Everything posted by popopa
-
Trojan [Solved]
I hope everything is fine; I don't notice anything wrong, but I also understand almost nothing of all the logs I posted here, so I'm not sure whether everything is OK!? Thank you, your help is priceless, and I wish the team much success!
-
Trojan [Solved]
I installed the demo version of NOD; before that I uninstalled QIP (where the infection was) and also deleted the whole restore. After scanning with NOD there is nothing; I also scanned with Malwarebytes, also nothing.
-
Trojan [Solved]
exeHelper by Raktor
Build 20091121
Run at 12:08:02 on 11/21/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=258f686a19d0c8459aaee4dd6a48093b
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-21 10:53:19
# local_time=2009-11-21 12:53:19 (+0200, FLE Standard Time)
# country="Bulgaria"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3781 3781 0 0
# scanned=45864
# found=3
# cleaned=3
# scan_time=2475
C:\Program Files\QIP\qip.exe    a variant of Win32/Induc.A virus (deleted - quarantined)    00000000000000000000000000000000    C
C:\System Volume Information\_restore{182A7B9C-CF01-4CB9-A546-A71953D15847}\RP26\A0007971.reg    Win32/HackAV.G application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
C:\System Volume Information\_restore{182A7B9C-CF01-4CB9-A546-A71953D15847}\RP26\A0008225.exe    a variant of Win32/Induc.A virus (deleted - quarantined)    00000000000000000000000000000000    C
-
Trojan [Solved]
Maniac, hello! Unfortunately I am resorting to your services again. My request is that, in the process of removing the malicious software, I find out where I picked it up. Lately I have been using quite a lot of free software and I suppose it came from there. I uninstalled NOD32 before running ComboFix, because it would not stop by any means. Here are the log files:

 Results of screen317's Security Check version 0.99.0
 Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled!
 NOD32 antivirus system
 Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

 HijackThis 2.0.2
 Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

 Eset nod32krn.exe
 Eset nod32kui.exe
``````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

ComboFix 09-11-20.02 - po 11.2009 г. 8:27.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.1535.1003 [GMT 2:00]
Running from: c:\documents and settings\po\Desktop\Tool.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Fonts\SimHei.ttf
.
((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.
2009-11-21 06:27 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-21 06:27 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-20 16:59 . 2009-11-20 17:00 -------- d-----w- c:\program files\HP USB Disk Storage Format Tool
2009-11-14 01:41 . 2009-11-14 01:45 -------- d-----w- c:\documents and settings\po\Application Data\avidemux
2009-11-14 01:15 . 2009-11-14 02:32 -------- d-----w- c:\program files\Avidemux 2.5
2009-11-12 16:54 . 2008-03-21 11:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-11-12 16:32 . 2009-11-12 16:31 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-11-12 16:32 . 2009-11-12 16:31 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2009-11-12 16:32 . 2009-11-12 16:31 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-11-11 20:52 . 2009-11-11 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-11-11 18:02 . 2008-01-09 09:28 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2009-11-11 18:00 . 2008-05-16 10:33 115752 ----a-w- c:\windows\system32\drivers\s0016unic.sys
2009-11-11 18:00 . 2008-05-16 10:33 10792 ----a-w- c:\windows\system32\drivers\s0016cr.sys
2009-11-11 18:00 . 2008-05-16 10:33 114216 ----a-w- c:\windows\system32\drivers\s0016mgmt.sys
2009-11-11 18:00 . 2008-05-16 10:33 110632 ----a-w- c:\windows\system32\drivers\s0016obex.sys
2009-11-11 18:00 . 2008-05-16 10:33 25512 ----a-w- c:\windows\system32\drivers\s0016nd5.sys
2009-11-11 18:00 . 2008-05-16 10:33 12200 ----a-w- c:\windows\system32\drivers\s0016cmnt.sys
2009-11-11 18:00 . 2008-05-16 10:33 12200 ----a-w- c:\windows\system32\drivers\s0016cm.sys
2009-11-11 18:00 . 2008-05-16 10:33 120744 ----a-w- c:\windows\system32\drivers\s0016mdm.sys
2009-11-11 18:00 . 2008-05-16 10:33 15016 ----a-w- c:\windows\system32\drivers\s0016mdfl.sys
2009-11-11 18:00 . 2008-05-16 10:33 89256 ----a-w- c:\windows\system32\drivers\s0016bus.sys
2009-11-11 18:00 . 2008-05-16 10:33 12200 ----a-w- c:\windows\system32\drivers\s0016whnt.sys
2009-11-11 18:00 . 2008-05-16 10:33 12200 ----a-w- c:\windows\system32\drivers\s0016wh.sys
2009-11-11 17:50 . 2009-11-11 17:53 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-10 18:11 . 2009-11-10 18:11 -------- d-----w- c:\program files\Common Files\L&H
2009-11-01 13:45 . 2009-11-01 18:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-01 13:44 . 2009-11-01 16:20 -------- d-----w- c:\documents and settings\po\Application Data\Any Video Converter Professional
2009-11-01 13:44 . 2009-11-01 13:45 -------- d-----w- c:\program files\Any Video Converter Professional
2009-10-31 14:23 . 2009-10-31 22:23 -------- d-----w- C:\ZCVideoConverter
2009-10-28 20:11 . 2009-10-28 20:11 -------- d-----w- c:\documents and settings\po\Application Data\Miranda
2009-10-28 20:11 . 2009-10-28 20:11 -------- d-----w- c:\program files\Miranda IM
