Kaldata.com - Forums

Приложение на форума на цял екран с push известия, значки и други.

За да инсталирате това приложение на iOS и iPadOS
  1. Докоснете Иконата за споделяне в Safari
  2. Превъртете менюто и докоснете Добавяне към началния екран.
  3. Докоснете Добавяне в горния десен ъгъл.
За да инсталирате това приложение на Android
  1. Докоснете менюто с 3 точки (⋮) в горния десен ъгъл на браузъра.
  2. Докоснете Добавяне към началния екран или Инсталиране на приложение.
  3. Потвърдете, като докоснете Инсталиране.

Добре дошли!

Добре дошли в нашите форуми, пълни с полезна информация. Имате проблем с компютъра или телефона си? Публикувайте нова тема и ще намерите решение на всичките си проблеми. Общувайте свободно и открийте безброй нови приятели.

Моля, регистрирайте се за да публикувате тема и да получите пълен достъп до всички функции.

 

Help with detecting and removing viruses, Trojan horses, etc., part 2


How do I upload it? Not a single antivirus can find it, it just shows up when Skype starts. And this appeared after scanning, I don't even know what it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:56, on 9.2.2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\SYSTEM32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\vsnpstd3.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Users\tuni\Desktop\uTorrent.exe

C:\Users\tuni\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\conime.exe

C:\Program Files\PremierOpinion\pmropn.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Users\tuni\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\tuni\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\tuni\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\tuni\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\tuni\AppData\Local\Google\Chrome\Application\chrome.exe

E:\post.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=66019

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66019

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66019

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:\Users\tuni\AppData\Roaming\Mail.Ru\Agent\Mra\dll\newmrasearch.dll (file missing)

O1 - Hosts: ::1 localhost

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Samurai Popup Blocker - {75784982-2697-4fb9-890F-44F30E50CF4D} - E:\ICOOOO\Antivirus\Samurai\Samurai v2.7\PopupBlocker.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll (file missing)

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Power Video Converter\msdxm.ocx

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [LanzarL2007] "C:\Users\tuni\AppData\Local\Temp\{AE567650-D834-412F-99ED-C055ECED3AE6}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0002"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [tsnpstd3] C:\Windows\tsnpstd3.exe

O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe

O4 - HKCU\..\Run: [uTorrent] "C:\Users\tuni\Desktop\uTorrent.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\tuni\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Startup: Online Wallpaper.lnk = C:\Program Files\Online Wallpaper Changer\OnlineWallpaper.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: &С&валяне &с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &С&валяне на всички с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &С&валяне на всичкото видео с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O13 - Gopher Prefix:

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://77.77.141.197/activex/AMC.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CE7B7FC4-661B-42FD-B57D-DDAD18A22042}: NameServer = 4.2.2.2 212.39.90.42

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {3A17D614-74F3-4240-9183-5392760B0A8E} - (no file)

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe

O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe

O23 - Service: PremierOpinion - VoiceFive Networks, Inc. - C:\Program Files\PremierOpinion\pmservice.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe (file missing)

O23 - Service: Samurai Service - Unknown owner - E:\ICOOOO\Antivirus\Samurai\Samurai v2.7\SysTrayHook.exe (file missing)

There is a dedicated thread for these logs, and the logs are posted there!!

Open HijackThis, choose Do a system scan only and tick the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=66019

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66019

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66019

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:\Users\tuni\AppData\Roaming\Mail.Ru\Agent\Mra\dll\newmrasearch.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Samurai Popup Blocker - {75784982-2697-4fb9-890F-44F30E50CF4D} - E:\ICOOOO\Antivirus\Samurai\Samurai v2.7\PopupBlocker.dll (file missing)

O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll (file missing)

Unknown

O4 - HKLM\..\Run: [LanzarL2007] "C:\Users\tuni\AppData\Local\Temp\{AE567650-D834-412F-99ED-C055ECED3AE6}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0002"

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://77.77.141.197/activex/AMC.cab

O18 - Filter hijack: text/html - {3A17D614-74F3-4240-9183-5392760B0A8E} - (no file)

O23 - Service: Panda IManager Service (PSIMSVC) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe (file missing)

O23 - Service: Samurai Service - Unknown owner - E:\ICOOOO\Antivirus\Samurai\Samurai v2.7\SysTrayHook.exe (file missing)

Close the browser and click the Fix Checked button.

We will remove that, but evidently it is not the only problem, so I also expect a log file from ComboFix.

1. Download ComboFix

2. Save it to the desktop

3. Go to Start -> Run... and enter the following command, followed by OK:

"%userprofile%\desktop\combofix.exe" /killall

4. After the program finishes, Notepad will open; copy its contents and paste them in your next post here.
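The entries ticked above fall into a few recognisable classes: orphaned entries whose target file is gone ("(file missing)", "(no file)"), IE start/search pages redirected away from the Microsoft defaults (crawler.com, daemon-search.com), an autorun launched from a Temp directory, downloaded ActiveX controls (O16), one of them served from a raw IP address, and a text/html filter hijack (O18). The following Python script is an added example, not code from the post or from HijackThis, that applies those rules to HijackThis lines. The sample lines are copied from the log above; the trusted-domain list and the "fix" versus "review" verdicts are the example's own heuristics, not HijackThis output.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=66019
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:\Users\tuni\AppData\Roaming\Mail.Ru\Agent\Mra\dll\newmrasearch.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [LanzarL2007] "C:\Users\tuni\AppData\Local\Temp\{AE567650-D834-412F-99ED-C055ECED3AE6}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0002"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://77.77.141.197/activex/AMC.cab
O18 - Filter hijack: text/html - {3A17D614-74F3-4240-9183-5392760B0A8E} - (no file)
"""

# Assumption: these are the domains the IE defaults point at; anything else in an
# R0/R1 line is treated as a hijacked start/search page.
TRUSTED_DOMAINS = ("microsoft.com", "google.com")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
URL_RE = re.compile(r"https?://\S+")


def host_of(line):
    """Hostname of the first URL in the line, or '' if there is none."""
    m = URL_RE.search(line)
    return (urlparse(m.group()).hostname or "") if m else ""


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return (verdict, reason) for one HijackThis entry, or None if it looks benign.

    verdict is 'fix' (tick it in HijackThis) or 'review' (look before you fix).
    """
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]            # R0, R1, R3, O2, O4, O16, O18 ...
    host = host_of(line)
    if section == "O18" and "Filter hijack" in line:
        return ("fix", "text/html filter hijack")
    if any(marker in line for marker in ORPHAN_MARKERS):
        return ("fix", "orphaned entry, target file is gone")
    if section in ("R0", "R1") and host and not is_trusted(host):
        return ("fix", "IE start/search page redirected to " + host)
    if section == "O4" and re.search(r"\\temp\\", line, re.IGNORECASE):
        return ("review", "autorun launched from a Temp directory")
    if section == "O16":
        if is_raw_ip(host):
            return ("fix", "ActiveX control downloaded from a raw IP address")
        return ("review", "downloaded ActiveX control; remove unless still needed")
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(verdict, reason, line), ...]."""
    findings = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            findings.append(result + (line.strip(),))
    return findings


if __name__ == "__main__":
    for verdict, reason, line in triage_log(SAMPLE_LOG):
        print("%-6s %-55s %s" % (verdict, reason, line[:70]))
```

Run on the sample it reports six "fix" entries and two "review" entries (the Temp autorun and the F-Secure online scanner control), and leaves the Java BHO, the Java updater and the go.microsoft.com search page alone, which matches the list ticked in the reply above apart from the empty Local Page and LinksFolderName values, which carry no URL for the heuristic to judge.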

Good afternoon,

Yesterday, through my own "carelessness", I downloaded a keylogger onto my computer. I tried 1-2 anti-spyware programs but I have trouble removing it. I hope you can help me with advice and ideas on what to do.

Thank you in advance.


Please give more information about your operating system, the name of the program (the keylogger), what protection you have, which these 1-2 anti-spyware programs are, and what they report when they fail to remove it, so that we can at least get a sense of what exactly your problem is ...

Edited by stefanvalja

My desktop computer runs Windows XP SP3, and my laptop runs Windows Vista Home Basic; unfortunately I didn't keep the logs, because I reinstalled the desktop computer on which I detected the keylogger. I am now checking my laptop with Malwarebytes' Anti-Malware and AVG. The only thing I know for sure so far is that it is designed to record passwords for World of Warcraft accounts.

The first time I detected it was with NOD32, and whatever it found I deleted. Then I decided to reinstall my desktop computer with a full format, keeping a small part of my data on the laptop (mostly photos and text documents). But they tried to rob my account again, and evidently I infected my laptop too. Now I'm waiting for the scans to finish so that I can post a log.

From the AVG report:

Scan "Scan whole computer" was finished.

Infections;"2";"0";"2"

Information;"2"

Folders selected for scanning:;"Scan whole computer"

Scan started:;"13 February 2009, 18:44"

Scan finished:;"13 February 2009, 20:36 (1 hour(s) 52 minute(s) 31 second(s))"

Total object scanned:;"748655"

User who launched the scan:;"VASIL"

Infections

File;"Infection";"Result"

D:\Instalations\Google Earth Pro 4.2.0205.5730\Google Earth Pro 4.2.exe;"Trojan horse Agent.AWJX";"Infected"

D:\Instalations\Google Earth Pro 4.2.0205.5730\Google Earth Pro 4.2.exe:\$JF\wmplayer.exe;"Trojan horse Agent.AWJX";"Infected"

Warnings

File;"Infection";"Result"

C:\Users\VASIL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite;"Found Tracking cookie.Doubleclick";"Healed"

C:\Users\VASIL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Microsoft\Windows\Cookies\Low\vasil@doubleclick[1].txt;"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Microsoft\Windows\Cookies\Low\vasil@doubleclick[1].txt:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite;"Found Tracking cookie.Doubleclick";"Healed"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\revsci.net.2df99d79;"Found Tracking cookie.Revsci";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Moved to Virus Vault"

C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\revsci.net.e9dbeb91;"Found Tracking cookie.Revsci";"Moved to Virus Vault"

Information

File;"Infection";"Result"

D:\Instalations\vajno\Ultimate-kg.exe;"Runtime packed fsg";""

D:\Instalations\WinRAR 3.71 Final + BG + Keygen\patch.exe;"Runtime packed fsg";""

From the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:43, on 13.2.2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\VASIL\Downloads\HiJackThis.exe

C:\HiJackThis\post.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [uCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{28876572-FB22-44D8-89EE-D4A3640F1EA0}: NameServer = 192.168.2.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{28876572-FB22-44D8-89EE-D4A3640F1EA0}: NameServer = 192.168.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{28876572-FB22-44D8-89EE-D4A3640F1EA0}: NameServer = 192.168.2.1

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Google Update Service (gupdate1c98afb3a1af780) (gupdate1c98afb3a1af780) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 6922 bytes

Malwarebytes' Anti-Malware is still scanning...

Malwarebytes' Anti-Malware 1.34

Database version: 1757

Windows 6.0.6001 Service Pack 1

13.2.2009 21:39:39

mbam-log-2009-02-13 (21-39-39).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 188649

Time elapsed: 2 hour(s), 54 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

:S

Hmm... strange, maybe AVG has done its job.

Do one more thing:

1. Download ComboFix

2. Save it to the desktop

3. Go to Start -> Run... and enter the following command, followed by OK:

"%userprofile%\desktop\combofix.exe" /killall

4. After the program finishes, Notepad will open; copy its contents and paste them in your next post here.
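The AVG report posted above is a semicolon-separated listing with three sections (Infections, Warnings, Information), each introduced by a `File;"Infection";"Result"` header row, and reading it the way the reply above does means separating three things: rows AVG already dealt with ("Healed", "Moved to Virus Vault", all tracking cookies here), the "Runtime packed fsg" rows, which are packer notices on a keygen and a patch rather than detections, and the two "Infected" rows that are still open, which are the same installer reported once as the file and once as an object inside it. The following Python is an added example, not part of the post or of AVG, that parses that format and makes the split. The excerpt is constructed from the report above with fewer rows, and treating `<file>:\<name>` as an object inside a container file on disk is an assumption about AVG's notation.

```python
import csv

# Constructed excerpt of the AVG report posted above (same format, fewer rows).
SAMPLE_REPORT = r"""Scan "Scan whole computer" was finished.
Infections;"2";"0";"2"
Information;"2"
Scan started:;"13 February 2009, 18:44"
Infections
File;"Infection";"Result"
D:\Instalations\Google Earth Pro 4.2.0205.5730\Google Earth Pro 4.2.exe;"Trojan horse Agent.AWJX";"Infected"
D:\Instalations\Google Earth Pro 4.2.0205.5730\Google Earth Pro 4.2.exe:\$JF\wmplayer.exe;"Trojan horse Agent.AWJX";"Infected"
Warnings
File;"Infection";"Result"
C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite;"Found Tracking cookie.Doubleclick";"Healed"
C:\Users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\cookies.sqlite:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Moved to Virus Vault"
Information
File;"Infection";"Result"
D:\Instalations\vajno\Ultimate-kg.exe;"Runtime packed fsg";""
D:\Instalations\WinRAR 3.71 Final + BG + Keygen\patch.exe;"Runtime packed fsg";""
"""

SECTIONS = ("Infections", "Warnings", "Information")
CONTAINED_RESULTS = ("Healed", "Moved to Virus Vault")


def parse_avg_report(text):
    """Return [(section, path, detection, result), ...] for every data row of the report.

    Lines before the first section title (the scan summary) are skipped, as is the
    File;"Infection";"Result" header that opens each section.
    """
    section = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:              # exact match: the summary line "Infections;..." is not a title
            section = line
            continue
        if section is None or line.startswith("File;"):
            continue
        fields = next(csv.reader([line], delimiter=";", quotechar='"'))
        if len(fields) < 3:
            continue
        path, detection, result = fields[0], fields[1], fields[2]
        rows.append((section, path, detection, result))
    return rows


def container_path(path):
    """Map 'D:\\dir\\file.exe:\\inner\\obj' to the file that exists on disk, 'D:\\dir\\file.exe'.

    Assumption: AVG writes an object found inside a container as <container>:\<inner name>,
    so the first ':\' after the drive letter separates the two.
    """
    head, _, _ = path[2:].partition(":\\")
    return path[:2] + head


def triage(rows):
    """Split rows into what still needs action, what AVG already contained, and noise."""
    action, contained, noise = [], [], []
    for section, path, detection, result in rows:
        if section == "Information":
            noise.append((path, detection))          # packer notices, not detections
        elif result in CONTAINED_RESULTS:
            contained.append((path, detection, result))
        else:
            action.append((container_path(path), detection, result))
    # The container and the object inside it are one file to delete or quarantine.
    files_to_handle = sorted({p for p, _, _ in action})
    return {"action": action, "files_to_handle": files_to_handle,
            "contained": contained, "noise": noise}


if __name__ == "__main__":
    summary = triage(parse_avg_report(SAMPLE_REPORT))
    print("still open:", summary["files_to_handle"])
    print("already contained:", len(summary["contained"]),
          "noise:", len(summary["noise"]))
```

On the excerpt the result is one file still open (the Google Earth Pro installer), two contained cookie hits and two packer notices, which is why the only thing left to act on in the full report is that installer and why an otherwise clean MBAM scan is not surprising.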

I have this nasty virus that Microsoft put out in the news, "Conficker AA.Worm". How do I get rid of it? I saw that it can't be removed, but NOD keeps it in quarantine. Give suggestions, please!

Edited by ToH1o

Which version of ESET NOD32 do you have? Versions 3 and 4 detect and remove it successfully.

1. Download ComboFix

2. Save it to the desktop

3. Go to Start -> Run... and enter the following command, followed by OK:

"%userprofile%\desktop\combofix.exe" /killall

4. After the program finishes, Notepad will open; copy its contents and paste them in your next post here.

P.S.: Any comments and logs should go in - Help with detecting and removing viruses, Trojan horses, etc.

Edited by Fixer

Specialized cleaning tools:

1. Microsoft Malicious Software Removal Tool

2. EConfickerRemover (thanks Fixer for the file)

3. McAfee Avert Stinger

4. Symantec FixDownadup

5. Kaspersky KidoKiller

It is also a good idea to install the following updates:

- MS09-001

- MS08-068

- MS08-067

It wouldn't hurt to follow the advice of colleagues Nologo and Fixer as well and to post the MBAM and ComboFix logs.

Edited by B-boy[StyLe]


I scanned, it caught nothing; here is the log from ComboFix:

ComboFix 09-02-12.03 - JH347JHV 2009-02-13 23:57:35.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.767.481 [GMT 2:00]

Running from: c:\documents and settings\JH347JHV\desktop\combofix.exe

Command switches used :: /killall

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))

.

2009-02-13 23:55 . 2009-02-13 23:56 <DIR> d-------- C:\32788R22FWJFW

2009-01-27 23:37 . 2001-08-23 14:00 218,112 --a--c--- c:\windows\system32\dllcache\c_g18030.dll

2009-01-26 00:37 . 2009-01-26 00:37 <DIR> d--hs---- c:\documents and settings\JH347JHV\PrivacIE

2009-01-25 23:47 . 2009-01-25 23:48 <DIR> d--h-c--- c:\windows\ie8

2009-01-21 00:52 . 2009-01-21 00:52 <DIR> d-------- c:\documents and settings\postgres

2009-01-21 00:47 . 2009-01-21 00:47 <DIR> d-------- c:\program files\PostgreSQL

2009-01-20 19:49 . 2009-01-20 19:49 <DIR> d-------- c:\program files\Winamp Toolbar

2009-01-20 19:49 . 2009-01-20 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winamp Toolbar

2009-01-16 08:51 . 2009-01-16 09:03 <DIR> d-------- c:\documents and settings\JH347JHV\Application Data\Belkasoft

2009-01-16 00:17 . 2009-01-16 00:17 <DIR> d-------- c:\documents and settings\JH347JHV\Gadu-Gadu

2009-01-15 10:37 . 2009-01-15 10:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-13 22:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Xfire

2009-02-13 22:02 --------- d-----w c:\documents and settings\JH347JHV\Application Data\zweitgeist

2009-02-13 21:56 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Skype

2009-02-13 16:37 --------- d-----w c:\documents and settings\JH347JHV\Application Data\skypePM

2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 17:44 --------- d-----w c:\documents and settings\JH347JHV\Application Data\GanymedeNet

2009-02-08 16:56 --------- d-----w c:\documents and settings\JH347JHV\Application Data\GSC

2009-02-07 23:41 --------- d-----w c:\program files\TuneUp Utilities 2009

2009-01-20 17:52 --------- d-----w c:\program files\Winamp

2009-01-20 17:52 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Winamp

2009-01-18 13:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-14 19:11 --------- d-----w c:\program files\XAimer

2009-01-11 13:07 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-10 17:00 --------- d-----w c:\program files\Windows Defender

2009-01-10 16:58 --------- d-----w c:\documents and settings\JH347JHV\Application Data\IObit

2009-01-02 14:12 --------- d-----w c:\program files\Acoustica Mixcraft 4

2008-12-29 21:49 --------- d-----w c:\documents and settings\JH347JHV\Application Data\BSplayer PRO

2008-12-27 14:30 --------- d-----w c:\program files\StealthBotBot

2008-12-27 01:30 70,656 ----a-w c:\windows\ScUnin.exe

2008-12-25 08:20 --------- d-----w c:\program files\DAEMON Tools Lite

2008-12-24 20:03 --------- d-----w c:\program files\DAEMON Tools Toolbar

2008-12-24 20:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\DAEMON Tools Pro

2008-12-24 20:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\DAEMON Tools Lite

2008-12-24 20:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\DAEMON Tools

2008-12-24 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2008-12-20 19:01 --------- d-----w c:\program files\Vuze

2008-12-20 19:01 --------- d-----w c:\program files\Mail.Ru

2008-12-20 18:44 737,280 ----a-w c:\windows\iun6002.exe

2008-12-17 22:58 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Azureus

2008-12-17 22:46 --------- d-----w c:\program files\AskSearch

2008-12-17 22:46 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus

2008-12-15 19:15 --------- d-----w c:\program files\Java

2008-12-14 21:38 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Mra

2008-12-14 17:56 --------- d-----w c:\documents and settings\JH347JHV\Application Data\vlc

2008-11-30 13:54 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe

2007-09-08 09:39 22,328 ----a-w c:\documents and settings\JH347JHV\Application Data\PnkBstrK.sys

2008-04-27 21:00 65,536 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042120080428\index.dat

2008-04-27 21:00 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat

2008-04-28 19:55 65,536 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat

2008-04-29 20:58 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat

2008-04-30 20:55 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008043020080501\index.dat

2008-04-30 23:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050120080502\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zweitgeist Assistant"="d:\program files\weblin\weblinAssistant.exe" [2008-12-24 192512]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

"Advanced SystemCare 3"="d:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

"Analogue Vista Clock"="d:\program files\Analogue Vista Clock\Analogue Vista Clock.exe" [2008-12-21 289280]

"SMS by Jeko Ianev"="d:\program files\sms\sms.exe" [2009-01-16 5295616]

"Steam"="d:\program files\steam\steam.exe" [2009-02-11 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

c:\documents and settings\JH347JHV\Start Menu\Programs\Startup\

Xfire.lnk - d:\program files\Xfire\Xfire.exe [2009-01-15 2993488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\program files\Datecs\FlexType 2K\FType2K.exe [2007-08-15 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

2001-12-20 21:34 24576 d:\program files\AlienGuise\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fac13.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Klf28.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nuc76.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xix68.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xyl73.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"nwiz"=nwiz.exe /install

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Fast Chat\\FastChat.exe"=

"d:\\Program Files\\Bitlord\\BitLord.exe"=

"d:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\Program Files\\DAUM\\PotPlayer\\PotPlayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\Operscript\\OperScRipT6.0b\\mirc.exe"=

"d:\\Program Files\\DAUM\\PotPlayer\\daumvsvr.exe"=

"d:\\Program Files\\FileZilla\\filezilla.exe"=

"d:\\Program Files\\WinScp\\WinSCP.exe"=

"c:\\Program Files\\Datecs\\FlexType 2K\\Live\\Live.exe"=

"d:\\Program Files\\DAUM\\PotPlayer\\PotPlayerMini.exe"=

"d:\\Program Files\\Opera\\Opera.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"d:\\Program Files\\Xfire\\Xfire.exe"=

"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"d:\\Games\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Games\\Battlefield 1942\\BF1942.exe"=

"d:\\Games\\Cs1.6\\hl.exe"=

"d:\\Program Files\\Steam\\steamapps\\******\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26261:TCP"= 26261:TCP:PORT_26261

"29935:TCP"= 29935:TCP:PORT_29935

"53418:TCP"= 53418:TCP:PORT_53418

"20611:TCP"= 20611:TCP:PORT_20611

"23180:TCP"= 23180:TCP:PORT_23180

"57637:TCP"= 57637:TCP:PORT_57637

"19325:TCP"= 19325:TCP:PORT_19325

"12254:TCP"= 12254:TCP:PORT_12254

"13551:TCP"= 13551:TCP:PORT_13551

"13531:TCP"= 13531:TCP:PORT_13531

"52790:TCP"= 52790:TCP:PORT_52790

"29985:TCP"= 29985:TCP:PORT_29985

"30293:TCP"= 30293:TCP:PORT_30293

"32945:TCP"= 32945:TCP:PORT_32945

"32915:TCP"= 32915:TCP:PORT_32915

"53598:TCP"= 53598:TCP:PORT_53598

"42997:TCP"= 42997:TCP:PORT_42997

"64656:TCP"= 64656:TCP:PORT_64656

"42688:TCP"= 42688:TCP:PORT_42688

"13091:TCP"= 13091:TCP:PORT_13091

"61626:TCP"= 61626:TCP:PORT_61626

"53829:TCP"= 53829:TCP:PORT_53829

"47423:TCP"= 47423:TCP:PORT_47423

"9250:TCP"= 9250:TCP:PORT_9250

"17810:TCP"= 17810:TCP:PORT_17810

"6142:TCP"= 6142:TCP:PORT_6142

"14637:TCP"= 14637:TCP:PORT_14637

"63832:TCP"= 63832:TCP:PORT_63832

"43790:TCP"= 43790:TCP:PORT_43790

"17408:TCP"= 17408:TCP:PORT_17408

"17300:TCP"= 17300:TCP:PORT_17300

"12926:TCP"= 12926:TCP:PORT_12926

"43593:TCP"= 43593:TCP:PORT_43593

"41101:TCP"= 41101:TCP:PORT_41101

"45716:TCP"= 45716:TCP:PORT_45716

"50689:TCP"= 50689:TCP:PORT_50689

"16581:TCP"= 16581:TCP:PORT_16581

"53976:TCP"= 53976:TCP:PORT_53976

"9711:TCP"= 9711:TCP:PORT_9711

"44559:TCP"= 44559:TCP:PORT_44559

"37016:TCP"= 37016:TCP:PORT_37016

"7696:TCP"= 7696:TCP:PORT_7696

"50137:TCP"= 50137:TCP:PORT_50137

"52875:TCP"= 52875:TCP:PORT_52875

"24644:TCP"= 24644:TCP:PORT_24644

"31736:TCP"= 31736:TCP:PORT_31736

"61016:TCP"= 61016:TCP:PORT_61016

"19285:TCP"= 19285:TCP:PORT_19285

"27388:TCP"= 27388:TCP:PORT_27388

"27301:TCP"= 27301:TCP:PORT_27301

"22654:TCP"= 22654:TCP:PORT_22654

"38779:TCP"= 38779:TCP:PORT_38779

"27806:TCP"= 27806:TCP:PORT_27806

"34231:TCP"= 34231:TCP:PORT_34231

"30853:TCP"= 30853:TCP:PORT_30853

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]

R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-04 603904]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

S0 Fac13;Fac13;c:\windows\system32\Drivers\Fac13.sys --> c:\windows\system32\Drivers\Fac13.sys [?]

S0 Klf28;Klf28;c:\windows\system32\Drivers\Klf28.sys --> c:\windows\system32\Drivers\Klf28.sys [?]

S0 Nuc76;Nuc76;c:\windows\system32\Drivers\Nuc76.sys --> c:\windows\system32\Drivers\Nuc76.sys [?]

S0 Xix68;Xix68;c:\windows\system32\Drivers\Xix68.sys --> c:\windows\system32\Drivers\Xix68.sys [?]

S0 Xyl73;Xyl73;c:\windows\system32\Drivers\Xyl73.sys --> c:\windows\system32\Drivers\Xyl73.sys [?]

S2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice --> c:\xampp\apache\bin\apache.exe [?]

S3 ATE_PROCMON;ATE_PROCMON;\??\d:\program files\Anti Trojan Elite\ATEPMon.sys --> d:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2008-07-20 83208]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2008-07-20 15112]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2008-07-20 108680]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2008-07-20 100488]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2008-07-20 98568]

S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w550obex.sys --> c:\windows\system32\DRIVERS\w550obex.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 22:36]

2009-02-13 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.daemon-search.com/startpage

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://abv.bg/

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {8FA0F6D4-F36A-4628-BF44-AC7B3E025301} = 195.24.90.1

TCP: {A05B4148-C4CF-438F-A089-EDB9CDFC6528} = 195.24.90.1 195.24.88.1

FF - ProfilePath - c:\documents and settings\JH347JHV\Application Data\Mozilla\Firefox\Profiles\u2qlv9tj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Ask

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=

FF - component: c:\documents and settings\JH347JHV\Application Data\Mozilla\Firefox\Profiles\u2qlv9tj.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampPlayer.dll

FF - component: c:\documents and settings\JH347JHV\Application Data\Mozilla\Firefox\Profiles\u2qlv9tj.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll

FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-14 00:02:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP0000001EE67F1CC45FC1DE81 524288 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-287218729-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-746137067-287218729-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E471DEDA-1B85-1B33-A929-D1C8EE32AB6A}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"abhcfppoibinfjempopimgbnopnhiokhdi"=hex:6a,61,64,65,64,69,67,62,67,62,66,68,

66,65,61,6b,6a,61,64,66,00,66

"pandhnpmcpgdkjloijcjbhmffcellepb"=hex:6a,61,64,65,64,69,67,62,67,62,66,68,66,

65,61,6b,6a,61,64,66,00,66

[HKEY_USERS\S-1-5-21-746137067-287218729-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:dc,2c,6d,7b,60,bf,a9,6c,a5,c7,42,fd,24,85,bc,f0,f8,93,d1,e0,88,9d,ee,

6f,bd,44,c5,db,97,7b,4e,51,1f,69,d1,e9,ce,4f,aa,2f,77,af,52,bf,1c,35,3c,7d,\

"??"=hex:a5,91,c3,bd,cd,99,6e,b4,48,48,43,d2,53,37,83,2a

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)

d:\program files\AlienGUIse\fastload.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

.

**************************************************************************

.

Completion time: 2009-02-14 0:07:03 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-13 22:06:30

Pre-Run: 907,771,904 bytes free

Post-Run: 1,237,499,904 bytes free

316

Specialized cleaning tools:

1. Microsoft Malicious Software Removal Tool

2. EConfickerRemover (thanks, Fixer, for the file)

3. McAfee Avert Stinger

4. Symantec FixDownloadup

5. Kaspersky KidoKiller

It is also a good idea to install the following updates:

- MS09-001

- MS08-068

- MS08-067

It wouldn't hurt to also follow the colleagues' advice => Nologo and Fixer, and to post the logs from MBAM and ComboFix.

Here is the log from EConfickerRemover as well:

Win32/Conficker worm Removal Tool build: Jan 21 2009 © 2009 ESET, spol. s r.o.

Usage: EConfickerRemover.exe <options>

Options: -autoclean - clean automatically without confirmation

-reboot - reboot machine after successful cleaning

Win32/Conficker worm has not been found active in the memory.

Do you want to perform scanning and cleaning anyway? (y/n)

Now:

1. Download: RootRepeal

2. Extract the program into its own folder: C:\RootRepeal

3. Start the program, go to Report and choose Scan

4. Tick all the rows, and of the drives tick only C:\

5. After the scan finishes, click Save Report and save it to a location of your choice.

6. Copy the log file and paste it in your next post here.

P.S.: I'm taking a short break; I'm handing your case over to B-Boy[styLe] or mihnev_sz.

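A triage helper for the RootRepeal report requested in the steps above, as an added example that is not part of the thread or of the RootRepeal tool: it parses the Drivers section of the report and lists the entries whose image file is hidden from the file system, whose status is not the default dash, or which are driver objects with no backing image. The sample report is constructed to mirror the format posted in the thread, and the allow-list of drivers that are normally hidden (the scanner's own driver and the dump_* crash-dump copies) is an assumption made for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the RootRepeal "Drivers" report format: a handful of
# entries shaped like the thread's log, plus one constructed non-default status.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/02/14 00:49
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF73C7000 Size: 187776 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF39CD000 Size: 98304 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA5A8000 Size: 45056 File Visible: No
Status: -

Name: spjo.sys
Image Path: spjo.sys
Address: 0xF740D000 Size: 1048576 File Visible: No
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF4B58000 Size: 359040 File Visible: -
Status: example-non-default-status
"""

# One report entry: four consecutive lines in a fixed order.
ENTRY_RE = re.compile(
    r"^Name: (?P<name>.+)\n"
    r"^Image Path: (?P<path>.+)\n"
    r"^Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+File Visible: (?P<visible>\S+)\n"
    r"^Status: (?P<status>.*)$",
    re.M,
)


def section(report: str, title: str) -> str:
    """Body of the section whose title line is followed by a dashed underline,
    up to the next such header or the end of the report."""
    pat = re.compile(
        r"^" + re.escape(title) + r"\n-{3,}\n(.*?)(?=^\S[^\n]*\n-{3,}\n|\Z)",
        re.S | re.M,
    )
    m = pat.search(report.replace("\r\n", "\n"))
    return m.group(1) if m else ""


def parse_drivers(report: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in ENTRY_RE.finditer(section(report, "Drivers"))]


def is_expected_hidden(entry: Dict[str, str]) -> bool:
    """Assumption for this example: hidden images that are normal on Windows XP."""
    name = entry["name"].lower()
    if name == "rootrepeal.sys":   # the scanner's own driver
        return True
    if name.startswith("dump_"):   # crash-dump copies of the boot storage stack
        return True
    return False


def triage(report: str) -> List[Dict[str, str]]:
    """Entries worth a second look, each with a 'reason' field explaining why."""
    findings = []
    for entry in parse_drivers(report):
        reasons = []
        if entry["visible"].lower() == "no" and not is_expected_hidden(entry):
            reasons.append("image file not visible to the file system API")
        if entry["status"].strip() != "-":
            reasons.append("status: " + entry["status"].strip())
        if entry["path"].startswith("\\Driver\\") and entry["size"] == "0":
            reasons.append("driver object without a backing image")
        if reasons:
            findings.append(dict(entry, reason="; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['name']:<16} {f['path']:<48} {f['reason']}")
```

A flagged entry is a lead, not a verdict: the helper only separates the handful of drivers a human should look up from the hundred-odd stock ones.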


Here is the log:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/14 00:49

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF73C7000 Size: 187776 File Visible: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2269184 File Visible: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xF3B05000 Size: 138496 File Visible: -

Status: -

Name: agj1shc9.SYS

Image Path: C:\WINDOWS\System32\Drivers\agj1shc9.SYS

Address: 0xF5EE8000 Size: 221184 File Visible: -

Status: -

Name: agp440.sys

Image Path: agp440.sys

Address: 0xF758E000 Size: 42368 File Visible: -

Status: -

Name: ALCXWDM.SYS

Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS

Address: 0xF5F42000 Size: 4108992 File Visible: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF7359000 Size: 98304 File Visible: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0x00000000 Size: 0 File Visible: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xF7BB9000 Size: 3072 File Visible: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF7A64000 Size: 4224 File Visible: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF793E000 Size: 12288 File Visible: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF778E000 Size: 63744 File Visible: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF768E000 Size: 49536 File Visible: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF756E000 Size: 53248 File Visible: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF755E000 Size: 36352 File Visible: -

Status: -

Name: dmio.sys

Image Path: dmio.sys

Address: 0xF7371000 Size: 153344 File Visible: -

Status: -

Name: dmload.sys

Image Path: dmload.sys

Address: 0xF7A34000 Size: 5888 File Visible: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF76AE000 Size: 61440 File Visible: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF39CD000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A6A000 Size: 8192 File Visible: No

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF5EAD000 Size: 12288 File Visible: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF000000 Size: 73728 File Visible: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7BCF000 Size: 4096 File Visible: -

Status: -

Name: e100b325.sys

Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys

Address: 0xF6365000 Size: 117760 File Visible: -

Status: -

Name: eamon.sys

Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys

Address: 0xBA1FA000 Size: 315392 File Visible: -

Status: -

Name: easdrv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\easdrv.sys

Address: 0xF776E000 Size: 45056 File Visible: -

Status: -

Name: epfwtdir.sys

Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys

Address: 0xF772E000 Size: 49152 File Visible: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF774E000 Size: 34944 File Visible: -

Status: -

Name: fltMgr.sys

Image Path: fltMgr.sys

Address: 0xF733A000 Size: 124800 File Visible: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF7A62000 Size: 7936 File Visible: -

Status: -

Name: fsvga.sys

Image Path: C:\WINDOWS\system32\DRIVERS\fsvga.sys

Address: 0xF7A16000 Size: 12160 File Visible: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7397000 Size: 125056 File Visible: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x80701000 Size: 134400 File Visible: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xB9C3F000 Size: 263040 File Visible: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Address: 0xF766E000 Size: 52736 File Visible: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF767E000 Size: 41856 File Visible: -

Status: -

Name: intelide.sys

Image Path: intelide.sys

Address: 0xF7A32000 Size: 5504 File Visible: -

Status: -

Name: intelppm.sys

Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Address: 0xF764E000 Size: 36096 File Visible: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xF3A49000 Size: 134912 File Visible: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xF4BB0000 Size: 74752 File Visible: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF752E000 Size: 35840 File Visible: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF7876000 Size: 24576 File Visible: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7A2E000 Size: 8192 File Visible: -

Status: -

Name: kmixer.sys

Image Path: C:\WINDOWS\system32\drivers\kmixer.sys

Address: 0xB8D6E000 Size: 171776 File Visible: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xF632E000 Size: 143360 File Visible: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF7311000 Size: 92032 File Visible: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF7A66000 Size: 4224 File Visible: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF786E000 Size: 23040 File Visible: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF753E000 Size: 42240 File Visible: -

Status: -

Name: mrxdav.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Address: 0xBA26F000 Size: 181248 File Visible: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xF3A6A000 Size: 453632 File Visible: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF7916000 Size: 19072 File Visible: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF76EE000 Size: 35072 File Visible: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF7210000 Size: 15488 File Visible: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF723C000 Size: 107904 File Visible: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF7257000 Size: 182912 File Visible: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF7A1A000 Size: 9600 File Visible: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xBA7B8000 Size: 12928 File Visible: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xF5ED1000 Size: 91776 File Visible: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF770E000 Size: 38016 File Visible: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF773E000 Size: 34560 File Visible: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xF3B27000 Size: 162816 File Visible: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF791E000 Size: 30848 File Visible: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7284000 Size: 574592 File Visible: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2269184 File Visible: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7C39000 Size: 2944 File Visible: -

Status: -

Name: nv4_disp.dll

Image Path: C:\WINDOWS\System32\nv4_disp.dll

Address: 0xBF012000 Size: 6111232 File Visible: -

Status: -

Name: nv4_mini.sys

Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

Address: 0xF63B9000 Size: 6557408 File Visible: -

Status: -

Name: parport.sys

Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys

Address: 0xF6351000 Size: 80128 File Visible: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF77B6000 Size: 18688 File Visible: -

Status: -

Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xF7ABA000 Size: 6784 File Visible: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF73B6000 Size: 68224 File Visible: -

Status: -

Name: PCI_PNP5834

Image Path: \Driver\PCI_PNP5834

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7AF6000 Size: 3328 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF77AE000 Size: 28672 File Visible: -

Status: -

Name: pfc.sys

Image Path: C:\WINDOWS\system32\drivers\pfc.sys

Address: 0xF79FE000 Size: 10368 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2269184 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF5F1E000 Size: 147456 File Visible: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xF5E98000 Size: 69120 File Visible: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF78DE000 Size: 17792 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF757E000 Size: 35712 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xF79EE000 Size: 8832 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF76BE000 Size: 51328 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF76CE000 Size: 41472 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF76DE000 Size: 48384 File Visible: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF78E6000 Size: 16512 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2269184 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xF3AD9000 Size: 176512 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF7A68000 Size: 4224 File Visible: -

Status: -

Name: rdpdr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xF5E67000 Size: 196864 File Visible: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF769E000 Size: 57472 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xBA5A8000 Size: 45056 File Visible: No

Status: -

Name: SCSIPORT.SYS

Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS

Address: 0xF73F5000 Size: 98304 File Visible: -

Status: -

Name: secdrv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys

Address: 0xB9FC8000 Size: 163584 File Visible: -

Status: -

Name: serenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xF79FA000 Size: 15488 File Visible: -

Status: -

Name: serial.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xF765E000 Size: 64896 File Visible: -

Status: -

Name: spjo.sys

Image Path: spjo.sys

Address: 0xF740D000 Size: 1048576 File Visible: No

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: sr.sys

Image Path: sr.sys

Address: 0xF7328000 Size: 73472 File Visible: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xBA180000 Size: 333184 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF7A5E000 Size: 4352 File Visible: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xBA608000 Size: 60800 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xF4B58000 Size: 359040 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF78D6000 Size: 20480 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF76FE000 Size: 40704 File Visible: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xF5E33000 Size: 209408 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF7A60000 Size: 8192 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF771E000 Size: 57600 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF6382000 Size: 143360 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF7866000 Size: 20480 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF790E000 Size: 20992 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xF63A5000 Size: 81920 File Visible: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF754E000 Size: 52352 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xF775E000 Size: 34560 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF7936000 Size: 20480 File Visible: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xBA4A3000 Size: 82944 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1839104 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1839104 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS

Address: 0xF7A30000 Size: 8192 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2269184 File Visible: -

Status: -

I did what B-boy[style] recommended, then scanned with Avira and afterwards with ComboFix, and this is what came out; I hope I did everything right.

log.txt

Edited by menko

Here is the ComboFix log:

ComboFix 09-02-12.03 - VASIL 2009-02-14 9:26:33.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1251.1.1033.18.1918.1084 [GMT 2:00]

Running from: c:\users\VASIL\Desktop\combofix.exe

Command switches used :: /killall

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

.

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))

.

2009-02-13 20:42 . 2009-02-13 20:43 <DIR> d-------- C:\HiJackThis

2009-02-13 19:15 . 2009-02-13 19:16 <DIR> d--h----- C:\$AVG8.VAULT$

2009-02-13 17:32 . 2009-02-14 02:50 <DIR> d-------- c:\windows\System32\drivers\Avg

2009-02-13 17:32 . 2009-02-13 17:32 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys

2009-02-13 17:32 . 2009-02-13 17:32 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys

2009-02-13 17:32 . 2009-02-13 17:32 12,552 --a------ c:\windows\System32\drivers\avgrkx86.sys

2009-02-13 17:32 . 2009-02-13 17:32 10,520 --a------ c:\windows\System32\avgrsstx.dll

2009-02-13 17:31 . 2009-02-13 17:31 <DIR> d-------- c:\users\All Users\avg8

2009-02-13 17:31 . 2009-02-13 17:31 <DIR> d-------- c:\programdata\avg8

2009-02-13 17:31 . 2009-02-13 17:31 23,832 --a------ c:\windows\System32\drivers\avgfwd6x.sys

2009-02-13 17:27 . 2008-06-20 03:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll

2009-02-13 17:27 . 2008-06-20 03:14 622,080 --a------ c:\windows\System32\icardagt.exe

2009-02-13 17:27 . 2008-06-20 03:14 326,160 --a------ c:\windows\System32\PresentationHost.exe

2009-02-13 17:27 . 2008-06-20 03:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll

2009-02-13 17:27 . 2008-06-20 03:14 97,800 --a------ c:\windows\System32\infocardapi.dll

2009-02-13 17:27 . 2008-06-20 03:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll

2009-02-13 17:27 . 2008-06-20 03:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl

2009-02-13 17:27 . 2008-06-20 03:14 11,264 --a------ c:\windows\System32\icardres.dll

2009-02-13 17:22 . 2008-07-27 20:03 282,112 --a------ c:\windows\System32\mscoree.dll

2009-02-13 17:22 . 2008-07-27 20:03 158,720 --a------ c:\windows\System32\mscorier.dll

2009-02-13 17:22 . 2008-07-27 20:03 96,760 --a------ c:\windows\System32\dfshim.dll

2009-02-13 17:22 . 2008-07-27 20:03 83,968 --a------ c:\windows\System32\mscories.dll

2009-02-13 17:22 . 2008-07-27 20:03 41,984 --a------ c:\windows\System32\netfxperf.dll

2009-02-13 17:21 . 2008-12-05 06:32 428,544 --a------ c:\windows\System32\EncDec.dll

2009-02-13 17:21 . 2008-12-05 06:32 293,376 --a------ c:\windows\System32\psisdecd.dll

2009-02-13 17:21 . 2008-12-05 06:31 217,088 --a------ c:\windows\System32\psisrndr.ax

2009-02-13 17:21 . 2008-12-05 06:31 177,664 --a------ c:\windows\System32\mpg2splt.ax

2009-02-13 17:21 . 2008-12-05 06:31 80,896 --a------ c:\windows\System32\MSNP.ax

2009-02-13 15:51 . 2009-02-13 15:51 <DIR> d-------- c:\users\VASIL\AppData\Roaming\Malwarebytes

2009-02-13 15:51 . 2009-02-13 15:51 <DIR> d-------- c:\users\All Users\Malwarebytes

2009-02-13 15:51 . 2009-02-13 15:51 <DIR> d-------- c:\programdata\Malwarebytes

2009-02-13 15:51 . 2009-02-13 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-13 15:51 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys

2009-02-13 15:51 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys

2009-02-13 14:36 . 2009-02-13 14:36 <DIR> d-------- c:\program files\Java

2009-02-13 14:36 . 2009-02-13 14:36 410,984 --a------ c:\windows\System32\deploytk.dll

2009-02-13 14:22 . 2009-02-13 14:22 0 --ah----- c:\users\Default.LOG2

2009-02-13 14:22 . 2009-02-13 14:22 0 --ah----- c:\users\Default.LOG1

2009-02-13 14:22 . 2009-02-13 14:22 0 --ah----- C:\ProgramData.LOG2

2009-02-13 14:22 . 2009-02-13 14:22 0 --ah----- C:\ProgramData.LOG1

2009-02-13 14:09 . 2009-02-13 14:09 170 --a------ C:\install.dat

2009-02-13 12:44 . 2009-02-13 12:44 <DIR> d-------- c:\program files\Alwil Software

2009-02-12 00:02 . 2009-01-15 05:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb

2009-02-12 00:02 . 2009-01-15 08:11 827,392 --a------ c:\windows\System32\wininet.dll

2009-02-11 21:00 . 2009-02-11 21:00 <DIR> d-------- c:\users\Desktop

2009-02-10 14:10 . 2009-02-10 14:10 <DIR> d-------- c:\program files\Skype

2009-02-10 14:10 . 2009-02-10 14:10 <DIR> d-------- c:\program files\Common Files\Skype

2009-02-09 19:41 . 2009-02-09 19:41 <DIR> d-------- c:\windows\Google Earth Pro 4.2

2009-02-09 19:41 . 2009-02-09 19:43 <DIR> d-------- c:\program files\Google Earth Pro 4.2

2009-02-09 16:55 . 2009-02-09 16:55 <DIR> d-------- c:\users\Public\Dictionary

2009-02-08 10:01 . 2009-02-08 21:55 <DIR> d-------- c:\users\VASIL\New Folder

2009-02-02 12:11 . 2009-02-02 12:14 <DIR> d-------- c:\users\VASIL\AppData\Roaming\cr3

2009-01-30 13:22 . 2009-01-30 13:22 <DIR> d-------- c:\users\All Users\Blizzard

2009-01-30 13:22 . 2009-01-30 13:22 <DIR> d-------- c:\programdata\Blizzard

2009-01-30 13:13 . 2009-01-30 13:13 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment

2009-01-27 16:24 . 2006-07-03 10:31 94,208 --a------ c:\windows\amcap.exe

2009-01-27 16:24 . 2005-11-23 13:55 53,248 --a------ c:\windows\System32\csnp325.dll

2009-01-27 16:24 . 2007-07-11 16:09 20,480 --a------ c:\windows\FixCamera.exe

2009-01-25 11:14 . 2009-01-25 11:14 <DIR> d-------- c:\program files\First Strike Gamepad

2009-01-25 11:14 . 2002-12-26 15:57 86,016 --a------ c:\windows\System32\FCVAP.dll

2009-01-25 11:14 . 2002-12-26 15:57 65,536 --a------ c:\windows\System32\EZFRD.dll

2009-01-20 15:12 . 2009-01-20 15:12 <DIR> d-------- c:\program files\AVG

2009-01-14 18:44 . 2009-02-14 03:51 98,397 --a------ c:\users\All Users\nvModes.dat

2009-01-14 18:44 . 2009-02-14 03:51 98,397 --a------ c:\programdata\nvModes.dat

2009-01-14 08:15 . 2008-12-16 04:42 288,768 --a------ c:\windows\System32\drivers\srv.sys

2009-01-14 02:57 . 2007-09-04 18:56 164,352 --a------ c:\windows\System32\unrar.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-13 22:00 --------- d-----w c:\users\VASIL\AppData\Roaming\skypePM

2009-02-13 22:00 --------- d-----w c:\users\VASIL\AppData\Roaming\Skype

2009-02-13 15:09 --------- d-----w c:\programdata\Kaspersky Lab

2009-02-13 13:22 --------- d-----w c:\users\VASIL\AppData\Roaming\uTorrent

2009-02-13 06:20 --------- d-----w c:\program files\Google

2009-02-12 01:00 --------- d-----w c:\program files\Windows Mail

2009-02-11 18:59 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-11 18:59 --------- d-----w c:\program files\CyberLink

2009-02-10 12:10 --------- d-----w c:\programdata\Skype

2009-02-04 16:19 --------- d-----w c:\users\VASIL\AppData\Roaming\CyberLink

2009-01-17 08:54 --------- d-----w c:\programdata\NVIDIA

2009-01-14 08:40 82,133 ----a-w c:\users\VASIL\AppData\Roaming\nvModes.dat

2009-01-14 00:57 --------- d-----w c:\program files\K-Lite Codec Pack

2009-01-14 00:49 --------- d-----w c:\program files\AviSynth 2.5

2009-01-14 00:47 --------- d-----w c:\program files\Gabest

2009-01-13 12:13 --------- d-----w c:\program files\Xvid

2009-01-11 19:29 --------- d-----w c:\programdata\ESET

2009-01-08 21:22 --------- d-----w c:\programdata\WindowsSearch

2008-12-27 21:15 --------- d-----w c:\program files\AVIConverter

2008-12-27 08:50 --------- d-----w c:\users\VASIL\AppData\Roaming\Teleca

2008-12-27 08:45 --------- d-----w c:\users\VASIL\AppData\Roaming\Sony Ericsson

2008-12-27 08:45 --------- d-----w c:\programdata\Teleca

2008-12-27 08:45 --------- d-----w c:\programdata\Sony Ericsson

2008-12-27 08:45 --------- d-----w c:\program files\Sony Ericsson

2008-12-27 08:45 --------- d-----w c:\program files\Common Files\Teleca Shared

2008-12-27 08:45 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared

2008-12-26 07:27 --------- d-----w c:\users\VASIL\AppData\Roaming\DAEMON Tools

2008-12-22 22:44 --------- d-----w c:\users\VASIL\AppData\Roaming\Thinstall

2008-12-21 12:08 --------- d-----w c:\programdata\Oberon Games

2008-12-19 17:21 --------- d-----w c:\users\VASIL\AppData\Roaming\vlc

2008-12-19 17:20 --------- d-----w c:\program files\VideoLAN

2008-12-18 15:42 --------- d-----w c:\program files\Common Files\InstallShield

2008-12-15 13:56 --------- d-----w c:\programdata\CyberLink

2008-12-01 22:28 174 --sha-w c:\program files\desktop.ini

2008-11-29 15:16 56 ---ha-w c:\users\All Users\ezsidmv.dat

2008-11-29 15:16 56 ---ha-w c:\programdata\ezsidmv.dat

2008-11-29 10:40 2,560 ----a-w c:\windows\AppPatch\AcRes.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-14 482760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-13 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3fhg"= mp3fhg.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.i263"= i263_32.drv

"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{C58A6455-4DA2-4FB0-A6EB-E66D1BAD9501}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype

"UDP Query User{353D721D-D109-4186-A7AB-1225DC3A3EC0}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype

"TCP Query User{970C7416-913F-42FA-B33D-F5508DE07F35}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype

"TCP Query User{CAC76BA2-27BF-4A1D-A6AC-3EA13173A433}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent

"UDP Query User{DE2AAB45-9A49-4189-98BC-844EFB3ACBF6}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent

"TCP Query User{5BCCA899-3083-4E9C-9AC5-AAFAF0D373BB}d:\\games\\cs\\hl.exe"= UDP:d:\games\cs\hl.exe:Half-Life Launcher

"UDP Query User{C64F2FD6-0107-4CF1-8120-F6364DE86770}d:\\games\\cs\\hl.exe"= TCP:d:\games\cs\hl.exe:Half-Life Launcher

"TCP Query User{A14BC2C5-C0E4-4DC2-A8C5-26A059387E26}d:\\games\\csinstalated\\hl.exe"= UDP:d:\games\csinstalated\hl.exe:Half-Life Launcher

"UDP Query User{D9638914-B46C-439B-9CB0-539F626AE72A}d:\\games\\csinstalated\\hl.exe"= TCP:d:\games\csinstalated\hl.exe:Half-Life Launcher

"TCP Query User{5C7D11F3-3851-425E-9FA0-65A4D361D191}d:\\games\\csinstalated\\hl.exe"= UDP:d:\games\csinstalated\hl.exe:Half-Life Launcher

"UDP Query User{979A2EFA-3E77-4D85-A95E-0F93BBC71C3A}d:\\games\\csinstalated\\hl.exe"= TCP:d:\games\csinstalated\hl.exe:Half-Life Launcher

"{9893AF56-31B2-43DD-B423-C4A52A17F44F}"= UDP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox

"{52707CAE-8386-450E-AFAC-3D7F27E65E8D}"= TCP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox

"TCP Query User{CC76C0B8-4EB6-4251-A2C8-890D4E46EAFF}d:\\games\\quake iii arena\\quake3.exe"= UDP:d:\games\quake iii arena\quake3.exe:quake3

"UDP Query User{5B4107CF-4C7C-4712-906C-F32667A220A5}d:\\games\\quake iii arena\\quake3.exe"= TCP:d:\games\quake iii arena\quake3.exe:quake3

"TCP Query User{83D2192A-E9B0-4831-A9E0-CBC136F02406}c:\\users\\vasil\\appdata\\local\\temp\\blizzard launcher temporary - 9080dbe0\\launcher.exe"= UDP:c:\users\vasil\appdata\local\temp\blizzard launcher temporary - 9080dbe0\launcher.exe:launcher.exe

"UDP Query User{7046112C-BEBA-4BF4-9E46-2A3AAE6C5887}c:\\users\\vasil\\appdata\\local\\temp\\blizzard launcher temporary - 9080dbe0\\launcher.exe"= TCP:c:\users\vasil\appdata\local\temp\blizzard launcher temporary - 9080dbe0\launcher.exe:launcher.exe

"TCP Query User{BD735BB4-942F-43F6-B2D5-32B2AEF90BFC}c:\\users\\vasil\\appdata\\local\\temp\\blizzard launcher temporary - ffbd6718\\launcher.exe"= UDP:c:\users\vasil\appdata\local\temp\blizzard launcher temporary - ffbd6718\launcher.exe:launcher.exe

"UDP Query User{BCB150A5-8E30-4B7B-BAE0-4F5DDD571305}c:\\users\\vasil\\appdata\\local\\temp\\blizzard launcher temporary - ffbd6718\\launcher.exe"= TCP:c:\users\vasil\appdata\local\temp\blizzard launcher temporary - ffbd6718\launcher.exe:launcher.exe

"{7C862E97-084B-4A55-9471-BC42296C064F}"= c:\program files\AVG\AVG8\avgam.exe:avgam.exe

"{F20A544F-72E5-4602-83ED-4EC2B3CBA67C}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe

"{C944EA12-FD7E-427D-8EF6-3EEDD96BBA5E}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

"{FD59EEFA-97CD-48DF-8C3B-680C1E253D6F}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [2009-02-13 12552]

R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [2009-02-13 23832]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-13 325128]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-13 107272]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-13 903960]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-13 298264]

R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-02-13 1339600]

R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\System32\drivers\OA004Ufd.sys [2008-06-03 144672]

R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\System32\drivers\OA004Vid.sys [2008-07-17 269760]

S2 gupdate1c98afb3a1af780;Google Update Service (gupdate1c98afb3a1af780);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 133104]

S3 ADM8511;REPOTEC USB100 To Fast Ethernet Adapter;c:\windows\System32\drivers\ADM8511.SYS [2008-11-29 24427]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2009-02-13 38496]

S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\System32\drivers\s125bus.sys [2008-12-27 83336]

S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\System32\drivers\s125mdfl.sys [2008-12-27 15112]

S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\System32\drivers\s125mdm.sys [2008-12-27 108680]

S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s125mgmt.sys [2008-12-27 100488]

S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\System32\drivers\s125obex.sys [2008-12-27 98696]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0374278d-c1f9-11dd-9bb9-001b24ec7aa8}]

\shell\AutoRun\command - qquq.bat

\shell\explore\Command - qquq.bat

\shell\open\Command - qquq.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03742790-c1f9-11dd-9bb9-001b24ec7aa8}]

\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5942c3c3-c154-11dd-8853-001b24ec7aa8}]

\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fda1069-c793-11dd-be3c-001b24ec7aa8}]

\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fda107e-c793-11dd-be3c-001b24ec7aa8}]

\shell\AutoRun\command - H:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-09 23:11]

2009-02-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 23:13]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Internet Security Service - c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {28876572-FB22-44D8-89EE-D4A3640F1EA0} = 192.168.2.1

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

FF - ProfilePath - c:\users\VASIL\AppData\Roaming\Mozilla\Firefox\Profiles\1mnxw8rf.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-14 09:31:20

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\nvvsvc.exe

c:\windows\System32\audiodg.exe

c:\windows\System32\rundll32.exe

c:\windows\System32\wlanext.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\System32\drivers\XAudio.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\System32\conime.exe

c:\windows\System32\rundll32.exe

c:\program files\AVG\AVG8\avgtray.exe

c:\program files\Common Files\Nero\Lib\NMIndexingService.exe

c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

c:\windows\System32\wbem\WMIADAP.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2009-02-14 9:36:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-14 07:35:55

Pre-Run: 4 281 237 504 bytes free

Post-Run: 4,499,898,368 bytes free

277 --- E O F --- 2009-02-13 15:31:19


Open Notepad and copy/paste the following into it:

Killall::


File::

c:\documents and settings\LogMeInRemoteUser\is-MRR7S.tmp

c:\program files\BGPhon.exe

C:\Windows\System32\mmc.exe


Folder::

c:\program files\AVG

C:\$AVG8.VAULT$

c:\documents and settings\All Users\Application Data\avg8

c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

c:\Program Files\DrWeb

Save the file as CFScript.txt and drag it onto ComboFix.

cfscriptyr1.gif

When the program finishes it will show you the log file. Copy/paste its contents here.

As always, there is something left to clean up after AVG...

1. Open Notepad and copy/paste the following into it:

Killall::


File::

C:\qquq.bat

H:\qquq.bat

F:\qquq.bat

H:\LaunchU3.exe

F:\Setup.exe


Folder::

c:\program files\Alwil Software

c:\programdata\Kaspersky Lab

c:\programdata\ESET


Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0374278d-c1f9-11dd-9bb9-001b24ec7aa8}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03742790-c1f9-11dd-9bb9-001b24ec7aa8}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5942c3c3-c154-11dd-8853-001b24ec7aa8}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fda1069-c793-11dd-be3c-001b24ec7aa8}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fda107e-c793-11dd-be3c-001b24ec7aa8}]

2. Save the file as CFScript.txt and drag it onto ComboFix.

cfscriptyr1.gif

3. When the program finishes it will show you the log file. Copy/paste its contents here.
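The MountPoints2 cleanup in the reply above, as an added example that is not part of the original thread: a Python script that parses the MountPoints2 block ComboFix prints under "Reg Loading Points" (the sample below is constructed from the lines posted earlier in the thread), flags entries whose open/explore verbs were hijacked or whose target is a relative script such as qquq.bat, and emits the File::/Registry:: sections of a CFScript the way the helper wrote them by hand. The function names, the script-extension list and the rule that expands a relative target to the system drive plus every drive letter seen in the section are my assumptions, not ComboFix's.

```python
"""Triage of the MountPoints2 autorun cache as listed by ComboFix under
"Reg Loading Points", producing the File::/Registry:: lines of a CFScript.
Added example for this thread; parsing rules and helper names are assumptions."""
import re
from collections import OrderedDict

# Constructed sample: the MountPoints2 lines from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0374278d-c1f9-11dd-9bb9-001b24ec7aa8}]
\shell\AutoRun\command - qquq.bat
\shell\explore\Command - qquq.bat
\shell\open\Command - qquq.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5942c3c3-c154-11dd-8853-001b24ec7aa8}]
\shell\AutoRun\command - F:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fda1069-c793-11dd-be3c-001b24ec7aa8}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
"""

MP2_PREFIX = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"
KEY_RE = re.compile(r"^\[(" + re.escape(MP2_PREFIX) + r"\\[^\]]+)\]$", re.I)
CMD_RE = re.compile(r"^\\shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
# Extensions that signal a script payload rather than a vendor launcher (assumed list).
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".pif", ".scr")


def parse_mountpoints2(log_text):
    """Return {registry key: {verb: command line}} for every MountPoints2 key in the log."""
    entries = OrderedDict()
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, OrderedDict())
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2).strip()
    return entries


def command_target(command):
    """First token of the command line, i.e. the file Explorer would execute."""
    return command.split()[0]


def is_drive_rooted(path):
    return re.match(r"^[A-Za-z]:\\", path) is not None


def classify(verbs):
    """Reasons an entry looks like a removable-media worm rather than a vendor
    launcher. A hijacked open/explore verb runs the payload when the drive is
    double-clicked in Explorer, even with AutoPlay turned off."""
    reasons = []
    for verb, cmd in verbs.items():
        target = command_target(cmd)
        if verb in ("open", "explore"):
            reasons.append(f"{verb} verb hijacked -> {target}")
        if not is_drive_rooted(target):
            reasons.append(f"relative target {target} (resolves on whatever drive is current)")
        if target.lower().endswith(SCRIPT_EXT):
            reasons.append(f"script payload {target}")
    return sorted(set(reasons))


def triage(entries):
    """(key, reasons) for every entry that has at least one reason."""
    return [(key, classify(verbs)) for key, verbs in entries.items() if classify(verbs)]


def build_cfscript(entries, system_drive="C:"):
    """CFScript File::/Registry:: sections for every cached autorun entry.
    Relative targets are expanded to the system drive and every drive letter
    that appears in the section, which is what the helper did by hand."""
    drives = {system_drive.upper()}
    for verbs in entries.values():
        for cmd in verbs.values():
            t = command_target(cmd)
            if is_drive_rooted(t):
                drives.add(t[:2].upper())
    targets = []
    for verbs in entries.values():
        for cmd in verbs.values():
            t = command_target(cmd)
            if is_drive_rooted(t):
                targets.append(t)
            else:
                targets.extend(f"{d}\\{t}" for d in sorted(drives))
    files = list(OrderedDict.fromkeys(targets))  # de-duplicate, keep order
    lines = ["Killall::", "", "File::"] + files + ["", "Registry::"]
    lines += [f"[{k}]" for k in entries]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_mountpoints2(SAMPLE_LOG)
    for key, reasons in triage(parsed):
        print(key)
        for r in reasons:
            print("   ", r)
    print()
    print(build_cfscript(parsed))
```

The script only drafts the CFScript; the reviewer still decides what goes in, and the registry keys it lists are the cached MountPoints2 entries, which is why removing all of them (vendor launchers included) is harmless and matches the reply above.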

1. Download: RootRepeal

2. Extract the program into its own folder: C:\RootRepeal

3. Start the program, go to Report and choose Scan

4. Tick all the rows, and under drives only C:\

5. When the scan finishes, click Save Report and save it somewhere of your choice.

6. Copy the log file and paste it in your next post here.
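What to look at once the RootRepeal report is posted, as an added example that is not part of the original thread: a Python script that parses the driver records of a RootRepeal report (the sample below is constructed from a few records of the RootRepeal output posted earlier in this thread) and lists the entries a reviewer should check first, namely drivers whose file is hidden, hidden drivers with a bare image path, and driver objects with no loaded image. The field parsing and the flagging rules are my assumptions; the hint that a hidden, randomly named sp??.sys of 1048576 bytes is the SPTD helper driver of DAEMON Tools/Alcohol is general knowledge about that software, not something the thread states, so the script reports it as a hint to verify rather than a verdict.

```python
"""Triage of the driver list in a RootRepeal report. Added example for this
thread; the field parsing and the flagging rules are assumptions of mine."""
import re

# Constructed sample: records copied from the RootRepeal output posted earlier
# in the thread (the report separates fields with blank lines; those are optional here).
SAMPLE_REPORT = r"""
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF76CE000 Size: 41472 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA5A8000 Size: 45056 File Visible: No
Status: -

Name: spjo.sys
Image Path: spjo.sys
Address: 0xF740D000 Size: 1048576 File Visible: No
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7328000 Size: 73472 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1839104 File Visible: -
Status: -
"""

ADDR_RE = re.compile(
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+File Visible:\s*(?P<vis>\S+)"
)
# SPTD (the disc-emulation layer used by DAEMON Tools / Alcohol) loads a randomly
# named sp??.sys helper of 1 MiB that rootkit scanners report as hidden.
# Known behaviour of that software, used here only as a hint to verify.
SPTD_NAME_RE = re.compile(r"^sp[a-z]{2}\.sys$", re.I)
SPTD_SIZE = 1048576


def parse_drivers(report):
    """Return one dict per 'Name:' record with path, address, size, visible, status."""
    drivers, cur = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, _, value = line.partition(":")   # split on the first colon only
        field = field.strip().lower()
        if field == "name":
            cur = {"name": value.strip()}
            drivers.append(cur)
        elif cur is None:
            continue
        elif field == "image path":
            cur["path"] = value.strip()
        elif field == "address":
            m = ADDR_RE.match(line)
            if m:
                cur["address"] = int(m["addr"], 16)
                cur["size"] = int(m["size"])
                cur["visible"] = m["vis"]
        elif field == "status":
            cur["status"] = value.strip()
    return drivers


def triage(drivers, scanner_driver="rootrepeal.sys"):
    """Return (name, reasons, note) for every driver worth a second look.
    A bare image path alone is normal for boot-start drivers (sr.sys here),
    so it is only reported in combination with a hidden file."""
    findings = []
    for d in drivers:
        hidden = d.get("visible") == "No"
        reasons = []
        if hidden:
            reasons.append("image file hidden from the file system")
        if hidden and "\\" not in d.get("path", ""):
            reasons.append("bare image path: no on-disk location to inspect")
        if hidden and d.get("size") == 0 and d.get("address") == 0:
            reasons.append("driver object without a loaded image")
        if not reasons:
            continue
        note = ""
        if d["name"].lower() == scanner_driver:
            note = "the scanner's own driver; expected"
        elif SPTD_NAME_RE.match(d["name"]) and d.get("size") == SPTD_SIZE:
            note = ("matches SPTD's randomly named helper driver; confirm "
                    "DAEMON Tools/Alcohol is installed before dismissing it")
        findings.append((d["name"], reasons, note))
    return findings


if __name__ == "__main__":
    for name, reasons, note in triage(parse_drivers(SAMPLE_REPORT)):
        print(name, "-", "; ".join(reasons), ("[" + note + "]") if note else "")
```

Anything the script lists without a note is what the helper would ask about next; an entry that is hidden and has no explanation is the one to upload for inspection, not to delete blind.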
