Kaldata.com - Forums


Help with detecting and removing viruses, trojan horses, etc., part 2


Do this now:

http://209.85.129.132/search?q=cache%3a%50...;cd=3&gl=bg

P.S.: I'm taking a short break; I'm handing your case over to B-Boy[styLe] or mihnev_sz.

Edited by Fixer

To apply these tools, you first have to take it out of NOD's quarantine; otherwise NOD can't deal with it and won't hand it over to the other tools either.

That's what I did; nothing detected again. Here's the Stinger log too:

McAfee® Stinger Version 10.0.0.482 built on Jan 9 2009

Copyright © 2008 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Jan 10 2009.

Ready to scan for 538 viruses, trojans and variants.

Scan initiated on Sat Feb 14 16:03:59 2009

Number of clean files: 103955

Well then, look at its path, go to where it has settled and delete it manually.

I don't like the ComboFix log.

Open Notepad and enter:

Killall::


Rootkit::

c:\windows\TEMP\TMP0000001EE67F1CC45FC1DE81


Driver::

Fac13

Klf28

Nuc76

Xix68

Xyl73


File::

c:\windows\system32\Drivers\Fac13.sys

c:\windows\system32\Drivers\Klf28.sys

c:\windows\system32\Drivers\Nuc76.sys

c:\windows\system32\Drivers\Xix68.sys

c:\windows\system32\Drivers\Xyl73.sys


Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fac13.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Klf28.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nuc76.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xix68.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xyl73.sys]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26261:TCP"=-

"29935:TCP"=-

"53418:TCP"=-

"20611:TCP"=-

"23180:TCP"=-

"57637:TCP"=-

"19325:TCP"=-

"12254:TCP"=-

"13551:TCP"=-

"13531:TCP"=-

"52790:TCP"=-

"29985:TCP"=-

"30293:TCP"=-

"32945:TCP"=-

"32915:TCP"=-

"53598:TCP"=-

"42997:TCP"=-

"64656:TCP"=-

"42688:TCP"=-

"13091:TCP"=-

"61626:TCP"=-

"53829:TCP"=-

"47423:TCP"=-

"9250:TCP"=-

"17810:TCP"=-

"6142:TCP"=-

"14637:TCP"=-

"63832:TCP"=-

"43790:TCP"=-

"17408:TCP"=-

"17300:TCP"=-

"12926:TCP"=-

"43593:TCP"=-

"41101:TCP"=-

"45716:TCP"=-

"50689:TCP"=-

"16581:TCP"=-

"53976:TCP"=-

"9711:TCP"=-

"44559:TCP"=-

"37016:TCP"=-

"7696:TCP"=-

"50137:TCP"=-

"52875:TCP"=-

"24644:TCP"=-

"31736:TCP"=-

"61016:TCP"=-

"19285:TCP"=-

"27388:TCP"=-

"27301:TCP"=-

"22654:TCP"=-

"38779:TCP"=-

"27806:TCP"=-

"34231:TCP"=-

"30853:TCP"=-


RegLock::

[HKEY_USERS\S-1-5-21-746137067-287218729-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]


RegNull::

[HKEY_USERS\S-1-5-21-746137067-287218729-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E471DEDA-1B85-1B33-A929-D1C8EE32AB6A}*]

Save the file as CFScript and drag it onto the ComboFix icon.

Where are the logs from the most important programs: Malwarebytes Anti-Malware, Symantec FixDownloadup, Kaspersky KidoKiller, Microsoft Malicious Software Removal Tool?

The log for the Microsoft tool is located in C:\WINDOWS\Debug\mrt.log.

Did you install the updates I pointed out?

If NOD32 isn't legal, I recommend uninstalling it and installing a free program such as Avira, avast! or AVG!
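One way to automate the cleanup the helper wrote by hand above, as an added example that is not code from the thread, from ComboFix or from its author: the script picks out service entries with random three-letter-two-digit names and the GloballyOpenPorts values from a ComboFix-style log excerpt and emits the corresponding CFScript sections. The sample log lines, the name pattern and the high-port heuristic are assumptions modelled on the entries quoted in the thread.

```python
"""Pick out the random-named drivers and the GloballyOpenPorts values from a
ComboFix-style log and emit the matching CFScript sections (added example)."""
from __future__ import annotations
import re

# Constructed sample modelled on the log lines quoted in the thread; not a real log.
SAMPLE_LOG = r"""
R0 Fac13;Fac13;c:\windows\system32\Drivers\Fac13.sys [2009-02-10 23040]
R0 Klf28;Klf28;c:\windows\system32\Drivers\Klf28.sys [2009-02-10 23040]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2008-07-20 83208]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26261:TCP"= 26261:TCP:*:Enabled:constructed
"29935:TCP"= 29935:TCP:*:Enabled:constructed
"139:TCP"= 139:TCP:LocalSubNet:Enabled:constructed
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

# "R0 name;display name;path [date size]" is how ComboFix prints drivers and services.
SERVICE_LINE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>\S.*?)(?: \[[^\]]*\])?$")
# Three letters followed by two digits: the naming scheme of the drivers the
# thread's CFScript removes (Fac13, Klf28, Nuc76, Xix68, Xyl73). Heuristic only.
RANDOM_NAME = re.compile(r"^[A-Za-z]{3}\d{2}$")
DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"
OPEN_PORTS_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List]")
PORT_VALUE = re.compile(r'^"(?P<port>\d{1,5}):(?P<proto>TCP|UDP)"=')


def find_suspicious_drivers(log: str) -> list[tuple[str, str]]:
    """Return (service name, .sys path) for entries matching the random-name scheme."""
    found = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        name, display, path = m["name"], m["display"], m["path"]
        # Name and display name identical, and the binary is <name>.sys in the
        # drivers directory: the shape of every entry the helper's script targets.
        if (RANDOM_NAME.match(name) and display == name
                and path.lower() == (DRIVER_DIR + name + ".sys").lower()):
            found.append((name, path))
    return found


def find_open_ports(log: str) -> list[tuple[int, str]]:
    """Return (port, protocol) for every value listed under the GloballyOpenPorts key."""
    ports, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):          # a new registry key header ends the section
            in_section = (line == OPEN_PORTS_KEY)
            continue
        if in_section and (m := PORT_VALUE.match(line)):
            ports.append((int(m["port"]), m["proto"]))
    return ports


def unexpected_ports(ports: list[tuple[int, str]]) -> list[tuple[int, str]]:
    """Heuristic: keep only unprivileged (>= 1024) openings. The thread's script
    removes every listed entry; this filter leaves a stock opening such as
    139/TCP for the operator to judge."""
    return [(p, proto) for p, proto in ports if p >= 1024]


def build_cfscript(drivers, ports) -> str:
    """Emit the CFScript sections used in the thread: Killall::, Driver::, File::,
    Registry::. Registry:: follows .reg syntax: [-key] deletes a key, "value"=-
    deletes a value under the key named just above it."""
    out = ["Killall::", ""]
    if drivers:
        out += ["Driver::", *(name for name, _ in drivers), ""]
        out += ["File::", *(path for _, path in drivers), ""]
    reg = [f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\{name}.sys]"
           for name, _ in drivers]
    if ports:
        reg.append(OPEN_PORTS_KEY)
        reg += [f'"{port}:{proto}"=-' for port, proto in ports]
    if reg:
        out += ["Registry::", *reg]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    drivers = find_suspicious_drivers(SAMPLE_LOG)
    ports = unexpected_ports(find_open_ports(SAMPLE_LOG))
    print(build_cfscript(drivers, ports))
```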

Here is the log:

ComboFix

ComboFix 09-02-12.03 - JH347JHV 2009-02-14 20:52:37.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.767.319 [GMT 2:00]

Running from: c:\documents and settings\JH347JHV\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\JH347JHV\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\windows\system32\Drivers\Fac13.sys

c:\windows\system32\Drivers\Klf28.sys

c:\windows\system32\Drivers\Nuc76.sys

c:\windows\system32\Drivers\Xix68.sys

c:\windows\system32\Drivers\Xyl73.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FAC13

-------\Legacy_NUC76

-------\Service_Fac13

-------\Service_Klf28

-------\Service_Nuc76

-------\Service_Xix68

-------\Service_Xyl73

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))

.

2009-02-14 00:48 . 2009-02-14 00:49 <DIR> d-------- C:\RootRepeal

2009-02-14 00:13 . 2008-10-24 13:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-01-27 23:37 . 2001-08-23 14:00 218,112 --a--c--- c:\windows\system32\dllcache\c_g18030.dll

2009-01-26 00:37 . 2009-01-26 00:37 <DIR> d--hs---- c:\documents and settings\JH347JHV\PrivacIE

2009-01-25 23:47 . 2009-01-25 23:48 <DIR> d--h-c--- c:\windows\ie8

2009-01-21 00:52 . 2009-01-21 00:52 <DIR> d-------- c:\documents and settings\postgres

2009-01-21 00:47 . 2009-01-21 00:47 <DIR> d-------- c:\program files\PostgreSQL

2009-01-20 19:49 . 2009-01-20 19:49 <DIR> d-------- c:\program files\Winamp Toolbar

2009-01-20 19:49 . 2009-01-20 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winamp Toolbar

2009-01-16 08:51 . 2009-01-16 09:03 <DIR> d-------- c:\documents and settings\JH347JHV\Application Data\Belkasoft

2009-01-16 00:17 . 2009-01-16 00:17 <DIR> d-------- c:\documents and settings\JH347JHV\Gadu-Gadu

2009-01-15 10:37 . 2009-01-15 10:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-14 18:58 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Xfire

2009-02-14 18:55 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Skype

2009-02-14 14:06 --------- d-----w c:\documents and settings\JH347JHV\Application Data\skypePM

2009-02-13 22:22 --------- d-----w c:\documents and settings\JH347JHV\Application Data\zweitgeist

2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 17:44 --------- d-----w c:\documents and settings\JH347JHV\Application Data\GanymedeNet

2009-02-08 16:56 --------- d-----w c:\documents and settings\JH347JHV\Application Data\GSC

2009-02-07 23:41 --------- d-----w c:\program files\TuneUp Utilities 2009

2009-01-20 17:52 --------- d-----w c:\program files\Winamp

2009-01-20 17:52 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Winamp

2009-01-18 13:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-14 19:11 --------- d-----w c:\program files\XAimer

2009-01-11 13:07 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-10 16:58 --------- d-----w c:\documents and settings\JH347JHV\Application Data\IObit

2009-01-02 14:12 --------- d-----w c:\program files\Acoustica Mixcraft 4

2008-12-29 21:49 --------- d-----w c:\documents and settings\JH347JHV\Application Data\BSplayer PRO

2008-12-27 14:30 --------- d-----w c:\program files\StealthBotBot

2008-12-27 01:30 70,656 ----a-w c:\windows\ScUnin.exe

2008-12-25 08:20 --------- d-----w c:\program files\DAEMON Tools Lite

2008-12-24 20:03 --------- d-----w c:\program files\DAEMON Tools Toolbar

2008-12-24 20:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\DAEMON Tools Pro

2008-12-24 20:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\DAEMON Tools Lite

2008-12-24 20:03 --------- d-----w c:\documents and settings\JH347JHV\Application Data\DAEMON Tools

2008-12-24 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2008-12-20 19:01 --------- d-----w c:\program files\Vuze

2008-12-20 19:01 --------- d-----w c:\program files\Mail.Ru

2008-12-20 18:44 737,280 ----a-w c:\windows\iun6002.exe

2008-12-17 22:58 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Azureus

2008-12-17 22:46 --------- d-----w c:\program files\AskSearch

2008-12-17 22:46 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus

2008-12-15 19:15 --------- d-----w c:\program files\Java

2008-12-14 21:38 --------- d-----w c:\documents and settings\JH347JHV\Application Data\Mra

2008-12-14 17:56 --------- d-----w c:\documents and settings\JH347JHV\Application Data\vlc

2008-11-30 13:54 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe

2007-09-08 09:39 22,328 ----a-w c:\documents and settings\JH347JHV\Application Data\PnkBstrK.sys

2008-04-27 21:00 65,536 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042120080428\index.dat

2008-04-27 21:00 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat

2008-04-28 19:55 65,536 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat

2008-04-29 20:58 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat

2008-04-30 20:55 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008043020080501\index.dat

2008-04-30 23:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050120080502\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-02-14_ 0.05.14.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys

+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2006-07-14 15:31:39 332,288 -c--a-w c:\windows\system32\dllcache\netapi32.dll

+ 2008-10-15 16:57:55 332,800 -c--a-w c:\windows\system32\dllcache\netapi32.dll

- 2004-08-04 12:00:00 336,256 -c--a-w c:\windows\system32\dllcache\srv.sys

+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys

- 2004-08-04 12:00:00 451,456 ----a-w c:\windows\system32\drivers\mrxsmb.sys

+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

- 2004-08-04 12:00:00 336,256 ----a-w c:\windows\system32\drivers\srv.sys

+ 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys

- 2009-01-09 15:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe

+ 2009-02-11 18:56:18 21,244,872 ----a-w c:\windows\system32\MRT.exe

- 2006-07-14 15:31:39 332,288 ----a-w c:\windows\system32\netapi32.dll

+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll

+ 2009-02-14 18:58:03 16,384 ----atw c:\windows\temp\Perflib_Perfdata_234.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

"Advanced SystemCare 3"="d:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

"Analogue Vista Clock"="d:\program files\Analogue Vista Clock\Analogue Vista Clock.exe" [2008-12-21 289280]

"SMS by Jeko Ianev"="d:\program files\sms\sms.exe" [2009-01-16 5295616]

"Steam"="d:\program files\steam\steam.exe" [2009-02-11 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

c:\documents and settings\JH347JHV\Start Menu\Programs\Startup\

Xfire.lnk - d:\program files\Xfire\Xfire.exe [2009-01-15 2993488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\program files\Datecs\FlexType 2K\FType2K.exe [2007-08-15 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

2001-12-20 21:34 24576 d:\program files\AlienGuise\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"nwiz"=nwiz.exe /install

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Fast Chat\\FastChat.exe"=

"d:\\Program Files\\Bitlord\\BitLord.exe"=

"d:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\Program Files\\DAUM\\PotPlayer\\PotPlayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\Operscript\\OperScRipT6.0b\\mirc.exe"=

"d:\\Program Files\\DAUM\\PotPlayer\\daumvsvr.exe"=

"d:\\Program Files\\FileZilla\\filezilla.exe"=

"d:\\Program Files\\WinScp\\WinSCP.exe"=

"c:\\Program Files\\Datecs\\FlexType 2K\\Live\\Live.exe"=

"d:\\Program Files\\DAUM\\PotPlayer\\PotPlayerMini.exe"=

"d:\\Program Files\\Opera\\Opera.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"d:\\Program Files\\Xfire\\Xfire.exe"=

"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"d:\\Games\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Games\\Battlefield 1942\\BF1942.exe"=

"d:\\Games\\Cs1.6\\hl.exe"=

"d:\\Program Files\\Steam\\steamapps\\mitropa\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]

R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-04 603904]

S2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice --> c:\xampp\apache\bin\apache.exe [?]

S3 ATE_PROCMON;ATE_PROCMON;\??\d:\program files\Anti Trojan Elite\ATEPMon.sys --> d:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2008-07-20 83208]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2008-07-20 15112]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2008-07-20 108680]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2008-07-20 100488]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2008-07-20 98568]

S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w550obex.sys --> c:\windows\system32\DRIVERS\w550obex.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 22:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.daemon-search.com/startpage

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://abv.bg/

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {8FA0F6D4-F36A-4628-BF44-AC7B3E025301} = 195.24.90.1

TCP: {A05B4148-C4CF-438F-A089-EDB9CDFC6528} = 195.24.90.1 195.24.88.1

FF - ProfilePath - c:\documents and settings\JH347JHV\Application Data\Mozilla\Firefox\Profiles\u2qlv9tj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Ask

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=

FF - component: c:\documents and settings\JH347JHV\Application Data\Mozilla\Firefox\Profiles\u2qlv9tj.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampPlayer.dll

FF - component: c:\documents and settings\JH347JHV\Application Data\Mozilla\Firefox\Profiles\u2qlv9tj.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll

FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-14 20:58:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-287218729-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:dc,2c,6d,7b,60,bf,a9,6c,a5,c7,42,fd,24,85,bc,f0,f8,93,d1,e0,88,9d,ee,

6f,bd,44,c5,db,97,7b,4e,51,1f,69,d1,e9,ce,4f,aa,2f,77,af,52,bf,1c,35,3c,7d,\

"??"=hex:a5,91,c3,bd,cd,99,6e,b4,48,48,43,d2,53,37,83,2a

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)

d:\program files\AlienGUIse\fastload.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

c:\program files\Windows Live\Messenger\usnsvc.exe

.

**************************************************************************

.

Completion time: 2009-02-14 21:02:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-14 19:02:37

ComboFix2.txt 2009-02-13 22:07:04

Pre-Run: 1,158,066,176 bytes free

Post-Run: 1,244,524,544 bytes free

270

Microsoft:

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008

Started On Wed Apr 09 22:55:44 2008

->Scan ERROR: resource process://pid:1908 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:1908 (code 0x0000054F (1359))

->Scan ERROR: resource file://D:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

->Scan ERROR: resource file://D:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 09 22:57:31 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008

Started On Wed Apr 09 22:57:32 2008

->Scan ERROR: resource file://D:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

->Scan ERROR: resource file://D:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 09 22:59:04 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.4, November 2008

Started On Fri Dec 05 17:12:13 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Dec 05 17:13:55 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.4, November 2008

Started On Fri Dec 05 17:54:36 2008


->Scan ERROR: resource driver://IpInIp (code 0x0000054F (1359))

->Scan ERROR: resource driver://IpNat (code 0x0000054F (1359))

->Scan ERROR: resource driver://IPSec (code 0x0000054F (1359))

->Scan ERROR: resource driver://IRENUM (code 0x0000054F (1359))

->Scan ERROR: resource driver://isapnp (code 0x0000054F (1359))

->Scan ERROR: resource driver://k750bus (code 0x0000054F (1359))

->Scan ERROR: resource driver://k750mdfl (code 0x0000054F (1359))

->Scan ERROR: resource driver://k750mdm (code 0x0000054F (1359))

->Scan ERROR: resource driver://k750mgmt (code 0x0000054F (1359))

->Scan ERROR: resource driver://k750obex (code 0x0000054F (1359))

->Scan ERROR: resource driver://Kbdclass (code 0x0000054F (1359))

->Scan ERROR: resource driver://KernelPort (code 0x0000054F (1359))

->Scan ERROR: resource driver://Klf28 (code 0x0000054F (1359))

->Scan ERROR: resource driver://kmixer (code 0x0000054F (1359))

->Scan ERROR: resource driver://KSecDD (code 0x0000054F (1359))

->Scan ERROR: resource driver://lbrtfdc (code 0x0000054F (1359))

->Scan ERROR: resource driver://mnmdd (code 0x0000054F (1359))

->Scan ERROR: resource driver://Modem (code 0x0000054F (1359))

->Scan ERROR: resource driver://Mouclass (code 0x0000054F (1359))

->Scan ERROR: resource driver://mouhid (code 0x0000054F (1359))

->Scan ERROR: resource driver://MountMgr (code 0x0000054F (1359))

->Scan ERROR: resource driver://mraid35x (code 0x0000054F (1359))

->Scan ERROR: resource driver://MRxDAV (code 0x0000054F (1359))

->Scan ERROR: resource driver://MRxSmb (code 0x0000054F (1359))

->Scan ERROR: resource driver://Msfs (code 0x0000054F (1359))

->Scan ERROR: resource driver://MSKSSRV (code 0x0000054F (1359))

->Scan ERROR: resource driver://MSPCLOCK (code 0x0000054F (1359))

->Scan ERROR: resource driver://MSPQM (code 0x0000054F (1359))

->Scan ERROR: resource driver://mssmbios (code 0x0000054F (1359))

->Scan ERROR: resource driver://Mup (code 0x0000054F (1359))

->Scan ERROR: resource driver://NDIS (code 0x0000054F (1359))

->Scan ERROR: resource driver://NdisTapi (code 0x0000054F (1359))

->Scan ERROR: resource driver://Ndisuio (code 0x0000054F (1359))

->Scan ERROR: resource driver://NdisWan (code 0x0000054F (1359))

->Scan ERROR: resource driver://NDProxy (code 0x0000054F (1359))

->Scan ERROR: resource driver://NetBIOS (code 0x0000054F (1359))

->Scan ERROR: resource driver://NetBT (code 0x0000054F (1359))

->Scan ERROR: resource driver://Npfs (code 0x0000054F (1359))

->Scan ERROR: resource driver://Ntfs (code 0x0000054F (1359))

->Scan ERROR: resource driver://Nuc76 (code 0x0000054F (1359))

->Scan ERROR: resource driver://Null (code 0x0000054F (1359))

->Scan ERROR: resource driver://nv (code 0x0000054F (1359))

->Scan ERROR: resource driver://NwlnkFlt (code 0x0000054F (1359))

->Scan ERROR: resource driver://NwlnkFwd (code 0x0000054F (1359))

->Scan ERROR: resource driver://Parport (code 0x0000054F (1359))

->Scan ERROR: resource driver://PartMgr (code 0x0000054F (1359))

->Scan ERROR: resource driver://ParVdm (code 0x0000054F (1359))

->Scan ERROR: resource driver://PCI (code 0x0000054F (1359))

->Scan ERROR: resource driver://PCIDump (code 0x0000054F (1359))

->Scan ERROR: resource driver://PCIIde (code 0x0000054F (1359))

->Scan ERROR: resource driver://Pcmcia (code 0x0000054F (1359))

->Scan ERROR: resource driver://PDCOMP (code 0x0000054F (1359))

->Scan ERROR: resource driver://PDFRAME (code 0x0000054F (1359))

->Scan ERROR: resource driver://PDRELI (code 0x0000054F (1359))

->Scan ERROR: resource driver://PDRFRAME (code 0x0000054F (1359))

->Scan ERROR: resource driver://perc2 (code 0x0000054F (1359))

->Scan ERROR: resource driver://perc2hib (code 0x0000054F (1359))

->Scan ERROR: resource driver://pfc (code 0x0000054F (1359))

->Scan ERROR: resource driver://PptpMiniport (code 0x0000054F (1359))

->Scan ERROR: resource driver://PSched (code 0x0000054F (1359))

->Scan ERROR: resource driver://Ptilink (code 0x0000054F (1359))

->Scan ERROR: resource driver://PxHelp20 (code 0x0000054F (1359))

->Scan ERROR: resource driver://ql1080 (code 0x0000054F (1359))

->Scan ERROR: resource driver://Ql10wnt (code 0x0000054F (1359))

->Scan ERROR: resource driver://ql12160 (code 0x0000054F (1359))

->Scan ERROR: resource driver://ql1240 (code 0x0000054F (1359))

->Scan ERROR: resource driver://ql1280 (code 0x0000054F (1359))

->Scan ERROR: resource driver://RasAcd (code 0x0000054F (1359))

->Scan ERROR: resource driver://Rasl2tp (code 0x0000054F (1359))

->Scan ERROR: resource driver://RasPppoe (code 0x0000054F (1359))

->Scan ERROR: resource driver://Raspti (code 0x0000054F (1359))

->Scan ERROR: resource driver://Rdbss (code 0x0000054F (1359))

->Scan ERROR: resource driver://RDPCDD (code 0x0000054F (1359))

->Scan ERROR: resource driver://rdpdr (code 0x0000054F (1359))

->Scan ERROR: resource driver://RDPWD (code 0x0000054F (1359))

->Scan ERROR: resource driver://redbook (code 0x0000054F (1359))

->Scan ERROR: resource driver://s115bus (code 0x0000054F (1359))

->Scan ERROR: resource driver://s115mdfl (code 0x0000054F (1359))

->Scan ERROR: resource driver://s115mdm (code 0x0000054F (1359))

->Scan ERROR: resource driver://s115mgmt (code 0x0000054F (1359))

->Scan ERROR: resource driver://s115obex (code 0x0000054F (1359))

->Scan ERROR: resource driver://Secdrv (code 0x0000054F (1359))

->Scan ERROR: resource driver://serenum (code 0x0000054F (1359))

->Scan ERROR: resource driver://Serial (code 0x0000054F (1359))

->Scan ERROR: resource driver://Sfloppy (code 0x0000054F (1359))

->Scan ERROR: resource driver://Simbad (code 0x0000054F (1359))

->Scan ERROR: resource driver://Sparrow (code 0x0000054F (1359))

->Scan ERROR: resource driver://splitter (code 0x0000054F (1359))

->Scan ERROR: resource driver://sptd (code 0x0000054F (1359))

->Scan ERROR: resource driver://sr (code 0x0000054F (1359))

->Scan ERROR: resource driver://Srv (code 0x0000054F (1359))

->Scan ERROR: resource driver://ssmdrv (code 0x0000054F (1359))

->Scan ERROR: resource driver://swenum (code 0x0000054F (1359))

->Scan ERROR: resource driver://swmidi (code 0x0000054F (1359))

->Scan ERROR: resource driver://symc810 (code 0x0000054F (1359))

->Scan ERROR: resource driver://symc8xx (code 0x0000054F (1359))

->Scan ERROR: resource driver://sym_hi (code 0x0000054F (1359))

->Scan ERROR: resource driver://sym_u3 (code 0x0000054F (1359))

->Scan ERROR: resource driver://sysaudio (code 0x0000054F (1359))

->Scan ERROR: resource driver://Tcpip (code 0x0000054F (1359))

->Scan ERROR: resource driver://TDPIPE (code 0x0000054F (1359))

->Scan ERROR: resource driver://TDTCP (code 0x0000054F (1359))

->Scan ERROR: resource driver://TermDD (code 0x0000054F (1359))

->Scan ERROR: resource driver://TosIde (code 0x0000054F (1359))

->Scan ERROR: resource driver://TVICHW32 (code 0x0000054F (1359))

->Scan ERROR: resource driver://Udfs (code 0x0000054F (1359))

->Scan ERROR: resource driver://ultra (code 0x0000054F (1359))

->Scan ERROR: resource driver://Update (code 0x0000054F (1359))

->Scan ERROR: resource driver://usbhub (code 0x0000054F (1359))

->Scan ERROR: resource driver://USBSTOR (code 0x0000054F (1359))

->Scan ERROR: resource driver://usbuhci (code 0x0000054F (1359))

->Scan ERROR: resource driver://VgaSave (code 0x0000054F (1359))

->Scan ERROR: resource driver://ViaIde (code 0x0000054F (1359))

->Scan ERROR: resource driver://VolSnap (code 0x0000054F (1359))

->Scan ERROR: resource driver://w550bus (code 0x0000054F (1359))

->Scan ERROR: resource driver://w550mdfl (code 0x0000054F (1359))

->Scan ERROR: resource driver://w550mdm (code 0x0000054F (1359))

->Scan ERROR: resource driver://w550mgmt (code 0x0000054F (1359))

->Scan ERROR: resource driver://w550obex (code 0x0000054F (1359))

->Scan ERROR: resource driver://Wanarp (code 0x0000054F (1359))

->Scan ERROR: resource driver://WDICA (code 0x0000054F (1359))

->Scan ERROR: resource driver://wdmaud (code 0x0000054F (1359))

->Scan ERROR: resource driver://WS2IFSL (code 0x0000054F (1359))

->Scan ERROR: resource driver://Xix68 (code 0x0000054F (1359))

->Scan ERROR: resource driver://Xyl73 (code 0x0000054F (1359))

->Scan ERROR: resource driver://a3pv2gty (code 0x0000054F (1359))

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.6, January 2009

Started On Sun Jan 25 23:43:19 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sun Jan 25 23:45:27 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.6, January 2009

Started On Sun Jan 25 23:45:29 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sun Jan 25 23:47:00 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.7, February 2009

Started On Sat Feb 14 00:32:44 2009

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Feb 14 00:33:01 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.7, February 2009

Started On Sat Feb 14 16:00:15 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Feb 14 16:03:23 2009

NOD is fine for me; I'll install other programs, Kaspersky and others.

The ComboFix log already looks better.

It is not recommended to install two antivirus programs... better check with some that do not require installation:

Comment #3

http://www.kaldata.com/forums/index.php?s=...st&p=415744

Uninstall ComboFix with the command:

Start => Run => combofix /u

combofix20u-1.jpg

Did the Symantec tool - FixDownloadup - and the Kaspersky one - KidoKiller - find anything?

Did you install the updates I pointed out in my first post in the topic?

Clear the NOD32 quarantine. Turn System Restore off and back on:

Right-click My Computer => Properties => System Restore => tick Turn Off System Restore

Start => run => cleanmgr => More Options => System Restore => Clean UP

Clean the temporary files with ATF-CLEANER

(Choose Select All => just untick Prefetch => Empty Selected).

How is the machine now? Do those messages still appear?

So far I've installed everything, and FixDownloadup showed me that I was missing this: Security Update for WinXP (kB958644), and I installed it. It didn't find anything suspicious; now I'm scanning with KidoKiller and after that I'll post the logs. And let me ask: from that Comment #3, what should I download?

First, those programs don't get installed... They work like portable versions => you download, run, scan, clean and delete them...

Second, I only suggested them as an alternative to installing another antivirus. I'm not insisting that you scan with them and I think it isn't necessary.

How is the machine behaving at the moment?

Well, more or less fine; I'll wait another week to see whether that virus comes back in NOD. Here is the other log:

Net-Worm.Win32.Kido removing tool, Kaspersky Lab 2009

version 3.1 Feb 3 2009 07:34:42

scanning threads ...

scanning modules in svchost.exe...

scanning modules in services.exe...

scanning modules in explorer.exe...

scanning C:\WINDOWS\system32 ...

scanning C:\Program Files\Internet Explorer\ ...

scanning C:\Program Files\Movie Maker\ ...

scanning C:\Documents and Settings\JH347JHV\Application Data ...

scanning C:\DOCUME~1\JH347JHV\LOCALS~1\Temp\ ...

completed

Infected files: 0

Infected threads: 0

Splices functions: 0

Cured files: 0

Fixed registry keys: 0

Press any key to continue . . .

OK, and now, if you're not on the latest Windows updates, I advise you to do that right away!

Here's one option for protection - Avira or AVG + Comodo Firewall Pro; get rid of that NOD!

You can also put Avast on, but definitely with Comodo Firewall Pro!!!

Everything's fine!

Do the same, but this time in Notepad:

Killall::


Rootkit::

c:\documents and settings\LogMeInRemoteUser\is-MRR7S.tmp


DirLook::

c:\windows\srchasst

And after that I'm expecting a log.

I simply can't explain what happened to me. This is the error I get when I double-click the icon of any hard disk:

bamaamu.JPG

Since I was downloading the patch for NFS Undercover and it turned out the torrent contained a virus (some trojan), I decided to try installing a different antivirus. NOD32 detected it and supposedly deleted it ... but the error appeared after that. I tried Panda - it couldn't update. I tried Kaspersky - the installer didn't get to the end. Consequently I couldn't uninstall it properly. And when I got desperate and decided to put NOD back on ... BANG! Blue screen before logging in to the profile. That led to a reinstall. And not only that, I also had to move the hard disk to the other computer to rescue data. Now the same error shows up on the other computer too. Anyway ... I put the disk back, reinstalled (now I'm in for it - I have at least 100 programs and games to reinstall) ... and the problem is still there. The screenshot is fresh, taken after the reinstall. So what the hell is going on? Help, this has really got me down.

Thank you!

PS: I tried making a shortcut to the hard disk on the desktop ... the effect is the same.

Edited by xactoR

Does it open with right-click and Explore? If yes, check for some hidden (possibly system) file autorun.ini/inf; if there is something like that, copy its contents here. ;-)

OK, but earlier I had put that Comodo on and it messed with my registry, "appint_dlls" or something of that sort, and I had problems with 1 game program; I don't know if it was because of Comodo, but it happened after I installed it, some time passed, 1 to 5 days I think, and that's when it happened. Now I tried to start Windows Update but it shows me some problem with the browser ...

Here's the log:

The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.

It opens with Explore. And if I click in the drop-down menu on the left, it opens too. Where should I look for this autorun, and if it exists, where is this "here" that I should copy it to?

Well, here... Why is it that whenever someone says "here" it has to mean some website or something similar, just here.

In principle, an autorun.ini file is not needed for partitions to work, unless the user created it for a specific purpose. This file should be located in the root directory of the respective partition, and copying (or more precisely pasting) its contents here can save you future problems. The procedure is simple: once you find and open the file, you review it and if something looks suspicious, you delete it. After that you also delete the autorun file. And you repeat the step for all infected partitions. It's even possible that it causes you a similar problem when you plug some external device into the computer (e.g. a flash drive); the removal procedure for it is no different.
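The check described in the post above, automated as an added example (not code from this thread): it looks for autorun.inf in each volume root, reports whether the file is hidden or system, and flags the [autorun] directives that would launch a program. The sample contents and the recycler\example.exe path are constructed.

```python
"""Find autorun.inf in volume roots and flag directives that launch code.

Added example, not from the forum thread; it automates the manual check above.
Sample contents and the recycler\\example.exe path are constructed.
"""
import os
import stat

# [autorun] keys that make Windows run a program on insert or double-click.
# A user-made autorun.inf (icon=, label=) has no need for them.
EXEC_KEYS = {"open", "shellexecute"}

def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section of an INI text.
    Hand-rolled instead of configparser: infected files are often padded
    with junk lines or NUL bytes that make a strict parser raise."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess(entries):
    """Return one finding per directive that would execute a program."""
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            findings.append(f"{key}={value}: runs a program on AutoPlay/double-click")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}={value}: context-menu verb runs a program")
    return findings

def scan_roots(roots):
    """Look for autorun.inf in each given root; return one report per hit."""
    reports = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:          # drive letter not present, no media, etc.
            continue
        for name in names:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(root, name)
            # st_file_attributes is only set on Windows; elsewhere treat as 0.
            attrs = getattr(os.stat(path), "st_file_attributes", 0)
            with open(path, "r", errors="ignore") as fh:
                entries = parse_autorun(fh.read())
            reports.append({
                "path": path,
                "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
                "findings": assess(entries),
            })
    return reports

# Constructed samples: a worm-style file that hijacks open/explore, and the
# harmless kind a driver CD ships with.
SUSPICIOUS_SAMPLE = """[AutoRun]
open=recycler\\example.exe
shell\\open\\command=recycler\\example.exe
shell\\explore\\command=recycler\\example.exe
action=Open folder to view files
"""
BENIGN_SAMPLE = "[autorun]\nicon=setup.exe,0\nlabel=Driver CD\n"
```

On a Windows machine call scan_roots with the drive roots (for example ["C:\\", "D:\\", "E:\\"]); on other systems pass the mount points of removable media.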

You don't have to use Windows Update:

There are:

*Microsoft Baseline Security Analyzer

*Proactive Security Auditor

*Belarc Advisor

*Protector Plus Windows Vulnerability Scanner

*NETCHEK PROTECT

*Windows Doctor

*Windows Updates Downloader

etc.

I recommend ONE of the following 3:

Microsoft Baseline Security Analyzer

Windows Updates Downloader

Protector Plus Windows Vulnerability Scanner

Well, there's no such file on any of the disks (they're 3 disks, not partitions). Now when I turned on the computer it didn't boot the first time. Something has gone seriously wrong and I can't understand how, and above all why :P

With Trojan Remover I managed to delete 3 files with the name in question (autorun.inf), one on each hard disk. I did the same with the two partitions on the other computer. Mine keeps making trouble for me (won't open IE), so I'm writing from the third computer. What could this be due to? I click the IE icon, the hourglass shows next to the mouse, sits there a second or two and disappears. I tried to open a page through Explorer (when you type a link at the top, IE opens) ... same thing - the hourglass, and it goes back to My Computer. Now I feel so bad - how did I not think yesterday, before starting to do anything, to run this program. Now I'll spend a whole week on nonsense until I fix the mess.

The NOD32 scan finds this:

trojan.JPG

but it can't delete it. It says "Error while cleaning - operation unavailable for this object type". I don't know what to do anymore. I'll try another antivirus, but ... it seems clear that I'll have to save what I can and format everything.

PS: The topic no longer matches the original title, so I changed it. Now, however, it doesn't match the section. Could one of the mods please move it :huh:

PS2: It seems I finally fixed it. I used BitDefender. We'll see what happens. Still, I'll do one more reinstall when I can save my music and photos somewhere and format absolutely everything.

Edited by xactoR

To be honest, the names mean nothing to me :rolleyes: Which one is the best :rolleyes:

A firewall by itself can't do anything!!!

Maybe you blocked something that was related to the game and that's when the problem started.

At the moment Comodo Firewall Pro is the best firewall in the world! If you master it, I guarantee you'll forget about the heavy artillery many people torture their machines with! Windows absolutely must be updated to the hilt, since the updates plug huge holes in the OS, and those are exactly what worms, trojans etc. exploit!

Since I want to be sure about what I have to do, I prefer to ask :) I copy this text into Notepad, but then what exactly do I do... what name do I give it, and do I drop it onto combofix again?

Edited by menko