2009-10-28 07:17 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-10-28 07:17 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-28 07:17 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-28 07:17 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-28 07:17 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-28 07:17 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-24 22:00 . 2009-10-24 22:01 -------- d-----w- c:\program files\ICE Book Reader Professional
2009-10-24 20:53 . 2009-10-24 20:55 -------- d-----w- c:\documents and settings\po\Application Data\cr3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 06:23 . 2008-09-05 10:28 -------- d-----w- c:\program files\Eset
2009-11-20 22:31 . 2009-08-10 21:17 -------- d-----w- c:\documents and settings\po\Application Data\uTorrent
2009-11-20 17:00 . 2008-09-05 08:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 18:11 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\po\Application Data\Skype
2009-11-12 16:54 . 2009-11-12 16:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2009-11-12 16:54 . 2009-11-12 16:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-11-12 16:31 . 2008-12-01 19:06 -------- d-----w- c:\program files\Sony Ericsson
2009-11-11 17:59 . 2008-12-01 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-10-19 19:47 . 2009-08-10 21:10 -------- d-----w- c:\program files\The KMPlayer
2009-10-11 20:25 . 2009-10-11 20:24 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-11 06:09 . 2008-09-05 09:04 18312 ----a-w- c:\documents and settings\po\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 17:21 . 2008-09-07 14:17 -------- d-----r- c:\program files\Skype
2009-10-09 18:00 . 2009-10-11 20:24 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-09 17:57 . 2008-12-14 13:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-08 20:14 . 2009-10-08 18:01 -------- d-----w- c:\program files\MobilityDotNET
2009-10-06 13:14 . 2009-10-06 13:14 7406 ----a-r- c:\documents and settings\po\Application Data\Microsoft\Installer\{3CD84DFC-2616-4983-B99D-09036FA3970F}\_88C359B14CDA98528E98DF.exe
2009-10-06 13:14 . 2009-10-06 13:14 7406 ----a-r- c:\documents and settings\po\Application Data\Microsoft\Installer\{3CD84DFC-2616-4983-B99D-09036FA3970F}\_345C72BB6C37F2642B9A87.exe
2009-10-06 13:14 . 2009-10-06 13:14 7406 ----a-r- c:\documents and settings\po\Application Data\Microsoft\Installer\{3CD84DFC-2616-4983-B99D-09036FA3970F}\_21F3885A18D238E15AAE81.exe
2009-10-06 13:14 . 2009-10-06 13:14 448870 ----a-r- c:\documents and settings\po\Application Data\Microsoft\Installer\{3CD84DFC-2616-4983-B99D-09036FA3970F}\_6FEFF9B68218417F98F549.exe
2009-10-06 13:14 . 2009-10-06 13:14 13358 ----a-r- c:\documents and settings\po\Application Data\Microsoft\Installer\{3CD84DFC-2616-4983-B99D-09036FA3970F}\_27BAC7B57020D669B234F7.exe
2009-10-06 13:14 . 2009-10-06 13:14 -------- d-----w- c:\program files\Foxit Software
2009-10-04 17:15 . 2009-10-04 17:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-04 17:14 . 2009-10-04 17:14 -------- d-----w- c:\program files\Common Files\Skype
2009-10-04 17:14 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-04 17:02 . 2008-09-08 17:27 -------- d-----w- c:\documents and settings\po\Application Data\skypePM
2009-10-04 12:58 . 2009-10-04 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Teleca
2009-10-04 12:57 . 2009-10-04 12:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Ericsson
2009-10-03 15:25 . 2009-09-24 19:24 -------- d-----w- c:\program files\CoreCodec
2009-10-03 15:24 . 2008-09-06 19:54 -------- d-----w- c:\program files\BSplayerPro
2009-10-03 15:24 . 2009-09-23 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 13:53 . 2008-09-06 20:15 -------- d-----w- c:\program files\CyberLink
2009-10-03 13:48 . 2008-09-07 14:14 -------- d-----w- c:\program files\Google
2009-09-27 21:04 . 2009-09-27 20:44 -------- d-----w- c:\documents and settings\po\Application Data\Media Player Classic
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\po\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 11:54 . 2009-09-23 19:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 11:53 . 2009-09-23 19:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 335872]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-16 163840]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"gusvc"=2 (0x2)
"wuauserv"=2 (0x2)
"6to4"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\G & Co.Ltd\\IOServers\\GatewayHost.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21.9.2008 г. 10:35 685816]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [07.9.2008 г. 11:52 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [07.9.2008 г. 11:52 6656]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [11.11.2009 г. 20:02 27632]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [11.11.2009 г. 19:59 90112]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12.11.2009 г. 18:32 13224]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [11.11.2009 г. 20:00 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [11.11.2009 г. 20:00 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [11.11.2009 г. 20:00 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [11.11.2009 г. 20:00 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [11.11.2009 