4\Base\lang_ru.avz c:\antivir\avz4\Base\main.avz c:\antivir\avz4\Base\main001.avz c:\antivir\avz4\Base\main002.avz c:\antivir\avz4\Base\main003.avz c:\antivir\avz4\Base\main004.avz c:\antivir\avz4\Base\main005.avz c:\antivir\avz4\Base\main006.avz c:\antivir\avz4\Base\main007.avz c:\antivir\avz4\Base\main008.avz c:\antivir\avz4\Base\main009.avz c:\antivir\avz4\Base\main010.avz c:\antivir\avz4\Base\main011.avz c:\antivir\avz4\Base\main012.avz c:\antivir\avz4\Base\main013.avz c:\antivir\avz4\Base\main014.avz c:\antivir\avz4\Base\main015.avz c:\antivir\avz4\Base\main016.avz c:\antivir\avz4\Base\main017.avz c:\antivir\avz4\Base\main018.avz c:\antivir\avz4\Base\main019.avz c:\antivir\avz4\Base\main020.avz c:\antivir\avz4\Base\main021.avz c:\antivir\avz4\Base\main022.avz c:\antivir\avz4\Base\main023.avz c:\antivir\avz4\Base\main024.avz c:\antivir\avz4\Base\main025.avz c:\antivir\avz4\Base\main026.avz c:\antivir\avz4\Base\main027.avz c:\antivir\avz4\Base\main028.avz c:\antivir\avz4\Base\main029.avz c:\antivir\avz4\Base\neural.avz c:\antivir\avz4\Base\neurald.avz c:\antivir\avz4\Base\neurale.avz c:\antivir\avz4\Base\neuralm.avz c:\antivir\avz4\Base\ports.avz c:\antivir\avz4\Base\prt.avz c:\antivir\avz4\Base\repair.avz c:\antivir\avz4\Base\rootkit.avz c:\antivir\avz4\Base\scripts.avz c:\antivir\avz4\Base\scu.avz c:\antivir\avz4\Base\signf001.avz c:\antivir\avz4\Base\signf002.avz c:\antivir\avz4\Base\signf003.avz c:\antivir\avz4\Base\signf004.avz c:\antivir\avz4\Base\signf005.avz c:\antivir\avz4\Base\signf006.avz c:\antivir\avz4\Base\signfusr.avz c:\antivir\avz4\Base\syscheck.avz c:\antivir\avz4\Base\sysipu.avz c:\antivir\avz4\Base\tsw-auto.avz c:\antivir\avz4\Base\tsw.avz c:\antivir\avz4\LOG\KL_syscure.htm c:\antivir\avz4\LOG\KL_syscure.xml c:\antivir\avz4\LOG\KL_syscure.zip c:\antivir\avz4\quarantine.zip c:\antivir\avz4\version.txt c:\documents and settings\home\Application Data\PriceGong c:\documents and settings\home\Application Data\PriceGong\Data\1.xml c:\documents and settings\home\Application Data\PriceGong\Data\a.xml c:\documents and settings\home\Application Data\PriceGong\Data\b.xml c:\documents and settings\home\Application Data\PriceGong\Data\c.xml c:\documents and settings\home\Application Data\PriceGong\Data\d.xml c:\documents and settings\home\Application Data\PriceGong\Data\e.xml c:\documents and settings\home\Application Data\PriceGong\Data\f.xml c:\documents and settings\home\Application Data\PriceGong\Data\g.xml c:\documents and settings\home\Application Data\PriceGong\Data\h.xml c:\documents and settings\home\Application Data\PriceGong\Data\i.xml c:\documents and settings\home\Application Data\PriceGong\Data\J.xml c:\documents and settings\home\Application Data\PriceGong\Data\k.xml c:\documents and settings\home\Application Data\PriceGong\Data\l.xml c:\documents and settings\home\Application Data\PriceGong\Data\m.xml c:\documents and settings\home\Application Data\PriceGong\Data\n.xml c:\documents and settings\home\Application Data\PriceGong\Data\o.xml c:\documents and settings\home\Application Data\PriceGong\Data\p.xml c:\documents and settings\home\Application Data\PriceGong\Data\q.xml c:\documents and settings\home\Application Data\PriceGong\Data\r.xml c:\documents and settings\home\Application Data\PriceGong\Data\s.xml c:\documents and settings\home\Application Data\PriceGong\Data\t.xml c:\documents and settings\home\Application Data\PriceGong\Data\u.xml c:\documents and settings\home\Application Data\PriceGong\Data\v.xml c:\documents and settings\home\Application Data\PriceGong\Data\w.xml c:\documents and settings\home\Application Data\PriceGong\Data\x.xml c:\documents and settings\home\Application Data\PriceGong\Data\y.xml c:\documents and settings\home\Application Data\PriceGong\Data\z.xml . . ((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 ))))))))))))))))))))))))))))))) . . 2012-03-10 14:09 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys 2012-03-10 14:09 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2012-03-10 14:09 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2012-03-10 14:09 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2012-03-10 14:09 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2012-03-10 14:09 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2012-03-10 14:09 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys 2012-03-10 14:09 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2012-03-10 14:08 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr 2012-03-10 14:08 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe 2012-03-10 14:01 . 2012-03-10 14:01 -------- d-----w- c:\windows\system32\wbem\Repository 2012-03-10 11:58 . 2012-03-10 14:08 -------- d-----w- c:\program files\AVAST Software 2012-03-10 11:58 . 2012-03-10 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\documents and settings\home\Application Data\DriverCure 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\program files\SpeedyPC Software 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\program files\Common Files\SpeedyPC Software 2012-03-10 11:21 . 2012-03-10 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC Software 2012-03-10 10:33 . 2012-03-10 10:33 -------- d-----w- c:\documents and settings\LocalService\IETldCache 2012-03-10 10:25 . 2012-03-10 13:58 -------- d-sh--w- c:\documents and settings\home\Local Settings\Application Data\9f790a05 2012-02-23 16:49 . 2012-02-25 16:32 -------- d-----w- c:\documents and settings\home\riotsGamesLogs 2012-02-23 16:49 . 2012-02-23 16:49 -------- d-----w- c:\documents and settings\home\Application Data\LolClient 2012-02-23 00:40 . 2012-02-23 00:40 -------- d-----w- c:\program files\Common Files\Skype . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-03-11 16:54 . 2010-08-20 17:32 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-01-28 21:11 . 2012-01-28 21:11 629288 ----a-w- C:\WindowsXP-KB932823-v3-x86-ENU.exe 2012-01-28 20:59 . 2012-01-28 20:59 16883056 ----a-w- C:\Internet_Explorer_8_0.exe 2011-05-06 09:42 . 2011-05-06 09:42 14310930 ----a-w- c:\program files\any-video-converter-free.exe 2011-01-28 17:48 . 2011-01-28 17:48 359940 ----a-w- c:\program files\shoutcast-dsp-2-1-3-windows.exe 2011-01-28 17:46 . 2011-01-28 17:46 1948225 ----a-w- c:\program files\shoutcast-dnas-1-9-8-windows.exe 2011-01-19 22:10 . 2011-01-19 22:05 94112150 ----a-w- c:\program files\AC Web Ultimate Repack.exe 2011-01-19 22:01 . 2011-01-19 22:00 31323871 ----a-w- c:\program files\xampp-win32-1.5.2-installer.exe 2011-01-04 19:43 . 2011-01-04 19:22 232501 ----a-w- c:\program files\Minecraft.exe 2011-01-04 19:24 . 2011-01-04 19:24 232501 ----a-w- c:\program files\Minecraft(2).exe 2011-01-03 20:45 . 2011-01-03 20:45 3514656 ----a-w- c:\program files\TeamViewer_Setup.exe 2010-12-31 13:52 . 2010-12-31 13:52 401728 ----a-w- c:\program files\setup.exe 2010-12-30 21:33 . 2010-12-30 21:33 568648 ----a-w- c:\program files\GoogleEarthSetup.exe 2010-12-11 18:44 . 2010-12-11 18:44 2790864 ----a-w- c:\program files\install_flash_player.exe 2010-12-10 14:03 . 2010-12-10 14:03 22971688 ----a-w- c:\program files\Skype 4.2.0.169.exe 2010-12-09 18:03 . 2010-12-09 18:02 8027408 ----a-w- c:\program files\boost-speed-setup.exe 2012-02-19 07:53 . 2011-05-01 07:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\home\Local Settings\Application Data\9f790a05 ---- . 2012-03-10 10:25 . 2012-03-10 10:25 2048 --sha-w- c:\documents and settings\home\Local Settings\Application Data\9f790a05\@ . . ((((((((((((((((((((((((((((( SnapShot@2012-03-12_16.01.07 ))))))))))))))))))))))))))))))))))))))))) . + 2012-03-15 17:24 . 2012-03-15 17:24 16384 c:\windows\Temp\Perflib_Perfdata_6a8.dat + 2012-03-15 17:24 . 2012-03-15 17:24 16384 c:\windows\Temp\Perflib_Perfdata_640.