г. 20:00 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [11.11.2009 г. 20:00 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [11.11.2009 г. 20:00 115752]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [01.12.2008 г. 21:14 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [01.12.2008 г. 21:15 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [01.12.2008 г. 21:15 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [01.12.2008 г. 21:15 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [01.12.2008 г. 21:15 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [01.12.2008 г. 21:15 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [01.12.2008 г. 21:15 97704]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\po\Application Data\Mozilla\Firefox\Profiles\4zewgcx2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaldata.com/forums/index.php?showtopic=142099
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\hijackthis\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 08:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys sptd.sys hal.dll >>UNKNOWN [0x8A2818AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf74accb8
\Driver\atapi -> atapi.sys @ 0xf783bb40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compa -> SendCompleteHandler -> NDIS.sys @ 0xf7a22b0a
PacketIndicateHandler -> NDIS.sys @ 0xf7a2da21
SendHandler -> NDIS.sys @ 0xf7a22949
user & kernel MBR OK

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF783BB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF783BB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF783BB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF783BB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF783BB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF783BB40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(860)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-11-21 08:33
ComboFix-quarantined-files.txt 2009-11-21 06:33

Pre-Run: 4 800 729 088 bytes free
Post-Run: 4 953 350 144 bytes free

- - End Of File - - 6DB9870B08859CAB44899B1482A6B164
-
Trojan [Solved]
Malwarebytes' Anti-Malware 1.41
Версия на базата от данни: 3202
Windows 5.1.2600 Service Pack 3

20.11.2009 г. 19:26:41
mbam-log-2009-11-20 (19-26-41).txt

Тип сканиране: Пълно сканиране (C:\|)
Сканирани обекти: 138817
Изминало време: 24 minute(s), 43 second(s)

Заразени процеси в паметта: 0
Заразени модули в паметта: 0
Заразени ключове в регистратурата: 0
Заразени стойности в регистратурата: 0
Заразени информационни обекти в регистратурата: 0
Заразени папки: 0
Заразени файлове: 1

Заразени процеси в паметта:
(Не бяха открити заплахи)

Заразени модули в паметта:
(Не бяха открити заплахи)

Заразени ключове в регистратурата:
(Не бяха открити заплахи)

Заразени стойности в регистратурата:
(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:
(Не бяха открити заплахи)

Заразени папки:
(Не бяха открити заплахи)

Заразени файлове:
C:\Documents and Settings\po\Local Settings\temp\ie.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:19, on 20.11.2009 г.
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Kaldata.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Program Files\QIP\qip.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255021797379
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 4394 bytes
-
Virus [Solved]
Thanks once again!
-
Virus [Solved]
I have one last question, regarding passwords: do I need to change them, given that they were never saved anywhere on the PC (the settings of all my programs are set not to remember passwords), or could they have been captured while being entered in the browser or somewhere else? Thank you for the attention, and I wish the whole team success.
-
Virus [Solved]
Maniac, hello! Today I decided to run Malwarebytes as a precaution to scan partition D:/ and my external hard drive, and it found some worms; after that I also ran HijackThis. Here are the logs:

Malwarebytes' Anti-Malware 1.41
Версия на базата от данни: 2914
Windows 5.1.2600 Service Pack 3

06.10.2009 г. 12:12:42
mbam-log-2009-10-06 (12-12-42).txt

Тип сканиране: Пълно сканиране (C:\|W:\|)
Сканирани обекти: 236589
Изминало време: 43 minute(s), 27 second(s)

Заразени процеси в паметта: 0
Заразени модули в паметта: 0
Заразени ключове в регистратурата: 0
Заразени стойности в регистратурата: 0
Заразени информационни обекти в регистратурата: 0
Заразени папки: 0
Заразени файлове: 4

Заразени процеси в паметта:
(Не бяха открити заплахи)

Заразени модули в паметта:
(Не бяха открити заплахи)

Заразени ключове в регистратурата:
(Не бяха открити заплахи)

Заразени стойности в регистратурата:
(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:
(Не бяха открити заплахи)

Заразени папки:
(Не бяха открити заплахи)

Заразени файлове:
C:\System Volume Information\_restore{182A7B9C-CF01-4CB9-A546-A71953D15847}\RP123\A0032921.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{182A7B9C-CF01-4CB9-A546-A71953D15847}\RP123\A0033134.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{182A7B9C-CF01-4CB9-A546-A71953D15847}\RP123\A0033350.sys (Worm.Agent) -> Quarantined and deleted successfully.
W:\1\Pesho Toshiba\Pesho_Final_Toshiba\Pesho\Games\Chesses\kashparov chessmate + keygen\keygen.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:12, on 06.10.2009 г.