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672] "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-28 3077528] "Akamai NetSession Interface"="c:\documents and settings\home\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112] "RTHDCPL"="RTHDCPL.EXE" [2009-12-08 18789920] "Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2010-10-15 380416] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200] "NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208] "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2006-10-04 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-30 113664] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^ _-=TIgI-sCripT=-_.lnk] path=c:\documents and settings\home\Start Menu\Programs\Startup\ _-=TIgI-sCripT=-_.lnk backup=c:\windows\pss\ _-=TIgI-sCripT=-_.lnkStartup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^.lnk] path=c:\documents and settings\home\Start Menu\Programs\Startup\.lnk backup=c:\windows\pss\.lnkStartup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^PowerReg Scheduler.exe] path=c:\documents and settings\home\Start Menu\Programs\Startup\PowerReg Scheduler.exe backup=c:\windows\pss\PowerReg Scheduler.exeStartup . [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk] path=c:\documents and settings\home\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2006-10-26 21:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MorEmoticons] 2007-11-12 02:35 64000 ----a-w- c:\program files\MorEmoticons\Moremoticons.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "d:\\Games\\war\\Warcraft III\\Warcraft III.exe"= "d:\\Games\\war\\Warcraft III\\War3.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Garena\\Garena.exe"= "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"= "e:\\Games2\\CS\\hl.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "e:\\Games2\\CS\\hlds.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\wow server\\xampp\\apache\\bin\\apache.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "e:\\Games2\\AOE2\\AOE2\\empires2.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Documents and Settings\\home\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "23183:TCP"= 23183:TCP:BitComet 23183 TCP "23183:UDP"= 23183:UDP:BitComet 23183 UDP "6612:TCP"= 6612:TCP:Blizard Downloader "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "13189:TCP"= 13189:TCP:BitComet 13189 TCP "13189:UDP"= 13189:UDP:BitComet 13189 UDP "443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443 "443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443 "37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674 "37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674 "37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675 "2706:TCP"= 2706:TCP:Inhatch P2P Streaming "2707:TCP"= 2707:TCP:Inhatch P2P Streaming "2708:TCP"= 2708:TCP:Inhatch P2P Streaming "2709:TCP"= 2709:TCP:Inhatch P2P Streaming "58389:TCP"= 58389:TCP:Pando Media Booster "58389:UDP"= 58389:UDP:Pando Media Booster "1089:TCP"= 1089:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface . R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13.9.2007 г. 22:02 691696] R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10.3.2012 г. 16:09 612184] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.3.2012 г. 16:09 337880] R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04.8.2004 г. 00:56 14336] R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [16.12.2009 г. 17:38 375296] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.3.2012 г. 16:09 20696] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20.8.2010 г. 19:32 652360] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [08.10.2011 г. 07:48 2255464] R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [10.8.2011 г. 13:13 4096] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20.8.2010 г. 19:32 20464] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 г. 12:16 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05.8.2009 г. 20:21 133104] S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [15.2.2012 г. 13:30 158856] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [26.11.2010 г. 00:54 1691480] S3 cpuz130;cpuz130;\??