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\HijackThis\Kaldata.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Program Files\QIP\qip.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220874234458
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5810 bytes
-
Virus [Solved]
Thanks, I deleted prefs.js and prefs.js.BAK and search.qip.ru disappeared; then I just set up the browser the way I want it. So I assume my system is clean now? I'll install NOD32 2.7; after that, should I send the program's report? Is it necessary to uninstall ComboFix this way:

To uninstall ComboFix and all the backup copies of the files it removed:
* Click the Start button and choose Run
* Type ComboFix /u in the box and choose OK
Note: Note that there is a space between ComboFix and /u, which must be there.

This procedure will delete the following:
* ComboFix and all files and folders associated with it.
* The VundoFix backup (if it exists).
* The Deckard folder (if it exists).
* The _OtMoveIt folder (if it exists).
and will:
* Reset the clock settings.
* Hide file extensions, if necessary.
* Hide system files, if necessary.
* Reset System Restore.
-
Virus [Solved]
Done. Attach.txt DDS.txt
-
Virus [Solved]
It didn't work.
-
Virus [Solved]
ComboFix 09-10-04.01 - po 10.2009 г. 14:59.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.1535.1202 [GMT 3:00]
Running from: c:\documents and settings\po\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\po\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.
2009-10-04 17:15 . 2009-10-04 17:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-04 17:14 . 2009-10-04 17:14 -------- d-----w- c:\program files\Common Files\Skype
2009-10-04 12:59 . 2009-10-04 12:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-04 12:58 . 2009-10-04 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Teleca
2009-10-04 12:57 . 2009-10-04 12:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Ericsson
2009-10-03 18:55 . 2009-10-03 21:39 -------- d-----w- C:\HijackThis
2009-10-03 15:25 . 2009-10-03 15:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-03 15:25 . 2009-10-03 15:25 -------- d--h--w- c:\windows\PIF
2009-09-27 20:44 . 2009-09-27 21:04 -------- d-----w- c:\documents and settings\po\Application Data\Media Player Classic
2009-09-27 15:51 . 2009-09-27 15:51 -------- d-----w- c:\windows\system32\LogFiles
2009-09-24 19:24 . 2009-10-03 15:25 -------- d-----w- c:\program files\CoreCodec
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\po\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 19:36 . 2009-10-03 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 17:38 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\po\Application Data\Skype
2009-10-04 17:14 . 2008-09-07 14:17 -------- d-----r- c:\program files\Skype
2009-10-04 17:14 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-04 17:02 . 2008-09-08 17:27 -------- d-----w- c:\documents and settings\po\Application Data\skypePM
2009-10-04 10:31 . 2008-09-05 10:28 -------- d-----w- c:\program files\Eset
2009-10-04 00:23 . 2009-08-10 21:17 -------- d-----w- c:\documents and settings\po\Application Data\uTorrent
2009-10-03 15:24 . 2008-09-06 19:54 -------- d-----w- c:\program files\BSplayerPro
2009-10-03 15:20 . 2008-09-10 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-03 13:53 . 2008-09-06 20:15 -------- d-----w- c:\program files\CyberLink
2009-10-03 13:48 . 2008-09-07 14:14 -------- d-----w- c:\program files\Google
2009-09-19 19:20 . 2008-09-05 09:04 18696 ----a-w- c:\documents and settings\po\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 12:27 . 2008-09-07 19:48 -------- d-----w- c:\program files\BitComet
2009-09-03 19:34 . 2009-09-03 19:32 -------- d-----w- c:\documents and settings\po\Application Data\vlc
2009-08-23 18:14 . 2009-08-11 21:48 -------- d-----w- c:\program files\Opera
2009-08-16 15:08 . 2004-01-22 16:06 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-12 13:47 . 2009-08-10 21:10 -------- d-----w- c:\program files\The KMPlayer
2009-08-12 08:29 . 2008-09-08 07:09 -------- d-----w- c:\program files\QIP
2009-08-10 21:19 . 2009-08-10 21:19 -------- d-----w- c:\program files\uTorrent
2009-07-25 08:52 . 2009-07-25 08:52 30688 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-07-25 08:52 . 2009-07-25 08:52 249152 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-07-25 08:51 . 2009-07-25 08:51 96320 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-07-25 08:28 . 2009-07-25 08:29 720896 ----a-w- c:\windows\iun6002.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-16 163840]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-12-27 988736]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-27 118784]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"gusvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\G & Co.Ltd\\IOServers\\GatewayHost.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [07.9.2008 г. 12:52 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [07.9.2008 г. 12:52 6656]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [01.12.2008 г. 22:14 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [01.12.2008 г. 22:15 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [01.12.2008 г. 22:15 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [01.12.2008 г. 22:15 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [01.12.2008 г. 22:15 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [01.12.2008 г. 22:15 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [01.12.2008 г. 22:15 97704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\po\Application Data\Mozilla\Firefox\Profiles\4zewgcx2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaldata.com/forums/index.php?showtopic=137829
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 15:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3424)
c:\program files\Sony Ericsson\Mobile2\File Manager\FM.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Common Files\Teleca Shared\tlib_log.dll
c:\program files\Common Files\Teleca Shared\boost_log-vc71-mt-1_33.dll
c:\program files\Common Files\Teleca Shared\TC Device Mgmt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Netropa\OSD.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
.
**************************************************************************
.
Completion time: 2009-10-05 15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 12:05
ComboFix2.txt 2009-10-04 19:47
ComboFix3.txt 2009-10-04 10:41

Pre-Run: 2 394 935 296 bytes free
Post-Run: 2 364 895 232 bytes free
-
Virus [Solved]
After ComboFix finished, the Language Bar disappeared again. I hope, as you said, that it's not a problem. Here is the log:

ComboFix 09-10-04.01 - po 10.2009 г. 22:41.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.1535.1192 [GMT 3:00]
Running from: c:\documents and settings\po\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\po\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-04 17:15 . 2009-10-04 17:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-04 17:14 . 2009-10-04 17:14 -------- d-----w- c:\program files\Common Files\Skype
2009-10-04 12:59 . 2009-10-04 12:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-04 12:58 . 2009-10-04 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Teleca
2009-10-04 12:57 . 2009-10-04 12:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Ericsson
2009-10-03 18:55 . 2009-10-03 21:39 -------- d-----w- C:\HijackThis
2009-10-03 15:25 . 2009-10-03 15:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-03 15:25 . 2009-10-03 15:25 -------- d--h--w- c:\windows\PIF
2009-09-27 20:44 . 2009-09-27 21:04 -------- d-----w- c:\documents and settings\po\Application Data\Media Player Classic
2009-09-27 15:51 . 2009-09-27 15:51 -------- d-----w- c:\windows\system32\LogFiles
2009-09-24 19:24 . 2009-10-03 15:25 -------- d-----w- c:\program files\CoreCodec
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\po\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 19:36 . 2009-10-03 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 17:38 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\po\Application Data\Skype
2009-10-04 17:14 . 2008-09-07 14:17 -------- d-----r- c:\program files\Skype
2009-10-04 17:14 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-04 17:02 . 2008-09-08 17:27 -------- d-----w- c:\documents and settings\po\Application Data\skypePM
2009-10-04 10:31 . 2008-09-05 10:28 -------- d-----w- c:\program files\Eset
2009-10-04 00:23 . 2009-08-10 21:17 -------- d-----w- c:\documents and settings\po\Application Data\uTorrent
2009-10-03 15:24 . 2008-09-06 19:54 -------- d-----w- c:\program files\BSplayerPro
2009-10-03 15:20 . 2008-09-10 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-03 13:53 . 2008-09-06 20:15 -------- d-----w- c:\program files\CyberLink
2009-10-03 13:48 . 2008-09-07 14:14 -------- d-----w- c:\program files\Google
2009-09-19 19:20 . 2008-09-05 09:04 18696 ----a-w- c:\documents and settings\po\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 12:27 . 2008-09-07 19:48 -------- d-----w- c:\program files\BitComet
2009-09-03 19:34 . 2009-09-03 19:32 -------- d-----w- c:\documents and settings\po\Application Data\vlc
2009-08-23 18:14 . 2009-08-11 21:48 -------- d-----w- c:\program files\Opera
2009-08-16 15:08 . 2004-01-22 16:06 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-12 13:47 . 2009-08-10 21:10 -------- d-----w- c:\program files\The KMPlayer
2009-08-12 08:29 . 2008-09-08 07:09 -------- d-----w- c:\program files\QIP
2009-08-10 21:19 . 2009-08-10 21:19 -------- d-----w- c:\program files\uTorrent
2009-07-25 08:52 . 2009-07-25 08:52 30688 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-07-25 08:52 . 2009-07-25 08:52 249152 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-07-25 08:51 . 2009-07-25 08:51 96320 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-07-25 08:28 . 2009-07-25 08:29 720896 ----a-w- c:\windows\iun6002.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-16 163840]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-12-27 988736]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-27 118784]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"gusvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\G & Co.Ltd\\IOServers\\GatewayHost.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [07.9.2008 г. 12:52 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [07.9.2008 г. 12:52 6656]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [01.12.2008 г. 22:14 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [01.12.2008 г. 22:15 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [01.12.2008 г. 22:15 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [01.12.2008 г. 22:15 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [01.12.2008 г. 22:15 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [01.12.2008 г. 22:15 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [01.12.2008 г. 22:15 97704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\po\Application Data\Mozilla\Firefox\Profiles\4zewgcx2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaldata.com/forums/index.php?showtopic=137829
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3220)
c:\program files\Sony Ericsson\Mobile2\File Manager\FM.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Common Files\Teleca Shared\tlib_log.dll
c:\program files\Common Files\Teleca Shared\boost_log-vc71-mt-1_33.dll
c:\program files\Common Files\Teleca Shared\TC Device Mgmt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Netropa\OSD.exe
c:\windows\system32\wscntfy.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
.
**************************************************************************
.