\c:\docume~1\home\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\home\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?] S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?] S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [04.12.2010 г. 15:25 130976] S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\home\LOCALS~1\Temp\HQO85.tmp --> c:\docume~1\home\LOCALS~1\Temp\HQO85.tmp [?] S3 GGSAFERDriver;GGSAFER Driver;\??\d:\games\Garena\safedrv.sys --> d:\games\Garena\safedrv.sys [?] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [05.8.2009 г. 20:21 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [20.8.2010 г. 19:32 40776] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 г. 12:16 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai . Contents of the 'Scheduled Tasks' folder . 2012-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:20] . 2012-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:20] . 2012-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-1303643608-682003330-1003.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 19:09] . 2012-03-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-1303643608-682003330-1003.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 19:09] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1 uInternet Settings,ProxyServer = 213.185.116.218:3128 uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} Trusted Zone: ubb.bg\ebb TCP: DhcpNameServer = 192.168.1.1 TCP: Interfaces\{DCBC3E0E-D6A9-4EAE-B79E-C26871E46E0B}: NameServer = 212.39.90.42,212.39.90.43 FF - ProfilePath - c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ieu1njgb.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/picpick/{E56BB3A3-CA04-4D5B-992E-7732EF0E806D}?q= FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{930f1200-f5f1-4870-bac6-e233ec8e7023} - (no file) BHO-{930f1200-f5f1-4870-bac6-e233ec8e7023} - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-03-15 19:25 Windows 5.1.2600 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . C:\avast! sandbox . scan completed successfully hidden files: 1 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai] "ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine] "ImagePath"="\??\c:\docume~1\home\LOCALS~1\Temp\HQO85.tmp" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1036) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(2592) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVAST Software\Avast\AvastSvc.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\wow server\xampp\mysql\bin\mysqld.exe c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\PnkBstrA.exe c:\program files\ATI Technologies\ATI.ACE\CLI.EXE c:\windows\RTHDCPL.EXE c:\windows\system32\RunDLL32.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\wscntfy.exe c:\program files\ATI Technologies\ATI.ACE\cli.exe . ************************************************************************** . Completion time: 2012-03-15 19:30:00 - machine was rebooted ComboFix-quarantined-files.txt 2012-03-15 17:29 ComboFix2.txt 2012-03-12 16:04 . Pre-Run: 38 590 517 248 bytes free Post-Run: 38 668 283 904 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn . - - End Of File - - B42FD086CAADBBA46C662CA11892C336

Как е системата ви сега..?Наблюдавате ли някъкви проблеми..?

Не, всичко върви нормално Вчера само един път изведнъж много се забави (като цяло интернета и системата), но след рестартиране се оправи, така че предполагам, че може да е било просто нещо временно. Благодаря много!

Редактирано 15 март 201214 г. от KaWaii (преглед на промените)

Копирайте текста в карето на notepad и го запазвате с име CFScript.txt на десктопа си:

KILLALL::

Folder::
c:\documents and settings\home\Local Settings\Application Data\9f790a05

След съхранението преместете CFScript.txt на иконата на ComboFix.exe

Генерирания рапорт прикачете в следващия си пост..!

В момента се сканира и пиша от другия компютър. Нормално ли е пак да ми показва съобщения за ZeroAccess и rootkit (и отново рестартира компютъра - винаги го прави като пускам ComboFix)?