Completion time: 2009-10-04 22:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 19:47
ComboFix2.txt 2009-10-04 10:41

Pre-Run: 2 441 478 144 bytes free
Post-Run: 2 435 276 800 bytes free
-
Virus [Solved]
"We partly removed it at the very beginning, but not entirely. If you don't want it to open, you can change it from your browser's settings." I have done that. I removed all search engines from the browser except Google. I have no idea where to remove this Russian search engine from? There is one more thing that is a bit strange, which is why I'm describing it: twice now after a restart the Language Bar has disappeared, and when I go into the settings under Advanced, 'Turn off advanced text services' has checked itself. Is this a security problem, or is it something temporary because of all the changes we've been making? I did everything up to the installation of the antivirus program, and I want to ask whether I can install the old version of NOD, for 2 reasons: first, the new versions load the machine quite a lot and mine is rather weak, and the second is understandable, but I'd rather not mention it here; I hope you understand me!?
-
Virus [Solved]
Maniac, I forgot to mention that before posting on the forum I uninstalled Adobe Reader 7.0 and Adobe Flash Player, because I read that they have security holes, and I still haven't reinstalled them with the latest versions. I also want to say that just now, when searching, instead of typing in the Google bar I typed in the Address bar and http://search.qip.ru loaded, which I think we deleted above, but I'm still not entirely sure, which is why I'm writing. I had also forgotten to say that I disabled Autorun a long time ago, in connection with which I want to ask: is it possible that there is a RootKit on the PC? I saw that you just wrote; I'm getting on with the instructions right away.
-
Virus [Solved]
Maniac, last night after ComboFix finished I installed NOD again; today, after reading, I uninstalled it again. I mention it in case it matters. Here is the log:

ComboFix 09-10-01.05 - po 10.2009 г. 13:36.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.1535.1227 [GMT 3:00]
Running from: c:\documents and settings\po\Desktop\Tool.exe
Command switches used :: c:\documents and settings\po\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-03 18:55 . 2009-10-03 21:39 -------- d-----w- C:\HijackThis
2009-10-03 15:25 . 2009-10-03 15:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-03 15:25 . 2009-10-03 15:25 -------- d--h--w- c:\windows\PIF
2009-09-27 20:44 . 2009-09-27 21:04 -------- d-----w- c:\documents and settings\po\Application Data\Media Player Classic
2009-09-27 15:51 . 2009-09-27 15:51 -------- d-----w- c:\windows\system32\LogFiles
2009-09-24 19:24 . 2009-10-03 15:25 -------- d-----w- c:\program files\CoreCodec
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\po\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 19:36 . 2009-10-03 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 10:31 . 2008-09-05 10:28 -------- d-----w- c:\program files\Eset
2009-10-04 00:23 . 2009-08-10 21:17 -------- d-----w- c:\documents and settings\po\Application Data\uTorrent
2009-10-03 15:24 . 2008-09-06 19:54 -------- d-----w- c:\program files\BSplayerPro
2009-10-03 15:20 . 2008-09-10 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-03 13:53 . 2008-09-06 20:15 -------- d-----w- c:\program files\CyberLink
2009-10-03 13:48 . 2008-09-07 14:14 -------- d-----w- c:\program files\Google
2009-09-19 19:20 . 2008-09-05 09:04 18696 ----a-w- c:\documents and settings\po\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 13:15 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\po\Application Data\Skype
2009-09-15 13:01 . 2008-09-08 17:27 -------- d-----w- c:\documents and settings\po\Application Data\skypePM
2009-09-05 12:27 . 2008-09-07 19:48 -------- d-----w- c:\program files\BitComet
2009-09-03 19:34 . 2009-09-03 19:32 -------- d-----w- c:\documents and settings\po\Application Data\vlc
2009-08-23 18:14 . 2009-08-11 21:48 -------- d-----w- c:\program files\Opera
2009-08-16 15:08 . 2004-01-22 16:06 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-12 13:47 . 2009-08-10 21:10 -------- d-----w- c:\program files\The KMPlayer
2009-08-12 08:29 . 2008-09-08 07:09 -------- d-----w- c:\program files\QIP
2009-08-10 21:19 . 2009-08-10 21:19 -------- d-----w- c:\program files\uTorrent
2009-08-05 12:50 . 2009-08-03 19:20 -------- d-----w- c:\program files\Total Video Converter
2009-07-25 08:52 . 2009-07-25 08:52 30688 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-07-25 08:52 . 2009-07-25 08:52 249152 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-07-25 08:51 . 2009-07-25 08:51 96320 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-07-25 08:28 . 2009-07-25 08:29 720896 ----a-w- c:\windows\iun6002.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-16 163840]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-12-27 988736]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-27 118784]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"gusvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\G & Co.Ltd\\IOServers\\GatewayHost.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [07.9.2008 г. 12:52 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [07.9.2008 г. 12:52 6656]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [01.12.2008 г. 22:14 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [01.12.2008 г. 22:15 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [01.12.2008 г. 22:15 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [01.12.2008 г. 22:15 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [01.12.2008 г. 22:15 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [01.12.2008 г. 22:15 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [01.12.2008 г. 22:15 97704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\po\Application Data\Mozilla\Firefox\Profiles\4zewgcx2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaldata.com/forums/index.php?showtopic=137829
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 13:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3488)
c:\program files\Sony Ericsson\Mobile2\File Manager\FM.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Common Files\Teleca Shared\tlib_log.dll
c:\program files\Common Files\Teleca Shared\boost_log-vc71-mt-1_33.dll
c:\program files\Common Files\Teleca Shared\TC Device Mgmt.dll
.
Completion time: 2009-10-04 13:41
ComboFix-quarantined-files.txt 2009-10-04 10:41
ComboFix2.txt 2009-10-03 22:54

Pre-Run: 1 952 751 616 bytes free
Post-Run: 1 920 684 032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
-
Virus [Solved]
Maniac, I had to uninstall NOD32 because it would not stop in any way, when I tried to stop the process and also through msconfig; the result after the uninstall is as follows:

ComboFix 09-10-01.05 - po 10.2009 г. 1:47.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.1535.1178 [GMT 3:00]
Running from: c:\documents and settings\po\Desktop\Tool.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\aa9e40.msp
c:\windows\Installer\aa9e41.msp
c:\windows\Installer\aa9e42.msp
c:\windows\Installer\aa9e43.msp
c:\windows\Installer\aa9e44.msp
c:\windows\Installer\aa9e45.msp
c:\windows\Installer\aa9e46.msp
c:\windows\Installer\aa9e47.msp
c:\windows\Installer\aa9e48.msp
c:\windows\Installer\ad6138.msp
c:\windows\Installer\ad6139.msp
c:\windows\Installer\ad613a.msp
c:\windows\Installer\ad613b.msp
c:\windows\Installer\ad613c.msp
c:\windows\Installer\ad613d.msp
c:\windows\Installer\ad613e.msp
c:\windows\Installer\ad613f.msp
c:\windows\Installer\ad6140.msp
c:\windows\Installer\ad6141.msp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OREANS32
-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.
2009-10-03 18:55 . 2009-10-03 21:39 -------- d-----w- C:\HijackThis
2009-10-03 15:25 . 2009-10-03 15:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-03 15:25 . 2009-10-03 15:25 -------- d--h--w- c:\windows\PIF
2009-09-27 20:44 . 2009-09-27 21:04 -------- d-----w- c:\documents and settings\po\Application Data\Media Player Classic
2009-09-27 15:51 . 2009-09-27 15:51 -------- d-----w- c:\windows\system32\LogFiles
2009-09-24 19:24 . 2009-10-03 15:25 -------- d-----w- c:\program files\CoreCodec
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\po\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 19:36 . 2009-09-23 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 19:36 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 19:36 . 2009-10-03 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 22:43 . 2009-08-10 21:17 -------- d-----w- c:\documents and settings\po\Application Data\uTorrent
2009-10-03 22:41 . 2008-09-05 10:28 -------- d-----w- c:\program files\Eset
2009-10-03 15:24 . 2008-09-06 19:54 -------- d-----w- c:\program files\BSplayerPro
2009-10-03 15:20 . 2008-09-10 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-03 13:53 . 2008-09-06 20:15 -------- d-----w- c:\program files\CyberLink
2009-10-03 13:48 . 2008-09-07 14:14 -------- d-----w- c:\program files\Google
2009-09-19 19:20 . 2008-09-05 09:04 18696 ----a-w- c:\documents and settings\po\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 13:15 . 2008-09-07 14:17 -------- d-----w- c:\documents and settings\po\Application Data\Skype
2009-09-15 13:01 . 2008-09-08 17:27 -------- d-----w- c:\documents and settings\po\Application Data\skypePM
2009-09-05 12:27 . 2008-09-07 19:48 -------- d-----w- c:\program files\BitComet
2009-09-03 19:34 . 2009-09-03 19:32 -------- d-----w- c:\documents and settings\po\Application Data\vlc
2009-08-23 18:14 . 2009-08-11 21:48 -------- d-----w- c:\program files\Opera
2009-08-16 15:08 . 2004-01-22 16:06 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-12 13:47 . 2009-08-10 21:10 -------- d-----w- c:\program files\The KMPlayer
2009-08-12 08:29 . 2008-09-08 07:09 -------- d-----w- c:\program files\QIP
2009-08-10 21:19 . 2009-08-10 21:19 -------- d-----w- c:\program files\uTorrent
2009-08-05 12:50 . 2009-08-03 19:20 -------- d-----w- c:\program files\Total Video Converter
2009-07-25 08:52 . 2009-07-25 08:52 30688 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-07-25 08:52 . 2009-07-25 08:52 249152 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-07-25 08:51 . 2009-07-25 08:51 96320 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-07-25 08:28 . 2009-07-25 08:29 720896 ----a-w- c:\windows\iun6002.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-16 163840]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-12-27 988736]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-27 118784]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"gusvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\G & Co.Ltd\\IOServers\\GatewayHost.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [07.9.2008 г. 12:52 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [07.9.2008 г. 12:52 6656]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [01.12.2008 г. 22:14 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [01.12.2008 г. 22:15 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [01.12.2008 г. 22:15 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [01.12.2008 г. 22:15 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [01.12.2008 г. 22:15 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [01.12.2008 г. 22:15 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [01.12.2008 г. 22:15 97704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\po\Application Data\Mozilla\Firefox\Profiles\4zewgcx2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaldata.com/forums/index.php?showtopic=137829
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BC2BackUp - (no file)
AddRemove-HijackThis - c:\hijackthis\HijackThis.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 01:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(3428)
c:\program files\Sony Ericsson\Mobile2\File Manager\FM.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Common Files\Teleca Shared\tlib_log.dll
c:\program files\Common Files\Teleca Shared\boost_log-vc71-mt-1_33.dll
c:\program files\Common Files\Teleca Shared\TC Device Mgmt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Netropa\OSD.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
.
**************************************************************************
.
Completion time: 2009-10-03 1:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-03 22:54
Pre-Run: 1 935 224 832 bytes free
Post-Run: 1 986 396 160 bytes free
-
Virus [Solved]
Hello, the first thing that caught my attention is this message:

16 bit MS-DOS Susystem
C:\WINDOWS\Sysvxd.exe
TheNTVDM CPU has encountered an illegal instruction. CS:0000 IP:0325 OP:00 00 00 00 00 Choose 'Close' to terminate the applicaton.

with two possible buttons, 'Close' and 'Ignore' - see the attached file.

After that I noticed a shortcut on the Desktop, "Adobe Gamma Loader". Here is the Malwarebytes log from before I got to the topic in the forum:

Malwarebytes' Anti-Malware 1.41
Версия на базата от данни: 2887
Windows 5.1.2600 Service Pack 3

02.10.2009 г. 00:11:36
mbam-log-2009-10-02 (00-11-36).txt

Тип сканиране: Бързо сканиране
Сканирани обекти: 39346
Изминало време: 1 hour(s), 1 minute(s), 4 second(s)

Заразени процеси в паметта: 0
Заразени модули в паметта: 0
Заразени ключове в регистратурата: 0
Заразени стойности в регистратурата: 0
Заразени информационни обекти в регистратурата: 0
Заразени папки: 0
Заразени файлове: 1

Заразени процеси в паметта:
(Не бяха открити заплахи)

Заразени модули в паметта:
(Не бяха открити заплахи)

Заразени ключове в регистратурата:
(Не бяха открити заплахи)

Заразени стойности в регистратурата:
(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:
(Не бяха открити заплахи)

Заразени папки:
(Не бяха открити заплахи)

Заразени файлове:
c:\WINDOWS\system32\drivers\oreans32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

These are from after I removed some programs and after I read the topic on malicious software:

Malwarebytes' Anti-Malware 1.41
Версия на базата от данни: 2900
Windows 5.1.2600 Service Pack 3

03.10.2009 г. 21:07:20
mbam-log-2009-10-03 (21-07-20).txt

Тип сканиране: Пълно сканиране (C:\|)
Сканирани обекти: 119654
Изминало време: 16 minute(s), 25 second(s)

Заразени процеси в паметта: 1
Заразени модули в паметта: 0
Заразени ключове в регистратурата: 0
Заразени стойности в регистратурата: 1
Заразени информационни обекти в регистратурата: 0
Заразени папки: 0
Заразени файлове: 3

Заразени процеси в паметта:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> Unloaded process successfully.

Заразени модули в паметта:
(Не бяха открити заплахи)

Заразени ключове в регистратурата:
(Не бяха открити заплахи)

Заразени стойности в регистратурата:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Заразени информационни обекти в регистратурата:
(Не бяха открити заплахи)

Заразени папки:
(Не бяха открити заплахи)

Заразени файлове:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\po\Local Settings\Temp\ie.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.41
Версия на базата от данни: 2900
Windows 5.1.2600 Service Pack 3

03.10.2009 г. 21:42:50
mbam-log-2009-10-03 (21-42-50).txt

Тип сканиране: Пълно сканиране (C:\|)
Сканирани обекти: 119694
Изминало време: 16 minute(s), 26 second(s)

Заразени процеси в паметта: 0
Заразени модули в паметта: 0
Заразени ключове в регистратурата: 0
Заразени стойности в регистратурата: 0
Заразени информационни обекти в регистратурата: 0
Заразени папки: 0
Заразени файлове: 0

Заразени процеси в паметта:
(Не бяха открити заплахи)

Заразени модули в паметта:
(Не бяха открити заплахи)

Заразени ключове в регистратурата:
(Не бяха открити заплахи)

Заразени стойности в регистратурата:
(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:
(Не бяха открити заплахи)

Заразени папки:
(Не бяха открити заплахи)

Заразени файлове:
(Не бяха открити заплахи)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:31, on 03.10.2009 г.
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Kaldata.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\po\Application Data\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\po\Application Data\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Program Files\QIP\qip.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220874234458
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Win32Sl - Unknown owner - C:\dmi\win32\bin\Win32sl.exe (file missing)

--
End of file - 6962 bytes
-
Virus [Solved]