Help with detecting and removing viruses, trojans, etc., part 2

More problems

Apart from the problem with copy, cut and paste not working, I had other problems as well:

1. When I started the PC, this message came up: lsass.exe - Drive not ready, with three options: Cancel, Try Again and Continue. Whatever I pressed, after 5 seconds the same message appeared again, and this went on over and over. --> It was very annoying.

2. When I logged in to Skype, after about 5 seconds it kicked me out, and then the same thing again. I worked around this with Skype Portable, but after the fix I could log in to Skype the normal way again.

3. My Language bar had disappeared.

4. Last night when I turned on the computer the Taskbar was gone, but after a restart it appeared again.

5. When I tried to scan with Malwarebytes Anti-Malware, SUPERAntiSpyware and Free Dr.WEB CureIt!, they froze and showed Not Responding; Kaspersky Virus Removal Tool I downloaded after the fix, but I assume the same would have happened with it.

I suspected it was either a recently installed program or that I had caught some pest, since I am running without an antivirus. I assume almost all, or all, of my problems were from that filthy lsass.exe.

Steps I took

1. I downloaded Malwarebytes Anti-Malware, SUPERAntiSpyware and Free Dr.WEB CureIt!.

2. I updated Malwarebytes Anti-Malware, SUPERAntiSpyware and Free Dr.WEB CureIt!.

3. When I tried to scan, they froze.

4. I updated and am now on SP2.

5. After that I tried to scan again and they froze again.

6. I decided to fix them and then try again. After the fix, copy, cut and paste worked again, both with the right mouse button and with the keyboard shortcuts, for text, for files, and in Paint. Along with that I said goodbye to the other 5 problems too.

7. I also downloaded Kaspersky Virus Removal Tool.

8. I looked for an update option in Kaspersky Virus Removal Tool but did not find one.

9. After the fix I managed to scan with all four without any problem.

10. Here are the logs:

Malwarebytes Anti-Malware

Malwarebytes' Anti-Malware 1.34

Версия на базата от данни: 1813

Windows 5.1.2600 Service Pack 2

02.3.2009 г. 02:36:29

mbam-log-2009-03-02 (02-36-23).txt

Тип сканиране: Пълно сканиране (C:\|)

Сканирани обекти: 108156

Изминало време: 27 minute(s), 46 second(s)

Заразени процеси в паметта: 0

Заразени модули в паметта: 0

Заразени ключове в регистратурата: 3

Заразени стойности в регистратурата: 0

Заразени информационни обекти в регистратурата: 0

Заразени папки: 0

Заразени файлове: 7

Заразени процеси в паметта:

(Не бяха открити заплахи)

Заразени модули в паметта:

(Не бяха открити заплахи)

Заразени ключове в регистратурата:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> No action taken.

Заразени стойности в регистратурата:

(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:

(Не бяха открити заплахи)

Заразени папки:

(Не бяха открити заплахи)

Заразени файлове:

C:\WINDOWS\system32\senekabjoawbin.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\senekapjnlsykq.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\senekasfkkqoib.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\senekatirfqboo.sys (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\senekaumpaafxj.dat (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\senekawkroyoew.dat (Trojan.Agent) -> No action taken.

Super Anti-Spyware Free

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 03/02/2009 at 01:48 AM

Application Version : 4.25.1014

Core Rules Database Version : 3779

Trace Rules Database Version: 1738

Scan type : Complete Scan

Total Scan Time : 00:30:08

Memory items scanned : 375

Memory threats detected : 0

Registry items scanned : 3558

Registry threats detected : 6

File items scanned : 38120

File threats detected : 16

Adware.Tracking Cookie

C:\Documents and Settings\SAKATA\Cookies\sakata@atdmt[1].txt

C:\Documents and Settings\SAKATA\Cookies\sakata@doubleclick[1].txt

C:\Documents and Settings\SAKATA\Cookies\sakata@cgi-bin[2].txt

C:\Documents and Settings\SAKATA\Cookies\sakata@mediaplex[1].txt

C:\Documents and Settings\SAKATA\Cookies\[email protected][2].txt

C:\Documents and Settings\SAKATA\Cookies\sakata@advertising[1].txt

C:\Documents and Settings\SAKATA\Cookies\[email protected][2].txt

C:\Documents and Settings\SAKATA\Cookies\[email protected][1].txt

C:\Documents and Settings\SAKATA\Cookies\[email protected][1].txt

C:\Documents and Settings\SAKATA\Cookies\sakata@tacoda[1].txt

C:\Documents and Settings\SAKATA\Cookies\[email protected][1].txt

Adware.MyWebSearch/FunWebProducts

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Malware.RepairRegistryPro

HKLM\Software\Repair Registry Pro

HKLM\Software\Repair Registry Pro#lastfounderrors

HKLM\Software\Repair Registry Pro#DontStoreStats

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\RepairRegistryPro.exe

C:\Program Files\Repair Registry Pro\uninst.exe

C:\Program Files\Repair Registry Pro

C:\Documents and Settings\SAKATA\Start Menu\Programs\Repair Registry Pro\Repair Registry Pro.lnk

C:\Documents and Settings\SAKATA\Start Menu\Programs\Repair Registry Pro\Uninstall.lnk

C:\Documents and Settings\SAKATA\Start Menu\Programs\Repair Registry Pro

Dr.WEB CureIt!

RegUBP2b-SAKATA.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;;

B564F0D0d01;C:\Documents and Settings\SAKATA\Local Settings\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\Cache;VBS.PackFor.26;;

A0011408.dll;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121;Trojan.DownLoad.16849;;

A0000237.exe;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP5;Trojan.Fakealert.2262;;

A0000398.exe\data005;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66\A0000398.exe;Trojan.Fakealert.2262;;

A0000398.exe;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66;Архивът съдържа инфектирани обекти;;

A0000423.exe;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66;Trojan.Seneka.6;;

A0000424.exe;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66;Trojan.Seneka.6;;

A0003719.reg;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP69;Възможно, SCRIPT.BATCH.Virus;;

senekabjoawbin.dll;C:\WINDOWS\system32;Възможно, Trojan.Packed.365;;

senekapjnlsykq.dll;C:\WINDOWS\system32;Възможно, Trojan.Packed.365;;

senekasfkkqoib.dll;C:\WINDOWS\system32;Възможно, Trojan.Packed.365;;

vzcmgmv[1].jpg;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E7TLAS8P;Trojan.DownLoad.16849;;

Kaspersky Virus Removal Tool

Scan

----

Scanned: 335157

Detected: 14

Untreated: 14

Start time: 02.3.2009 г. 06:20:10

Duration: 02:28:18

Finish time: 02.3.2009 г. 08:48:28

Detected

--------

Status Object

------ ------

detected: virus Worm.Win32.AutoRun.ezx File: c:\windows\security\lsass.exe

detected: virus Net-Worm.Win32.Kido.ih File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011408.dll//PE_Patch.UPX//UPX

detected: virus Worm.Win32.AutoRun.ezx File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011516.exe

detected: Trojan program Packed.Win32.Tdss.f File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66\A0000423.exe

detected: Trojan program Packed.Win32.Tdss.f File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66\A0000424.exe

detected: Trojan program Packed.Win32.Tdss.f File: C:\WINDOWS\system32\senekabjoawbin.dll

detected: Trojan program Packed.Win32.Tdss.f File: C:\WINDOWS\system32\senekapjnlsykq.dll

detected: Trojan program Packed.Win32.Tdss.f File: C:\WINDOWS\system32\senekasfkkqoib.dll

detected: virus Worm.Win32.AutoRun.ezx File: C:\WINDOWS\system32\upd.exe

detected: virus Net-Worm.Win32.Kido.ih File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E7TLAS8P\vzcmgmv[1].jpg//PE_Patch.UPX//UPX

detected: Trojan program Packed.Win32.Tdss.f File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011521.dll

detected: Trojan program Packed.Win32.Tdss.f File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011522.dll

detected: Trojan program Packed.Win32.Tdss.f File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011523.dll

detected: virus Worm.Win32.AutoRun.ezx File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011524.exe

I have not taken any action yet, so as not to mess something up; I will act after your advice. Tell me which threats to delete and which to immunize, and with which program, because some of them are detected by more than one program.

I had not installed the update from SP1 to SP2 because I reinstalled on Thursday and was going to download it soon anyway. Either way, it is done now.

The same goes for the antivirus, but that one I still have to download. I have used all sorts of them before; the choice is quite hard and wide, so please advise me which antivirus to install.

By the way, a friend says I should not move to SP3. What do you say about that?

A huge THANK YOU to everyone who has helped me so far, for the advice and the many alternatives.

I still have work to do before my computer is clean. I look forward to your advice.
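The poster asks which threats to remove, since several objects are flagged by more than one tool. The following is an added example, not code from the thread or from any of the tools, that parses the four log formats quoted above and correlates them by object path; the sample lines are excerpts of the posted logs, embedded as constructed test input, and the tool labels and function names are the example's own.

```python
# Correlates detections from the four scanner log formats quoted above, keyed by
# object path, so a file flagged by several tools appears once with every name given.
import re
from collections import defaultdict

# Malwarebytes: "<path> (<detection>) -> No action taken."
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> ")
# Kaspersky VRT: "detected: virus|Trojan program <detection> File: <path>"
KAV_RE = re.compile(r"^detected: (?:virus|Trojan program) (?P<name>\S+) File: (?P<path>.+)$")
RESTORE_DIR = "\\system volume information\\_restore"  # System Restore snapshots

# Constructed test input: excerpts of the four logs posted in the thread.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekabjoawbin.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action taken.
"""
SAS_SAMPLE = r"""
Adware.Tracking Cookie
C:\Documents and Settings\SAKATA\Cookies\sakata@atdmt[1].txt
Malware.RepairRegistryPro
HKLM\Software\Repair Registry Pro
C:\Program Files\Repair Registry Pro\uninst.exe
"""
DRWEB_SAMPLE = r"""
senekabjoawbin.dll;C:\WINDOWS\system32;Възможно, Trojan.Packed.365;;
A0011408.dll;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121;Trojan.DownLoad.16849;;
A0000398.exe\data005;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66\A0000398.exe;Trojan.Fakealert.2262;;
A0000398.exe;C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP66;Архивът съдържа инфектирани обекти;;
vzcmgmv[1].jpg;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E7TLAS8P;Trojan.DownLoad.16849;;
"""
KAV_SAMPLE = r"""
detected: virus Worm.Win32.AutoRun.ezx File: c:\windows\security\lsass.exe
detected: virus Net-Worm.Win32.Kido.ih File: C:\System Volume Information\_restore{E543C1E4-607C-48B6-AEB5-9B3FF53AD7D5}\RP121\A0011408.dll//PE_Patch.UPX//UPX
detected: Trojan program Packed.Win32.Tdss.f File: C:\WINDOWS\system32\senekabjoawbin.dll
detected: virus Net-Worm.Win32.Kido.ih File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E7TLAS8P\vzcmgmv[1].jpg//PE_Patch.UPX//UPX
"""


def norm_path(path):
    """Lower-case the path and drop unpacker suffixes such as '//PE_Patch.UPX//UPX'."""
    return path.split("//")[0].strip().lower()


def parse_lines(text, regex):
    """One (object, detection) pair per line matching a path/name regex (Malwarebytes, Kaspersky)."""
    return [(norm_path(m.group("path")), m.group("name"))
            for line in text.splitlines() if (m := regex.match(line.strip()))]


def parse_sas(text):
    """SUPERAntiSpyware: a category line, then one object (file or registry key) per line."""
    hits, category = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if "\\" in line and category:
            hits.append((norm_path(line), category))
        elif line:
            category = line
    return hits


def parse_drweb(text):
    """Dr.Web CureIt: 'name;folder;verdict;;'. An archive member (name contains a
    backslash) is charged to the archive so it merges with the archive's own line."""
    hits = []
    for parts in (line.strip().split(";") for line in text.splitlines()):
        if len(parts) < 3 or not parts[1]:
            continue
        name, folder, verdict = parts[:3]
        obj = folder if "\\" in name else folder + "\\" + name
        hits.append((norm_path(obj), verdict))
    return hits


def correlate(logs):
    """{tool: [(object, detection)]} -> {object: {tool: sorted detection names}}."""
    table = defaultdict(lambda: defaultdict(set))
    for tool, hits in logs.items():
        for obj, name in hits:
            table[obj][tool].add(name)
    return {obj: {t: sorted(n) for t, n in tools.items()} for obj, tools in table.items()}


def triage(table):
    """Split objects into: flagged by 2+ tools, by one tool only, and restore-point copies
    (the latter are cleared by turning System Restore off, as the next reply instructs)."""
    multi, single, restore = [], [], []
    for obj, tools in sorted(table.items()):
        (restore if RESTORE_DIR in obj else multi if len(tools) > 1 else single).append(obj)
    return multi, single, restore


def build_table():
    return correlate({
        "Malwarebytes": parse_lines(MBAM_SAMPLE, MBAM_RE),
        "SUPERAntiSpyware": parse_sas(SAS_SAMPLE),
        "Dr.Web CureIt": parse_drweb(DRWEB_SAMPLE),
        "Kaspersky VRT": parse_lines(KAV_SAMPLE, KAV_RE),
    })
```

Calling `triage(build_table())` on the excerpts puts the seneka DLL and the cached jpg in the multi-tool list, lsass.exe in the single-tool list, and both restore-point objects in the third list.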


1. Stop System Restore:

Right-click My Computer => Properties => System Restore => tick Turn Off System Restore

Start => run => cleanmgr => More Options => System Restore => Clean Up

2. Fix what Malwarebytes, SUPERAntiSpyware, Dr.WEB CureIt and Kaspersky found!

3. Do the following:

3.1. Temporarily disable your antivirus program's real-time protection.

3.2. Download Combofix (it has been renamed on purpose and uploaded to 4storing)

3.3. Save it to the DESKTOP.

3.4. Enter the following command:

Start => run =>

"%userprofile%\desktop\albundy.exe" /killall

3.5. Post the log file.

I did everything, but when I do 3.4 I get this message:

(screenshot: nestava.png)

Heh, I have actually seen that message before.

Try renaming it to Combo-Fix.exe and start it with a double click (without that command).

Or try downloading it from here, but I suspect you will not have access to a number of antivirus vendors' sites.

So download HostsXpert.

Unzip the program, run HostsXpert.exe and click Make Hosts Writable

Now click Restore MS Hosts File and confirm with YES.

Close the application.

Try downloading ComboFix from here:

http://subs.geekstogo.com/ComboFix.exe

you are not on Cyrillic, are you?

No, when I tried I was on EN.

After I renamed it to Combo-Fix.exe it worked.

Spybot - Search & Destroy asks me about several changes, but I did not allow any of them. Tell me, should I allow all of them or only some?

Here is the log:

ComboFix 09-03-02.03 - SAKATA 2009-03-03 21:19:35.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1251.1.1033.18.1023.698 [GMT 2:00]

Running from: c:\documents and settings\SAKATA\Desktop\Combo-Fix.exe.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\aebaabfba3_d.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))

.

2009-03-02 21:25 . 2009-03-02 21:25 <DIR> d-------- C:\albundy

2009-03-02 06:14 . 2009-03-03 21:21 10,960,928 --ahs---- c:\windows\system32\drivers\fidbox.dat

2009-03-02 06:14 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\57567480.sys

2009-03-02 06:14 . 2009-03-03 15:44 100,952 --ahs---- c:\windows\system32\drivers\fidbox.idx

2009-03-02 03:24 . 2009-03-02 03:24 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Uniblue

2009-03-02 03:22 . 2009-03-02 03:22 <DIR> d-------- c:\program files\Uniblue

2009-03-02 03:22 . 2009-03-02 03:22 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}

2009-03-01 23:54 . 2008-12-21 01:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-03-01 23:54 . 2007-04-17 11:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-03-01 23:54 . 2007-03-08 07:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-03-01 23:54 . 2008-12-21 01:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-03-01 23:54 . 2008-12-21 01:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-03-01 23:54 . 2008-12-21 01:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-03-01 23:54 . 2008-12-21 01:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-03-01 23:54 . 2008-12-21 01:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-03-01 23:54 . 2008-12-19 11:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-03-01 23:49 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll

2009-03-01 23:26 . 2009-03-01 23:50 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-03-01 23:24 . 2009-01-16 21:35 3,594,752 -----c--- c:\windows\system32\dllcache\mshtml.dll

2009-03-01 23:22 . 2009-03-02 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

2009-03-01 23:22 . 2008-04-11 20:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-03-01 23:22 . 2008-05-01 16:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-03-01 23:21 . 2008-10-03 12:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d--hs---- c:\documents and settings\All Users\DRM

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users\Documents

2009-03-01 13:12 . 2004-08-04 09:56 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\provisioning

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\peernet

2009-03-01 13:10 . 2009-03-01 13:10 <DIR> d-------- c:\windows\ServicePackFiles

2009-03-01 13:05 . 2009-03-01 13:05 <DIR> d-------- c:\windows\EHome

2009-03-01 12:59 . 2009-03-01 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\SUPERAntiSpyware.com

2009-03-01 12:45 . 2009-03-01 12:45 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-01 12:45 . 2009-03-01 12:45 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-01 11:21 . 2009-03-01 11:21 <DIR> d-------- c:\windows\Sun

2009-03-01 11:21 . 2009-03-01 11:22 <DIR> d-------- c:\documents and settings\SAKATA\.housecall6.6

2009-03-01 11:20 . 2009-03-01 12:45 <DIR> d-------- c:\program files\Java

2009-03-01 11:19 . 2009-03-01 11:19 <DIR> d-------- c:\program files\Common Files\Java

2009-03-01 10:20 . 2009-03-01 12:43 <DIR> d-------- C:\csscod

2009-03-01 10:19 . 2009-03-01 10:19 <DIR> d-------- c:\program files\AhnLab

2009-03-01 07:57 . 2009-03-01 07:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-01 07:46 . 2009-03-01 07:46 <DIR> d-------- c:\program files\a-squared HiJackFree

2009-03-01 07:43 . 2009-03-01 07:43 <DIR> d-------- c:\documents and settings\SAKATA\DoctorWeb

2009-03-01 07:37 . 2009-03-02 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-01 07:37 . 2009-03-01 07:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks

2009-03-01 07:37 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users

2009-03-01 03:28 . 2009-03-01 03:28 <DIR> d-------- c:\program files\Avira GmbH

2009-02-28 23:22 . 2009-02-28 23:22 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Malwarebytes

2009-02-28 23:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 23:21 . 2009-03-01 12:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-28 23:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-28 21:51 . 2009-02-28 21:51 <DIR> d-------- c:\program files\Ashampoo

2009-02-28 21:51 . 2009-01-09 11:46 39,776 --a------ c:\windows\system32\DfSdkBt64.exe

2009-02-28 21:51 . 2009-01-09 11:46 33,632 --a------ c:\windows\system32\DfSdkBt.exe

2009-02-28 21:50 . 2009-02-28 21:50 <DIR> d-------- c:\program files\RegSupreme Pro

2009-02-28 21:50 . 2009-02-28 21:50 23 --a------ c:\windows\system32\adefecbccf9_d.ocx

2009-02-28 17:15 . 2004-01-10 07:11 26,112 --a------ c:\windows\system32\xpsp1hfm.exe

2009-02-28 03:55 . 2009-02-28 17:13 250 --a------ c:\windows\gmer.ini

2009-02-28 01:47 . 2009-02-28 01:47 <DIR> d-------- c:\program files\Trend Micro

2009-02-27 04:41 . 2009-02-27 04:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-27 03:42 . 2009-02-27 03:42 520,676 --a------ c:\windows\system\sshbx5.exe

2009-02-27 03:42 . 2005-03-05 12:30 488,704 --a------ c:\windows\system\wodSSH.ocx

2009-02-27 03:42 . 2005-02-16 01:56 451,840 --a------ c:\windows\system\wodSSH.dll

2009-02-27 03:42 . 2009-02-14 16:03 36,864 --a------ c:\windows\system\tty1.exe

2009-02-27 03:42 . 2009-03-01 23:58 132 --a------ c:\windows\system\scanner.ini

2009-02-27 03:37 . 2009-02-27 03:37 197 --a------ c:\windows\system32\MRT.INI

2009-02-27 03:17 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img

2009-02-27 03:17 . 2004-08-04 00:56 11,776 --------- c:\windows\system32\spnpinst.exe

2009-02-27 03:17 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig

2009-02-27 03:17 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat

2009-02-27 03:02 . 2009-02-27 03:04 <DIR> d-------- c:\program files\PC Registry Cleaner

2009-02-27 03:02 . 2009-03-01 12:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-27 03:01 . 2009-02-27 03:01 <DIR> d-------- c:\program files\Internet Speed Tester

2009-02-27 02:55 . 2005-10-21 00:20 1,082,368 --a------ c:\windows\system32\esent.dll

2009-02-27 02:50 . 2009-03-03 00:14 <DIR> d--h----- c:\windows\$hf_mig$

2009-02-27 02:49 . 2009-02-27 02:49 <DIR> d-------- c:\windows\system32\bits

2009-02-27 02:49 . 2004-08-04 09:56 351,232 --a------ c:\windows\system32\winhttp.dll

2009-02-27 02:49 . 2004-08-04 09:56 18,944 --a------ c:\windows\system32\qmgrprxy.dll

2009-02-27 02:49 . 2004-08-04 09:56 8,192 --------- c:\windows\system32\bitsprx2.dll

2009-02-27 02:49 . 2004-08-04 09:56 7,168 --------- c:\windows\system32\bitsprx3.dll

2009-02-27 02:47 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll

2009-02-27 02:47 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll

2009-02-27 02:47 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl

2009-02-27 02:47 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll

2009-02-27 02:47 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll

2009-02-27 02:47 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

2009-02-27 02:42 . 2009-02-27 02:42 <DIR> d-------- c:\program files\Winamp Toolbar

2009-02-27 01:53 . 2009-02-27 01:56 86,774 --a------ C:\_crash.dmp

2009-02-27 01:53 . 2009-02-27 01:56 37,987 --a------ C:\report.zip

2009-02-27 01:50 . 2009-02-27 01:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-27 01:49 . 2009-02-27 01:49 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-02-27 01:48 . 2009-02-27 01:48 <DIR> d-------- c:\program files\Stamina

2009-02-27 01:47 . 2009-02-27 01:47 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\DivX

2009-02-27 01:35 . 2009-02-27 01:35 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS

2009-02-27 01:33 . 2009-02-27 03:37 <DIR> d-------- c:\program files\Repair Registry Pro

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\Common Files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\AskSearch

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\AskBarDis

2009-02-27 01:20 . 2009-02-27 01:20 <DIR> d-------- c:\program files\Winamp Remote

2009-02-27 01:20 . 2009-03-01 14:21 316,640 --a------ c:\windows\WMSysPr9.prx

2009-02-27 01:18 . 2009-02-27 02:42 <DIR> d-------- c:\program files\Winamp

2009-02-27 01:18 . 2009-02-27 01:26 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Winamp

2009-02-27 01:16 . 2009-02-27 01:16 <DIR> d-------- c:\program files\SA Dictionary 2008 Beta 4

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\program files\RapidTyping

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\RapidTyping

2009-02-27 01:14 . 2009-02-27 05:19 <DIR> d-------- c:\program files\DivX

2009-02-27 01:13 . 2009-02-27 01:14 <DIR> d-------- c:\program files\DirectX Nov 2008 Setup Redist 6.0.2800.1106

2009-02-27 01:12 . 2009-02-27 01:12 <DIR> d-------- c:\program files\DC++

2009-02-27 01:11 . 2009-02-27 01:11 <DIR> d-------- c:\program files\Webteh

2009-02-27 01:11 . 2009-02-27 02:39 <DIR> d-------- c:\program files\BS.Player ControlBar

2009-02-27 01:10 . 2009-02-28 21:15 <DIR> d-------- c:\program files\CometBird

2009-02-27 01:10 . 2009-02-27 01:10 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\CometNetwork

2009-02-27 01:10 . 2009-02-27 01:10 0 --a------ c:\windows\nsreg.dat

2009-02-27 01:09 . 2009-03-03 17:10 <DIR> d-------- c:\program files\BitComet

2009-02-27 01:09 . 2009-03-02 06:08 <DIR> d-------- C:\Downloads

2009-02-27 01:08 . 2009-02-27 01:08 <DIR> d-------- c:\windows\system32\Adobe

2009-02-27 01:08 . 2009-01-16 18:34 499,712 --a------ c:\windows\system32\msvcp71.dll

2009-02-27 01:08 . 2009-01-16 18:34 348,160 --a------ c:\windows\system32\msvcr71.dll

2009-02-27 01:05 . 2009-02-27 01:05 <DIR> d-------- c:\program files\Common Files\Adobe

2009-02-26 23:08 . 2009-02-26 23:08 <DIR> d---s---- c:\documents and settings\SAKATA\UserData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 18:59 --------- d-----w c:\documents and settings\SAKATA\Application Data\Skype

2009-03-03 14:57 --------- d-----w c:\documents and settings\SAKATA\Application Data\skypePM

2009-03-01 01:28 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-26 21:20 --------- d-----w c:\program files\Skype

2009-02-26 21:20 --------- d-----w c:\program files\Google

2009-02-26 21:20 --------- d-----w c:\program files\Common Files\Skype

2009-02-26 20:57 --------- d-----w c:\program files\VDOTool

2009-02-26 20:55 --------- d-----w c:\program files\KWorld Multimedia

2009-02-26 20:49 --------- d-----w c:\program files\Realtek

2009-02-26 20:49 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-26 20:38 --------- d-----w c:\program files\microsoft frontpage

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll

2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll

2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll

2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll

2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll

2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-02-26 171448]

"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]

"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-25 507904]

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-08-04 1667584]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-09-09 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TBPanel"="c:\program files\VDOTool\TBPanel.exe" [2008-01-09 2169384]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-01-09 13508608]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-01-09 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-01-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\SAKATA\Start Menu\Programs\Startup\

is-9LHA7.lnk - c:\documents and settings\SAKATA\Desktop\New Folder\gfhgfhgfhfghfghgfhgfhfghf\Virus Removal Tool\is-9LHA7\startup.exe [2009-03-02 65536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7246:TCP"= 7246:TCP:BitComet 7246 TCP

"7246:UDP"= 7246:UDP:BitComet 7246 UDP

R1 is-9LHA7drv;is-9LHA7drv;c:\windows\system32\drivers\57567480.sys [2009-03-02 148496]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2009-02-26 672128]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2009-02-26 28672]

S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009-02-28 410976]

S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]

S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-02-27 234888]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

aewosmymm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bd8da4d-0449-11de-8f54-00138fa4c98a}]

\Shell\AutoRun\command - I:\viewfiles.exe

\Shell\explore\command - I:\viewfiles.exe

\Shell\open\command - I:\viewfiles.exe

.

- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bsplayer-search.com/startpage

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Winamp Search

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12}

FF - ProfilePath - c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Winamp Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

FF - component: c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-03 21:21:07

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-03-03 21:22:18

ComboFix-quarantined-files.txt 2009-03-03 19:22:16

Pre-Run: 71 912 648 704 bytes free

Post-Run: 72,004,112,384 bytes free

264 --- E O F --- 2009-03-02 22:14:17

Hello SAKATAR! I will take you on as a "patient". Early tomorrow morning I will write you instructions.

Good evening!

OK

Thanks in advance

Good night

1. Delete your ComboFix.

2. Download a new one from: here

3. Save it to the desktop.

4. Open Notepad and paste the following via copy/paste:

Killall::


File::

c:\windows\system32\drivers\57567480.sys

c:\windows\system\sshbx5.exe


Driver::

is-9LHA7drv


NetSvc::

aewosmymm


Dirlook::

c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}

C:\csscod

c:\windows\system32\bits


Registry::

[-HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bd8da4d-0449-11de-8f54-00138fa4c98a}]

Save the file under the name CFScript.txt and drag it onto ComboFix.

When the program finishes it will display the log file. Paste its contents here via Copy/Paste.

Besides the ComboFix log:

1. Download: HiJackThis

2. Install it.

3. Start HiJackThis

4. Click Open the Misc Tools section

5. Select Generate StartupList log

6. Copy the contents of the log and paste it here, together with the ComboFix one.

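The helper's CFScript above is built by hand from the ComboFix log: the odd name under the NetSvcs svchost group, the MountPoints2 autorun handlers pointing at a removable drive, and a driver with a purely numeric file name. The script below is an added example (not code from the thread, ComboFix or its author) that automates that triage: it parses log lines in the ComboFix format shown in this thread and emits a CFScript using the same directives the post uses (Killall::, File::, Driver::, NetSvc::, Registry::). Assumptions: the system drive is C:; the sample log is constructed from lines copied from the logs above, plus one constructed service line that pairs is-9LHA7drv with 57567480.sys (the thread's first log, where the helper found them, is not reproduced here). A driver whose file is missing (ComboFix prints `[?]`) is reported for review only, as the helper did with the leftover AVZ driver, not deleted.

```python
import re

NETSVCS_HEADER = "Svchost - NetSvcs"
MOUNTPOINT_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
MOUNTPOINT_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
# "S3 name;description;path [date size]"  or  "... [?]" when the file is absent
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[([^\]]*)\]$")
SYSTEM_DRIVE = "C:"  # assumption: the XP install in this thread lives on C:

# Constructed sample input: lines copied from the ComboFix logs in this thread,
# plus one constructed service line (is-9LHA7drv / 57567480.sys) for illustration.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aewosmymm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bd8da4d-0449-11de-8f54-00138fa4c98a}]
\Shell\AutoRun\command - I:\viewfiles.exe
\Shell\explore\command - I:\viewfiles.exe
\Shell\open\command - I:\viewfiles.exe

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2009-02-26 28672]
S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]
S3 is-9LHA7drv;is-9LHA7drv;c:\windows\system32\drivers\57567480.sys [2009-03-02 14848]
"""


def parse_log(text):
    """Return (netsvcs names, {mountpoints2 key: [(verb, target)]}, [service dicts])."""
    netsvcs, mountpoints, services = [], {}, []
    lines = [l.strip() for l in text.splitlines()]
    current_key, i = None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.endswith(NETSVCS_HEADER):
            # names follow the header one per line until the next blank line
            while i < len(lines) and lines[i]:
                netsvcs.append(lines[i])
                i += 1
            continue
        if not line:
            current_key = None
            continue
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current_key = m.group(1)
            mountpoints[current_key] = []
            continue
        m = MOUNTPOINT_CMD.match(line)
        if m and current_key:
            mountpoints[current_key].append((m.group(1), m.group(2)))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            path = m.group(4).split(" --> ")[-1]  # ComboFix shows "\??\x --> resolved x"
            services.append({"start": m.group(1), "name": m.group(2),
                             "path": path, "info": m.group(5)})
    return netsvcs, mountpoints, services


def triage(netsvcs, mountpoints, services):
    """Decide what goes into the CFScript and what is only reported."""
    findings = {"netsvc": list(netsvcs), "mountpoint": [], "driver": [], "review": []}
    # ComboFix prints only non-default NetSvcs members, so every name listed is
    # an injected svchost group entry (like aewosmymm above) and gets a NetSvc:: line.
    for key, cmds in mountpoints.items():
        # AutoRun/open/explore handlers pointing off the system drive: the
        # removable-media worm pattern (I:\viewfiles.exe in this thread)
        if any(not target.upper().startswith(SYSTEM_DRIVE) for _, target in cmds):
            findings["mountpoint"].append(key)
    for svc in services:
        stem = svc["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if svc["info"] == "?":
            # registered driver whose file is gone: stale entry, report only
            findings["review"].append(f"{svc['name']}: file missing ({svc['path']})")
        elif stem.isdigit():
            # purely numeric driver name: delete both the file and the service
            findings["driver"].append((svc["name"], svc["path"]))
    return findings


def build_cfscript(findings):
    """Emit a CFScript using the directives the helper's post uses."""
    parts = ["Killall::", ""]
    if findings["driver"]:
        parts += ["File::"] + [path for _, path in findings["driver"]] + [""]
        parts += ["Driver::"] + [name for name, _ in findings["driver"]] + [""]
    if findings["netsvc"]:
        parts += ["NetSvc::"] + findings["netsvc"] + [""]
    if findings["mountpoint"]:
        parts += ["Registry::"] + [f"[-{key}]" for key in findings["mountpoint"]] + [""]
    return "\n".join(parts).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = triage(*parse_log(SAMPLE_LOG))
    print(build_cfscript(found))
    for item in found["review"]:
        print("review only:", item)
```

Run it and compare the printed script with the one in the post above: it reproduces the NetSvc::, Registry:: and File::/Driver:: sections, while the Dirlook:: lines (directories the helper wanted listed, not deleted) remain a human decision.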

ComboFix

ComboFix 09-03-03.01 - SAKATA 2009-03-04 16:24:17.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1251.1.1033.18.1023.540 [GMT 2:00]

Running from: c:\documents and settings\SAKATA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SAKATA\Desktop\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\windows\system\sshbx5.exe

c:\windows\system32\drivers\57567480.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system\sshbx5.exe

c:\windows\system32\drivers\57567480.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IS-9LHA7DRV

-------\Service_is-9LHA7drv

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))

.

2009-03-02 21:25 . 2009-03-02 21:25 <DIR> d-------- C:\albundy

2009-03-02 06:14 . 2009-03-04 16:25 13,606,944 --ahs---- c:\windows\system32\drivers\fidbox.dat

2009-03-02 06:14 . 2009-03-04 16:26 161,576 --ahs---- c:\windows\system32\drivers\fidbox.idx

2009-03-02 03:24 . 2009-03-02 03:24 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Uniblue

2009-03-02 03:22 . 2009-03-02 03:22 <DIR> d-------- c:\program files\Uniblue

2009-03-02 03:22 . 2009-03-02 03:22 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}

2009-03-01 23:54 . 2008-12-21 01:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-03-01 23:54 . 2007-04-17 11:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-03-01 23:54 . 2007-03-08 07:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-03-01 23:54 . 2008-12-21 01:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-03-01 23:54 . 2008-12-21 01:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-03-01 23:54 . 2008-12-21 01:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-03-01 23:54 . 2008-12-21 01:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-03-01 23:54 . 2008-12-21 01:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-03-01 23:54 . 2008-12-19 11:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-03-01 23:49 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll

2009-03-01 23:26 . 2009-03-01 23:50 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-03-01 23:24 . 2009-01-16 21:35 3,594,752 -----c--- c:\windows\system32\dllcache\mshtml.dll

2009-03-01 23:22 . 2009-03-02 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

2009-03-01 23:22 . 2008-04-11 20:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-03-01 23:22 . 2008-05-01 16:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-03-01 23:21 . 2008-10-03 12:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d--hs---- c:\documents and settings\All Users\DRM

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users\Documents

2009-03-01 13:12 . 2004-08-04 09:56 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\provisioning

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\peernet

2009-03-01 13:10 . 2009-03-01 13:10 <DIR> d-------- c:\windows\ServicePackFiles

2009-03-01 13:05 . 2009-03-01 13:05 <DIR> d-------- c:\windows\EHome

2009-03-01 12:59 . 2009-03-01 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\SUPERAntiSpyware.com

2009-03-01 12:45 . 2009-03-01 12:45 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-01 12:45 . 2009-03-01 12:45 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-01 11:21 . 2009-03-01 11:21 <DIR> d-------- c:\windows\Sun

2009-03-01 11:21 . 2009-03-01 11:22 <DIR> d-------- c:\documents and settings\SAKATA\.housecall6.6

2009-03-01 11:20 . 2009-03-01 12:45 <DIR> d-------- c:\program files\Java

2009-03-01 11:19 . 2009-03-01 11:19 <DIR> d-------- c:\program files\Common Files\Java

2009-03-01 10:20 . 2009-03-01 12:43 <DIR> d-------- C:\csscod

2009-03-01 10:19 . 2009-03-01 10:19 <DIR> d-------- c:\program files\AhnLab

2009-03-01 07:57 . 2009-03-01 07:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-01 07:46 . 2009-03-01 07:46 <DIR> d-------- c:\program files\a-squared HiJackFree

2009-03-01 07:43 . 2009-03-01 07:43 <DIR> d-------- c:\documents and settings\SAKATA\DoctorWeb

2009-03-01 07:37 . 2009-03-02 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-01 07:37 . 2009-03-01 07:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks

2009-03-01 07:37 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users

2009-03-01 03:28 . 2009-03-01 03:28 <DIR> d-------- c:\program files\Avira GmbH

2009-02-28 23:22 . 2009-02-28 23:22 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Malwarebytes

2009-02-28 23:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 23:21 . 2009-03-01 12:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-28 23:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-28 21:51 . 2009-02-28 21:51 <DIR> d-------- c:\program files\Ashampoo

2009-02-28 21:51 . 2009-01-09 11:46 39,776 --a------ c:\windows\system32\DfSdkBt64.exe

2009-02-28 21:51 . 2009-01-09 11:46 33,632 --a------ c:\windows\system32\DfSdkBt.exe

2009-02-28 21:50 . 2009-02-28 21:50 <DIR> d-------- c:\program files\RegSupreme Pro

2009-02-28 21:50 . 2009-02-28 21:50 23 --a------ c:\windows\system32\adefecbccf9_d.ocx

2009-02-28 17:15 . 2004-01-10 07:11 26,112 --a------ c:\windows\system32\xpsp1hfm.exe

2009-02-28 03:55 . 2009-02-28 17:13 250 --a------ c:\windows\gmer.ini

2009-02-28 01:47 . 2009-02-28 01:47 <DIR> d-------- c:\program files\Trend Micro

2009-02-27 04:41 . 2009-02-27 04:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-27 03:42 . 2005-03-05 12:30 488,704 --a------ c:\windows\system\wodSSH.ocx

2009-02-27 03:42 . 2005-02-16 01:56 451,840 --a------ c:\windows\system\wodSSH.dll

2009-02-27 03:42 . 2009-02-14 16:03 36,864 --a------ c:\windows\system\tty1.exe

2009-02-27 03:42 . 2009-03-01 23:58 132 --a------ c:\windows\system\scanner.ini

2009-02-27 03:37 . 2009-02-27 03:37 197 --a------ c:\windows\system32\MRT.INI

2009-02-27 03:17 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img

2009-02-27 03:17 . 2004-08-04 00:56 11,776 --------- c:\windows\system32\spnpinst.exe

2009-02-27 03:17 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig

2009-02-27 03:17 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat

2009-02-27 03:02 . 2009-02-27 03:04 <DIR> d-------- c:\program files\PC Registry Cleaner

2009-02-27 03:02 . 2009-03-01 12:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-27 03:01 . 2009-02-27 03:01 <DIR> d-------- c:\program files\Internet Speed Tester

2009-02-27 02:55 . 2005-10-21 00:20 1,082,368 --a------ c:\windows\system32\esent.dll

2009-02-27 02:50 . 2009-03-03 00:14 <DIR> d--h----- c:\windows\$hf_mig$

2009-02-27 02:49 . 2009-02-27 02:49 <DIR> d-------- c:\windows\system32\bits

2009-02-27 02:49 . 2004-08-04 09:56 351,232 --a------ c:\windows\system32\winhttp.dll

2009-02-27 02:49 . 2004-08-04 09:56 18,944 --a------ c:\windows\system32\qmgrprxy.dll

2009-02-27 02:49 . 2004-08-04 09:56 8,192 --------- c:\windows\system32\bitsprx2.dll

2009-02-27 02:49 . 2004-08-04 09:56 7,168 --------- c:\windows\system32\bitsprx3.dll

2009-02-27 02:47 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll

2009-02-27 02:47 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll

2009-02-27 02:47 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl

2009-02-27 02:47 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll

2009-02-27 02:47 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll

2009-02-27 02:47 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

2009-02-27 02:42 . 2009-02-27 02:42 <DIR> d-------- c:\program files\Winamp Toolbar

2009-02-27 01:53 . 2009-02-27 01:56 86,774 --a------ C:\_crash.dmp

2009-02-27 01:53 . 2009-02-27 01:56 37,987 --a------ C:\report.zip

2009-02-27 01:50 . 2009-02-27 01:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-27 01:49 . 2009-02-27 01:49 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-02-27 01:48 . 2009-02-27 01:48 <DIR> d-------- c:\program files\Stamina

2009-02-27 01:47 . 2009-02-27 01:47 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\DivX

2009-02-27 01:35 . 2009-02-27 01:35 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS

2009-02-27 01:33 . 2009-02-27 03:37 <DIR> d-------- c:\program files\Repair Registry Pro

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\Common Files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\AskSearch

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\AskBarDis

2009-02-27 01:20 . 2009-02-27 01:20 <DIR> d-------- c:\program files\Winamp Remote

2009-02-27 01:20 . 2009-03-01 14:21 316,640 --a------ c:\windows\WMSysPr9.prx

2009-02-27 01:18 . 2009-02-27 02:42 <DIR> d-------- c:\program files\Winamp

2009-02-27 01:18 . 2009-02-27 01:26 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Winamp

2009-02-27 01:16 . 2009-02-27 01:16 <DIR> d-------- c:\program files\SA Dictionary 2008 Beta 4

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\program files\RapidTyping

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\RapidTyping

2009-02-27 01:14 . 2009-02-27 05:19 <DIR> d-------- c:\program files\DivX

2009-02-27 01:13 . 2009-02-27 01:14 <DIR> d-------- c:\program files\DirectX Nov 2008 Setup Redist 6.0.2800.1106

2009-02-27 01:12 . 2009-02-27 01:12 <DIR> d-------- c:\program files\DC++

2009-02-27 01:11 . 2009-02-27 01:11 <DIR> d-------- c:\program files\Webteh

2009-02-27 01:11 . 2009-02-27 02:39 <DIR> d-------- c:\program files\BS.Player ControlBar

2009-02-27 01:10 . 2009-02-28 21:15 <DIR> d-------- c:\program files\CometBird

2009-02-27 01:10 . 2009-02-27 01:10 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\CometNetwork

2009-02-27 01:10 . 2009-02-27 01:10 0 --a------ c:\windows\nsreg.dat

2009-02-27 01:09 . 2009-03-04 16:08 <DIR> d-------- c:\program files\BitComet

2009-02-27 01:09 . 2009-03-02 06:08 <DIR> d-------- C:\Downloads

2009-02-27 01:08 . 2009-02-27 01:08 <DIR> d-------- c:\windows\system32\Adobe

2009-02-27 01:08 . 2009-01-16 18:34 499,712 --a------ c:\windows\system32\msvcp71.dll

2009-02-27 01:08 . 2009-01-16 18:34 348,160 --a------ c:\windows\system32\msvcr71.dll

2009-02-27 01:05 . 2009-02-27 01:05 <DIR> d-------- c:\program files\Common Files\Adobe

2009-02-26 23:08 . 2009-02-26 23:08 <DIR> d---s---- c:\documents and settings\SAKATA\UserData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-04 14:23 --------- d-----w c:\documents and settings\SAKATA\Application Data\Skype

2009-03-04 14:00 --------- d-----w c:\documents and settings\SAKATA\Application Data\skypePM

2009-03-01 01:28 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-26 21:20 --------- d-----w c:\program files\Skype

2009-02-26 21:20 --------- d-----w c:\program files\Google

2009-02-26 21:20 --------- d-----w c:\program files\Common Files\Skype

2009-02-26 20:57 --------- d-----w c:\program files\VDOTool

2009-02-26 20:55 --------- d-----w c:\program files\KWorld Multimedia

2009-02-26 20:49 --------- d-----w c:\program files\Realtek

2009-02-26 20:49 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-26 20:38 --------- d-----w c:\program files\microsoft frontpage

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\csscod ----

2009-03-01 12:43 182 --a------ c:\csscod\product.ini

2009-03-01 10:27 2325 --a------ c:\csscod\uninst.inf

2009-01-28 09:57 15772909 --a------ c:\csscod\sign2.def

2009-01-28 02:21 562108 --a------ c:\csscod\macro.def

2009-01-28 02:20 1214426 --a------ c:\csscod\sign.def

2008-06-12 12:15 541992 --a------ c:\csscod\cod.dll

2008-06-12 12:15 300328 --a------ c:\csscod\cssav.dll

2008-06-12 12:15 11560 --a------ c:\csscod\codlng.dll

2008-06-01 15:55 754992 --a------ c:\csscod\csscan32.dll

2008-06-01 15:55 161072 --a------ c:\csscod\css3rde.dll

2006-12-01 22:56 465 --a------ c:\csscod\Microsoft.VC80.ATL.manifest

2006-12-01 22:05 96256 --a------ c:\csscod\atl80.dll

2005-03-16 16:42 22167 --a------ c:\csscod\english.tx2

2005-03-16 16:42 22167 --a------ c:\csscod\english.tx1

---- Directory of c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F} ----

2009-03-02 03:24 304 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\Uniblue RegistryBooster.dat

2009-03-02 03:22 1627 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\Uniblue RegistryBooster.par

2009-03-02 03:22 110 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\instance.dat

2009-03-02 03:22 0 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}

2009-03-02 03:22 0 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\OFFLINE\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}

2009-03-02 03:22 0 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\{E63E34A7-E552-412B-9E40-FD6FC5227ABA}

2009-02-19 19:09 580217 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\mia.lib

2009-02-19 19:09 267776 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\Uniblue RegistryBooster.msi

2009-02-19 19:09 2567882 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\Uniblue RegistryBooster.exe

2009-02-19 19:09 2195093 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\Uniblue RegistryBooster.res

2008-09-09 12:15 99624 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\737E8CBA\1A53571A\StartRegistryBooster.exe

2008-09-09 12:15 2019624 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\76675DCD\1A53571A\RegistryBooster.exe

2008-09-09 12:12 757760 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\D2BBF044\1A53571A\UBVarRB.dll

2008-09-09 12:12 6676480 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\5110AAE1\1A53571A\RegistryBooster.dll

2008-09-09 12:12 497496 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\EAF13417\1A53571A\XceedZip.dll

2008-09-09 12:12 46186 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\656686D8\1A53571A\IniFile.ini

2008-09-09 12:12 413696 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\E7D3090A\1A53571A\update.dll

2008-09-09 12:12 106496 --a--c--- c:\documents and settings\All Users\Application Data\{EC0615F3-39C5-40A5-9C90-EABA4ACA5B7F}\registrybooster2\78BB0687\1A53571A\KillRBProcess.exe

---- Directory of c:\windows\system32\bits ----

2004-07-02 00:08 361984 --------- c:\windows\system32\bits\qmgr.dll

((((((((((((((((((((((((((((( SnapShot@2009-03-03_21.21.35,93 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2009-03-04 14:26:44 16,384 ----atw c:\windows\temp\Perflib_Perfdata_74c.dat

+ 2009-03-04 14:27:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_81c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-02-26 171448]

"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]

"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-25 507904]

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-08-04 1667584]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-09-09 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TBPanel"="c:\program files\VDOTool\TBPanel.exe" [2008-01-09 2169384]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-01-09 13508608]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-01-09 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-01-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\SAKATA\Start Menu\Programs\Startup\

is-9LHA7.lnk - c:\documents and settings\SAKATA\Desktop\New Folder\gfhgfhgfhfghfghgfhgfhfghf\Virus Removal Tool\is-9LHA7\startup.exe [2009-03-02 65536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7246:TCP"= 7246:TCP:BitComet 7246 TCP

"7246:UDP"= 7246:UDP:BitComet 7246 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2009-02-26 672128]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2009-02-26 28672]

S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009-02-28 410976]

S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]

S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-02-27 234888]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)

URLSearchHooks-{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bsplayer-search.com/startpage

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: &Winamp Search

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12}

FF - ProfilePath - c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Winamp Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

FF - component: c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-04 16:26:52

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-03-04 16:29:03 - machine was rebooted [sAKATA]

ComboFix-quarantined-files.txt 2009-03-04 14:29:00

ComboFix2.txt 2009-03-03 19:31:19

ComboFix3.txt 2009-03-03 19:22:20

Pre-Run: 72,024,150,016 bytes free

Post-Run: 71,971,004,416 bytes free

314 --- E O F --- 2009-03-02 22:14:17

HijackThis

StartupList report, 2009-03-04, 16:40:08

StartupList version: 1.52.2

Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v7.00 (7.00.6000.16791)

* Using default options

==================================================

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\windows\System32\nvsvc32.exe

C:\windows\system32\wscntfy.exe

C:\windows\RTHDCPL.EXE

C:\Program Files\VDOTool\TBPanel.exe

C:\windows\system32\RUNDLL32.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\Winamp Remote\bin\OrbTray.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\windows\system32\wuauclt.exe

C:\windows\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:

[C:\Documents and Settings\SAKATA\Start Menu\Programs\Startup]

is-9LHA7.lnk = C:\Documents and Settings\SAKATA\Desktop\New Folder\gfhgfhgfhfghfghgfhgfhfghf\Virus Removal Tool\is-9LHA7\startup.exe

Shell folders Common Startup:

[]

ComboFix.txt

IO.SYS

MSDOS.SYS

NTDETECT.COM

ntldr

pagefile.sys

report.zip

_crash.dmp

_crash.log

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RTHDCPL = RTHDCPL.EXE

TBPanel = C:\Program Files\VDOTool\TBPanel.exe /A

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

WinampAgent = "C:\Program Files\Winamp\winampa.exe"

SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\windows\system32\ctfmon.exe

Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

BitComet = "C:\Program Files\BitComet\BitComet.exe" /tray

Orb = "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

MSMSGS = "C:\Program Files\Messenger\MSMSGS.EXE" /background

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Uniblue RegistryBooster 2009 = C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]

=

--------------------------------------------------

Shell & screensaver key from C:\windows\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}

Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

Winamp Toolbar Loader - C:\Program Files\Winamp Toolbar\winamptb.dll - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}

BitComet ClickCapture - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]

InProcServer32 = C:\WINDOWS\System32\wuweb.dll

CODEBASE = http://www.update.microsoft.com/windowsupd...b?1235695592343

[AhnASP Control]

InProcServer32 = C:\PROGRA~1\AhnLab\ASP\COMPON~1\AhnASP\AhnASP.ocx

CODEBASE = http://aspglobal.ahnlab.com/asp/cab/AhnASP.cab

[{6CCE3920-3183-4B3D-808A-B12EB769DE12}]

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash10b.ocx

CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\windows\system32\SHELL32.dll

CDBurn: C:\windows\system32\SHELL32.dll

WebCheck: C:\windows\system32\webcheck.dll

SysTray: C:\windows\system32\stobject.dll

--------------------------------------------------

End of report, 6,668 bytes

Report generated in 0.031 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

Edited by SAKATAR

Go to Start -> Settings -> Control Panel -> Add or Remove Programs and uninstall:

Uniblue RegistryBooster 2009

Winamp Toolbar

AskT toolbar

Then:

1. Delete your copy of ComboFix.

2. Download a fresh one from: here

3. Save it to the desktop.

4. Open Start -> Run...

5. Type the command:

"%userprofile%\desktop\combofix.exe" /killall

6. When the program finishes, Notepad will open; copy its contents and paste them in your next post here.

Edited by Fixer

ComboFix 09-03-03.01 - SAKATA 2009-03-04 21:12:19.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1251.1.1033.18.1023.773 [GMT 2:00]

Running from: c:\documents and settings\SAKATA\desktop\combofix.exe

Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))

.

2009-03-02 21:25 . 2009-03-02 21:25 <DIR> d-------- C:\albundy

2009-03-02 06:14 . 2009-03-04 16:25 13,606,944 --ahs---- c:\windows\system32\drivers\fidbox.dat

2009-03-02 06:14 . 2009-03-04 16:26 161,576 --ahs---- c:\windows\system32\drivers\fidbox.idx

2009-03-02 03:24 . 2009-03-02 03:24 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Uniblue

2009-03-01 23:54 . 2008-12-21 01:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-03-01 23:54 . 2007-04-17 11:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-03-01 23:54 . 2007-03-08 07:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-03-01 23:54 . 2008-12-21 01:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-03-01 23:54 . 2008-12-21 01:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-03-01 23:54 . 2008-12-21 01:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-03-01 23:54 . 2008-12-21 01:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-03-01 23:54 . 2008-12-21 01:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-03-01 23:54 . 2008-12-19 11:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-03-01 23:49 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll

2009-03-01 23:26 . 2009-03-01 23:50 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-03-01 23:24 . 2009-01-16 21:35 3,594,752 -----c--- c:\windows\system32\dllcache\mshtml.dll

2009-03-01 23:22 . 2009-03-02 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

2009-03-01 23:22 . 2008-04-11 20:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-03-01 23:22 . 2008-05-01 16:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-03-01 23:21 . 2008-10-03 12:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d--hs---- c:\documents and settings\All Users\DRM

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users\Documents

2009-03-01 13:12 . 2004-08-04 09:56 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\provisioning

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\peernet

2009-03-01 13:10 . 2009-03-01 13:10 <DIR> d-------- c:\windows\ServicePackFiles

2009-03-01 13:05 . 2009-03-01 13:05 <DIR> d-------- c:\windows\EHome

2009-03-01 12:59 . 2009-03-01 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\SUPERAntiSpyware.com

2009-03-01 12:45 . 2009-03-01 12:45 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-01 12:45 . 2009-03-01 12:45 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-01 11:21 . 2009-03-01 11:21 <DIR> d-------- c:\windows\Sun

2009-03-01 11:21 . 2009-03-01 11:22 <DIR> d-------- c:\documents and settings\SAKATA\.housecall6.6

2009-03-01 11:20 . 2009-03-01 12:45 <DIR> d-------- c:\program files\Java

2009-03-01 11:19 . 2009-03-01 11:19 <DIR> d-------- c:\program files\Common Files\Java

2009-03-01 10:20 . 2009-03-01 12:43 <DIR> d-------- C:\csscod

2009-03-01 10:19 . 2009-03-01 10:19 <DIR> d-------- c:\program files\AhnLab

2009-03-01 07:57 . 2009-03-01 07:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-01 07:46 . 2009-03-01 07:46 <DIR> d-------- c:\program files\a-squared HiJackFree

2009-03-01 07:43 . 2009-03-04 20:21 <DIR> d-------- c:\documents and settings\SAKATA\DoctorWeb

2009-03-01 07:37 . 2009-03-02 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-01 07:37 . 2009-03-01 07:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks

2009-03-01 07:37 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users

2009-03-01 03:28 . 2009-03-01 03:28 <DIR> d-------- c:\program files\Avira GmbH

2009-02-28 23:22 . 2009-02-28 23:22 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Malwarebytes

2009-02-28 23:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 23:21 . 2009-03-01 12:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-28 23:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-28 21:51 . 2009-02-28 21:51 <DIR> d-------- c:\program files\Ashampoo

2009-02-28 21:51 . 2009-01-09 11:46 39,776 --a------ c:\windows\system32\DfSdkBt64.exe

2009-02-28 21:51 . 2009-01-09 11:46 33,632 --a------ c:\windows\system32\DfSdkBt.exe

2009-02-28 21:50 . 2009-02-28 21:50 <DIR> d-------- c:\program files\RegSupreme Pro

2009-02-28 21:50 . 2009-02-28 21:50 23 --a------ c:\windows\system32\adefecbccf9_d.ocx

2009-02-28 17:15 . 2004-01-10 07:11 26,112 --a------ c:\windows\system32\xpsp1hfm.exe

2009-02-28 03:55 . 2009-02-28 17:13 250 --a------ c:\windows\gmer.ini

2009-02-28 01:47 . 2009-02-28 01:47 <DIR> d-------- c:\program files\Trend Micro

2009-02-27 04:41 . 2009-02-27 04:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-27 03:42 . 2005-03-05 12:30 488,704 --a------ c:\windows\system\wodSSH.ocx

2009-02-27 03:42 . 2005-02-16 01:56 451,840 --a------ c:\windows\system\wodSSH.dll

2009-02-27 03:42 . 2009-02-14 16:03 36,864 --a------ c:\windows\system\tty1.exe

2009-02-27 03:42 . 2009-03-01 23:58 132 --a------ c:\windows\system\scanner.ini

2009-02-27 03:37 . 2009-02-27 03:37 197 --a------ c:\windows\system32\MRT.INI

2009-02-27 03:17 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img

2009-02-27 03:17 . 2004-08-04 00:56 11,776 --------- c:\windows\system32\spnpinst.exe

2009-02-27 03:17 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig

2009-02-27 03:17 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat

2009-02-27 03:02 . 2009-02-27 03:04 <DIR> d-------- c:\program files\PC Registry Cleaner

2009-02-27 03:02 . 2009-03-01 12:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-27 03:01 . 2009-02-27 03:01 <DIR> d-------- c:\program files\Internet Speed Tester

2009-02-27 02:55 . 2005-10-21 00:20 1,082,368 --a------ c:\windows\system32\esent.dll

2009-02-27 02:50 . 2009-03-03 00:14 <DIR> d--h----- c:\windows\$hf_mig$

2009-02-27 02:49 . 2009-02-27 02:49 <DIR> d-------- c:\windows\system32\bits

2009-02-27 02:49 . 2004-08-04 09:56 351,232 --a------ c:\windows\system32\winhttp.dll

2009-02-27 02:49 . 2004-08-04 09:56 18,944 --a------ c:\windows\system32\qmgrprxy.dll

2009-02-27 02:49 . 2004-08-04 09:56 8,192 --------- c:\windows\system32\bitsprx2.dll

2009-02-27 02:49 . 2004-08-04 09:56 7,168 --------- c:\windows\system32\bitsprx3.dll

2009-02-27 02:47 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll

2009-02-27 02:47 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll

2009-02-27 02:47 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl

2009-02-27 02:47 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll

2009-02-27 02:47 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll

2009-02-27 02:47 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

2009-02-27 01:53 . 2009-02-27 01:56 86,774 --a------ C:\_crash.dmp

2009-02-27 01:53 . 2009-02-27 01:56 37,987 --a------ C:\report.zip

2009-02-27 01:50 . 2009-02-27 01:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-27 01:49 . 2009-02-27 01:49 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-02-27 01:48 . 2009-02-27 01:48 <DIR> d-------- c:\program files\Stamina

2009-02-27 01:47 . 2009-02-27 01:47 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\DivX

2009-02-27 01:35 . 2009-02-27 01:35 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS

2009-02-27 01:33 . 2009-02-27 03:37 <DIR> d-------- c:\program files\Repair Registry Pro

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\Common Files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\AskSearch

2009-02-27 01:20 . 2009-02-27 01:20 <DIR> d-------- c:\program files\Winamp Remote

2009-02-27 01:20 . 2009-03-01 14:21 316,640 --a------ c:\windows\WMSysPr9.prx

2009-02-27 01:18 . 2009-02-27 02:42 <DIR> d-------- c:\program files\Winamp

2009-02-27 01:18 . 2009-02-27 01:26 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Winamp

2009-02-27 01:16 . 2009-02-27 01:16 <DIR> d-------- c:\program files\SA Dictionary 2008 Beta 4

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\program files\RapidTyping

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\RapidTyping

2009-02-27 01:14 . 2009-02-27 05:19 <DIR> d-------- c:\program files\DivX

2009-02-27 01:13 . 2009-02-27 01:14 <DIR> d-------- c:\program files\DirectX Nov 2008 Setup Redist 6.0.2800.1106

2009-02-27 01:12 . 2009-02-27 01:12 <DIR> d-------- c:\program files\DC++

2009-02-27 01:11 . 2009-02-27 01:11 <DIR> d-------- c:\program files\Webteh

2009-02-27 01:11 . 2009-02-27 02:39 <DIR> d-------- c:\program files\BS.Player ControlBar

2009-02-27 01:10 . 2009-02-28 21:15 <DIR> d-------- c:\program files\CometBird

2009-02-27 01:10 . 2009-02-27 01:10 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\CometNetwork

2009-02-27 01:10 . 2009-02-27 01:10 0 --a------ c:\windows\nsreg.dat

2009-02-27 01:09 . 2009-03-04 17:21 <DIR> d-------- c:\program files\BitComet

2009-02-27 01:09 . 2009-03-02 06:08 <DIR> d-------- C:\Downloads

2009-02-27 01:08 . 2009-02-27 01:08 <DIR> d-------- c:\windows\system32\Adobe

2009-02-27 01:08 . 2009-01-16 18:34 499,712 --a------ c:\windows\system32\msvcp71.dll

2009-02-27 01:08 . 2009-01-16 18:34 348,160 --a------ c:\windows\system32\msvcr71.dll

2009-02-27 01:05 . 2009-02-27 01:05 <DIR> d-------- c:\program files\Common Files\Adobe

2009-02-26 23:08 . 2009-02-26 23:08 <DIR> d---s---- c:\documents and settings\SAKATA\UserData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-04 19:02 --------- d-----w c:\documents and settings\SAKATA\Application Data\skypePM

2009-03-04 19:02 --------- d-----w c:\documents and settings\SAKATA\Application Data\Skype

2009-03-01 01:28 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-26 21:20 --------- d-----w c:\program files\Skype

2009-02-26 21:20 --------- d-----w c:\program files\Google

2009-02-26 21:20 --------- d-----w c:\program files\Common Files\Skype

2009-02-26 20:57 --------- d-----w c:\program files\VDOTool

2009-02-26 20:55 --------- d-----w c:\program files\KWorld Multimedia

2009-02-26 20:49 --------- d-----w c:\program files\Realtek

2009-02-26 20:49 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-26 20:38 --------- d-----w c:\program files\microsoft frontpage

.

((((((((((((((((((((((((((((( SnapShot@2009-03-03_21.21.35,93 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2009-03-04 19:14:25 16,384 ----atw c:\windows\temp\Perflib_Perfdata_724.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-02-26 171448]

"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]

"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-25 507904]

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-08-04 1667584]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TBPanel"="c:\program files\VDOTool\TBPanel.exe" [2008-01-09 2169384]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-01-09 13508608]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-01-09 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-01-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\SAKATA\Start Menu\Programs\Startup\

is-9LHA7.lnk - c:\documents and settings\SAKATA\Desktop\New Folder\Program - Folders\Virus Removal Tool\is-9LHA7\startup.exe [2009-03-02 65536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7246:TCP"= 7246:TCP:BitComet 7246 TCP

"7246:UDP"= 7246:UDP:BitComet 7246 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2009-02-26 672128]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2009-02-26 28672]

S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009-02-28 410976]

S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bsplayer-search.com/startpage

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Winamp Search

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12}

FF - ProfilePath - c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Winamp Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

FF - component: c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-04 21:14:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-03-04 21:16:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-04 19:16:51

ComboFix2.txt 2009-03-04 19:09:28

ComboFix3.txt 2009-03-04 14:29:04

ComboFix4.txt 2009-03-03 19:31:19

ComboFix5.txt 2009-03-04 19:12:01

Pre-Run: 71,680,860,160 bytes free

Post-Run: 71,668,027,392 bytes free

249 --- E O F --- 2009-03-02 22:14:17
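A way to triage output like the StartupList dump and the ComboFix "Reg Loading Points" / "Supplementary Scan" sections posted above, as an added example (it is not part of the thread and not code from ComboFix, StartupList or any other tool named here): it parses Run-key values, Startup-folder shortcuts and the start page / search URL lines, and flags autorun targets that live outside Windows and Program Files together with start/search settings that point at a host outside a small allowlist. The sample log is constructed in the shape of the log above (not a copy of the poster's), and TRUSTED_PREFIXES and ALLOWED_HOSTS are my assumptions; a flagged line is a candidate for review, not a verdict, since legitimate software does sometimes autorun from a user profile.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (not from the thread): where autorun targets are expected to
# live, and which hosts a start/search page may point at. Anything else is
# flagged for review, which is not the same as calling it malware.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
ALLOWED_HOSTS = {"www.google.com", "www.google.bg", "www.microsoft.com"}

# "Name"="path" [date size]   or   "Name"="bare.exe" [date resolved\path]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# shortcut.lnk - target\path.exe [date size]   (Startup-folder shortcuts)
LNK_ENTRY = re.compile(r'^(?P<name>\S+\.lnk) - (?P<path>.+?) \[[^\]]*\]\s*$')
# key = hxxp://host/...   or   FF - prefs.js: key - hxxp://host/...
URL_LINE = re.compile(r'^(?P<key>.+?)\s[=-]\s(?:hxxps?|https?)://(?P<host>[^/\s?]+)')


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun" or "browser"
    name: str    # Run value name, .lnk file name, or setting key
    detail: str


def resolve_path(path: str, meta: str) -> str:
    """ComboFix prints some Run values as a bare file name and puts the
    resolved location after the date inside the brackets; prefer that."""
    parts = meta.split(" ", 1)
    if len(parts) == 2 and "\\" in parts[1]:
        return parts[1]
    return path


def check_autorun(name: str, path: str) -> Optional[Finding]:
    """Flag an autorun target that does not live under a trusted prefix
    (user profile, Desktop, Temp, drive root, relative names...)."""
    if path.lower().startswith(TRUSTED_PREFIXES):
        return None
    return Finding("autorun", name, f"target outside Windows/Program Files: {path}")


def check_browser(key: str, host: str) -> Optional[Finding]:
    """Flag a start page / search URL whose host is not on the allowlist."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return None
    return Finding("browser", key, f"start/search setting points to {host}")


def triage(log_text: str) -> List[Finding]:
    """Run the checks over every line of a ComboFix-style log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_ENTRY.match(line):
            f = check_autorun(m["name"], resolve_path(m["path"], m["meta"]))
        elif m := LNK_ENTRY.match(line):
            f = check_autorun(m["name"], m["path"])
        elif m := URL_LINE.match(line):
            f = check_browser(m["key"].strip(), m["host"])
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample in the shape of the log sections above (not a copy of
# the poster's log): two clean Run values, a bare-name value, one value and
# one Startup shortcut living in the user profile, and four browser settings.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
"updater"="c:\documents and settings\user\Application Data\svc\upd.exe" [2009-03-01 40960]
c:\documents and settings\user\Start Menu\Programs\Startup\
is-9LHA7.lnk - c:\documents and settings\user\Desktop\New Folder\tool\startup.exe [2009-03-02 65536]
uStart Page = hxxp://www.bsplayer-search.com/startpage
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

Run against the sample, the two trusted Run values and the bare-name RTHDCPL entry pass, while the Application Data value, the Desktop shortcut and the two non-allowlisted search/start URLs are listed for review. The same checks apply to a pasted StartupList dump once its `Name = path` lines are fed through the same regexes.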

Uninstall this program:

Repair Registry Pro

Then:

Open Notepad and paste the following via copy/paste:

Killall::


File::

c:\windows\ERDNT\subs\ERDNT.EXE


Folder::

c:\documents and settings\SAKATA\Desktop\New Folder\

Save the file under the name CFScript.txt and drag it onto ComboFix.

When the program finishes it will display the log file. Copy/paste its contents here.

Edited by Fixer

Slow, slower, slower still... - the slowest, and even that is hypothetical. And when will it be the turn of a clean start? I don't wish to be ironic with anyone - I'm simply urging you to think all of this through from another angle: why do you keep wondering how to restore some damaged OS!? It is more correct to recreate it from scratch and prevent new probable holes! You gain not only time.... Think it over... Regards

I moved the New Folder folder to my portable hard drive, because I reinstalled recently and that's where my songs, pictures, some installation files, etc. are.

ComboFix 09-03-03.01 - SAKATA 2009-03-04 21:52:17.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1251.1.1033.18.1023.694 [GMT 2:00]

Running from: c:\documents and settings\SAKATA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SAKATA\Desktop\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\windows\ERDNT\subs\ERDNT.EXE

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\ERDNT\subs\ERDNT.EXE

.

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))

.

2009-03-02 21:25 . 2009-03-02 21:25 <DIR> d-------- C:\albundy

2009-03-02 06:14 . 2009-03-04 16:25 13,606,944 --ahs---- c:\windows\system32\drivers\fidbox.dat

2009-03-02 06:14 . 2009-03-04 16:26 161,576 --ahs---- c:\windows\system32\drivers\fidbox.idx

2009-03-02 03:24 . 2009-03-02 03:24 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Uniblue

2009-03-01 23:54 . 2008-12-21 01:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-03-01 23:54 . 2007-04-17 11:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-03-01 23:54 . 2007-03-08 07:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-03-01 23:54 . 2008-12-21 01:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-03-01 23:54 . 2008-12-21 01:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-03-01 23:54 . 2008-12-21 01:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-03-01 23:54 . 2008-12-21 01:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-03-01 23:54 . 2008-12-21 01:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-03-01 23:54 . 2008-12-19 11:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-03-01 23:49 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll

2009-03-01 23:26 . 2009-03-01 23:50 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-03-01 23:24 . 2009-01-16 21:35 3,594,752 -----c--- c:\windows\system32\dllcache\mshtml.dll

2009-03-01 23:22 . 2009-03-02 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

2009-03-01 23:22 . 2008-04-11 20:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-03-01 23:22 . 2008-05-01 16:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-03-01 23:21 . 2008-10-03 12:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d--hs---- c:\documents and settings\All Users\DRM

2009-03-01 13:12 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users\Documents

2009-03-01 13:12 . 2004-08-04 09:56 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\provisioning

2009-03-01 13:11 . 2009-03-01 13:11 <DIR> d-------- c:\windows\peernet

2009-03-01 13:10 . 2009-03-01 13:10 <DIR> d-------- c:\windows\ServicePackFiles

2009-03-01 13:05 . 2009-03-01 13:05 <DIR> d-------- c:\windows\EHome

2009-03-01 12:59 . 2009-03-01 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-01 12:58 . 2009-03-01 12:58 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\SUPERAntiSpyware.com

2009-03-01 12:45 . 2009-03-01 12:45 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-01 12:45 . 2009-03-01 12:45 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-01 11:21 . 2009-03-01 11:21 <DIR> d-------- c:\windows\Sun

2009-03-01 11:21 . 2009-03-01 11:22 <DIR> d-------- c:\documents and settings\SAKATA\.housecall6.6

2009-03-01 11:20 . 2009-03-01 12:45 <DIR> d-------- c:\program files\Java

2009-03-01 11:19 . 2009-03-01 11:19 <DIR> d-------- c:\program files\Common Files\Java

2009-03-01 10:20 . 2009-03-01 12:43 <DIR> d-------- C:\csscod

2009-03-01 10:19 . 2009-03-01 10:19 <DIR> d-------- c:\program files\AhnLab

2009-03-01 07:57 . 2009-03-01 07:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-01 07:46 . 2009-03-01 07:46 <DIR> d-------- c:\program files\a-squared HiJackFree

2009-03-01 07:43 . 2009-03-04 20:21 <DIR> d-------- c:\documents and settings\SAKATA\DoctorWeb

2009-03-01 07:37 . 2009-03-02 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-01 07:37 . 2009-03-01 07:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks

2009-03-01 07:37 . 2009-03-01 13:12 <DIR> d-------- c:\documents and settings\All Users

2009-03-01 03:28 . 2009-03-01 03:28 <DIR> d-------- c:\program files\Avira GmbH

2009-02-28 23:22 . 2009-02-28 23:22 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Malwarebytes

2009-02-28 23:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 23:21 . 2009-03-01 12:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-28 23:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-28 21:51 . 2009-02-28 21:51 <DIR> d-------- c:\program files\Ashampoo

2009-02-28 21:51 . 2009-01-09 11:46 39,776 --a------ c:\windows\system32\DfSdkBt64.exe

2009-02-28 21:51 . 2009-01-09 11:46 33,632 --a------ c:\windows\system32\DfSdkBt.exe

2009-02-28 21:50 . 2009-02-28 21:50 <DIR> d-------- c:\program files\RegSupreme Pro

2009-02-28 21:50 . 2009-02-28 21:50 23 --a------ c:\windows\system32\adefecbccf9_d.ocx

2009-02-28 17:15 . 2004-01-10 07:11 26,112 --a------ c:\windows\system32\xpsp1hfm.exe

2009-02-28 03:55 . 2009-02-28 17:13 250 --a------ c:\windows\gmer.ini

2009-02-28 01:47 . 2009-02-28 01:47 <DIR> d-------- c:\program files\Trend Micro

2009-02-27 04:41 . 2009-02-27 04:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-27 03:42 . 2005-03-05 12:30 488,704 --a------ c:\windows\system\wodSSH.ocx

2009-02-27 03:42 . 2005-02-16 01:56 451,840 --a------ c:\windows\system\wodSSH.dll

2009-02-27 03:42 . 2009-02-14 16:03 36,864 --a------ c:\windows\system\tty1.exe

2009-02-27 03:42 . 2009-03-01 23:58 132 --a------ c:\windows\system\scanner.ini

2009-02-27 03:37 . 2009-02-27 03:37 197 --a------ c:\windows\system32\MRT.INI

2009-02-27 03:17 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img

2009-02-27 03:17 . 2004-08-04 00:56 11,776 --------- c:\windows\system32\spnpinst.exe

2009-02-27 03:17 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig

2009-02-27 03:17 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat

2009-02-27 03:02 . 2009-02-27 03:04 <DIR> d-------- c:\program files\PC Registry Cleaner

2009-02-27 03:02 . 2009-03-01 12:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-27 03:01 . 2009-02-27 03:01 <DIR> d-------- c:\program files\Internet Speed Tester

2009-02-27 02:55 . 2005-10-21 00:20 1,082,368 --a------ c:\windows\system32\esent.dll

2009-02-27 02:50 . 2009-03-03 00:14 <DIR> d--h----- c:\windows\$hf_mig$

2009-02-27 02:49 . 2009-02-27 02:49 <DIR> d-------- c:\windows\system32\bits

2009-02-27 02:49 . 2004-08-04 09:56 351,232 --a------ c:\windows\system32\winhttp.dll

2009-02-27 02:49 . 2004-08-04 09:56 18,944 --a------ c:\windows\system32\qmgrprxy.dll

2009-02-27 02:49 . 2004-08-04 09:56 8,192 --------- c:\windows\system32\bitsprx2.dll

2009-02-27 02:49 . 2004-08-04 09:56 7,168 --------- c:\windows\system32\bitsprx3.dll

2009-02-27 02:47 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll

2009-02-27 02:47 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll

2009-02-27 02:47 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl

2009-02-27 02:47 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll

2009-02-27 02:47 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll

2009-02-27 02:47 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui

2009-02-27 02:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-02-27 02:47 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

2009-02-27 01:53 . 2009-02-27 01:56 86,774 --a------ C:\_crash.dmp

2009-02-27 01:53 . 2009-02-27 01:56 37,987 --a------ C:\report.zip

2009-02-27 01:50 . 2009-02-27 01:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-27 01:49 . 2009-02-27 01:49 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-02-27 01:48 . 2009-02-27 01:48 <DIR> d-------- c:\program files\Stamina

2009-02-27 01:47 . 2009-02-27 01:47 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\DivX

2009-02-27 01:35 . 2009-02-27 01:35 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\Common Files\DFX

2009-02-27 01:27 . 2009-02-27 01:27 <DIR> d-------- c:\program files\AskSearch

2009-02-27 01:20 . 2009-02-27 01:20 <DIR> d-------- c:\program files\Winamp Remote

2009-02-27 01:20 . 2009-03-01 14:21 316,640 --a------ c:\windows\WMSysPr9.prx

2009-02-27 01:18 . 2009-02-27 02:42 <DIR> d-------- c:\program files\Winamp

2009-02-27 01:18 . 2009-02-27 01:26 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\Winamp

2009-02-27 01:16 . 2009-02-27 01:16 <DIR> d-------- c:\program files\SA Dictionary 2008 Beta 4

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\program files\RapidTyping

2009-02-27 01:15 . 2009-02-27 01:15 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\RapidTyping

2009-02-27 01:14 . 2009-02-27 05:19 <DIR> d-------- c:\program files\DivX

2009-02-27 01:13 . 2009-02-27 01:14 <DIR> d-------- c:\program files\DirectX Nov 2008 Setup Redist 6.0.2800.1106

2009-02-27 01:12 . 2009-02-27 01:12 <DIR> d-------- c:\program files\DC++

2009-02-27 01:11 . 2009-02-27 01:11 <DIR> d-------- c:\program files\Webteh

2009-02-27 01:11 . 2009-02-27 02:39 <DIR> d-------- c:\program files\BS.Player ControlBar

2009-02-27 01:10 . 2009-02-28 21:15 <DIR> d-------- c:\program files\CometBird

2009-02-27 01:10 . 2009-02-27 01:10 <DIR> d-------- c:\documents and settings\SAKATA\Application Data\CometNetwork

2009-02-27 01:10 . 2009-02-27 01:10 0 --a------ c:\windows\nsreg.dat

2009-02-27 01:09 . 2009-03-04 21:36 <DIR> d-------- c:\program files\BitComet

2009-02-27 01:09 . 2009-03-02 06:08 <DIR> d-------- C:\Downloads

2009-02-27 01:08 . 2009-02-27 01:08 <DIR> d-------- c:\windows\system32\Adobe

2009-02-27 01:08 . 2009-01-16 18:34 499,712 --a------ c:\windows\system32\msvcp71.dll

2009-02-27 01:08 . 2009-01-16 18:34 348,160 --a------ c:\windows\system32\msvcr71.dll

2009-02-27 01:05 . 2009-02-27 01:05 <DIR> d-------- c:\program files\Common Files\Adobe

2009-02-26 23:08 . 2009-02-26 23:08 <DIR> d---s---- c:\documents and settings\SAKATA\UserData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-04 19:28 --------- d-----w c:\documents and settings\SAKATA\Application Data\Skype

2009-03-04 19:02 --------- d-----w c:\documents and settings\SAKATA\Application Data\skypePM

2009-03-01 01:28 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-26 21:20 --------- d-----w c:\program files\Skype

2009-02-26 21:20 --------- d-----w c:\program files\Google

2009-02-26 21:20 --------- d-----w c:\program files\Common Files\Skype

2009-02-26 20:57 --------- d-----w c:\program files\VDOTool

2009-02-26 20:55 --------- d-----w c:\program files\KWorld Multimedia

2009-02-26 20:49 --------- d-----w c:\program files\Realtek

2009-02-26 20:49 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-26 20:38 --------- d-----w c:\program files\microsoft frontpage

.

((((((((((((((((((((((((((((( SnapShot@2009-03-03_21.21.35,93 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-04 19:54:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7c4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-02-26 171448]

"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]

"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-25 507904]

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-08-04 1667584]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TBPanel"="c:\program files\VDOTool\TBPanel.exe" [2008-01-09 2169384]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-01-09 13508608]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-01-09 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-01-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7246:TCP"= 7246:TCP:BitComet 7246 TCP

"7246:UDP"= 7246:UDP:BitComet 7246 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2009-02-26 672128]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2009-02-26 28672]

S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009-02-28 410976]

S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bsplayer-search.com/startpage

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Winamp Search

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12}

FF - ProfilePath - c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Winamp Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

FF - component: c:\documents and settings\SAKATA\Application Data\Mozilla\Firefox\Profiles\zs0ofgrg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-04 21:54:33

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-03-04 21:56:55 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-04 19:56:52

ComboFix2.txt 2009-03-04 19:16:55

ComboFix3.txt 2009-03-04 19:09:28

ComboFix4.txt 2009-03-04 14:29:04

ComboFix5.txt 2009-03-04 19:51:43

Pre-Run: 71,879,725,056 bytes free

Post-Run: 71,866,089,472 bytes free

252 --- E O F --- 2009-03-02 22:14:17

It looks better.

1. Archive the Qoobox folder, which is located in C:, and attach it at:

http://www.4storing.com

Then post the link here.

2. Update Malwarebytes' Anti-Malware and run a quick scan, then post the log here.

3. Finally, post a log in the HijackThis topic.

Slowly, slower, even slower... - the slowest, and even that is hypothetical. And when will it be time for a clean start? I do not wish to mock anyone - I am simply urging you to think it all through from another angle as well - why do you keep wondering how to restore some damaged OS!? It is more correct to recreate it from scratch and prevent new likely-possible holes! You gain more than just time.... Think about it... Regards

You'd better realize that reinstalling isn't always necessary. Things have to be sorted out. Choosing the easier option is no heroism. You're giving up in the face of the problem. And if with every self-infection you reach this conclusion, you'd better find another hobby than testing malware and protective applications, or at least do it in a virtual machine. Yes, if the residual damage is very heavy and the infection is deeply rooted, it is logical to end up moving to a "FRESH OS", but it remains a last resort.

Experts dealing with cleaning computers of malicious code, besides using specific tools and analyzing a pile of logs, have to understand the registry and know various solutions for repairing a non-working state of Windows.

Removing malware is not the only thing us experts have to know. We must be knowledgeable in the Windows registry and have extensive experience with troubleshooting Windows. Analyzing logs is an art for most of us and takes a year after training to really be proficient in. Malware removal is not something that comes easy for any of us; we are constantly learning. I certainly don't know everything and I'm currently starting to become more proficient with batch programming. I think scripting can be another useful feature to my techniques. I hope this is thorough enough.

http://www.malwarebytes.org/forums/index.php?showtopic=8695

But if it's done even for the slightest trifles...

Now, if you cannot restore Windows to working order and configure it correctly to plug the holes, it means this pursuit really isn't for you.

If you put your head in the wolf's mouth you have to be ready for the challenge of what will happen if the teeth snap shut...

Fixer will tell you about the requirements for applying to be an expert in cleaning and restoring Windows - how many programs you work with, how many materials you read and how carefully the recommendations of the "old dogs" are followed... The last one (following the recommendations) is unfortunately a fairly rare phenomenon with us... both on the part of the people asking for help (mostly them - they either do what they think best or provide extremely scant information) and on the part of the constantly interfering "wannabe" specialists around the local forums. Of course, this is still a forum (for exchanging info and mutual help) and everyone has a right to speak, but at least let them realize the responsibility of each of their posts and the possible consequences for whoever reads and follows the instructions. Anyone can make a mistake, and that is why a check in Google would be useful for dispelling doubts about the correctness of a given claim before it is published.

Edited by B-boy[StyLe]

Slowly, slower, even slower... - the slowest, and even that is hypothetical. And when will it be time for a clean start? I do not wish to mock anyone - I am simply urging you to think it all through from another angle as well - why do you keep wondering how to restore some damaged OS!? It is more correct to recreate it from scratch and prevent new likely-possible holes! You gain more than just time.... Think about it... Regards

But I reinstalled last Thursday.

http://4storing.com/6353o/e7540b6fc895aa4d...9cc95349f0.html

Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.34

Версия на базата от данни: 1817

Windows 5.1.2600 Service Pack 2

2009-03-04 22:38:47

mbam-log-2009-03-04 (22-38-47).txt

Тип сканиране: Пълно сканиране (C:\|)

Сканирани обекти: 84533

Изминало време: 14 minute(s), 36 second(s)

Заразени процеси в паметта: 0

Заразени модули в паметта: 0

Заразени ключове в регистратурата: 0

Заразени стойности в регистратурата: 0

Заразени информационни обекти в регистратурата: 0

Заразени папки: 0

Заразени файлове: 0

Заразени процеси в паметта:

(Не бяха открити заплахи)

Заразени модули в паметта:

(Не бяха открити заплахи)

Заразени ключове в регистратурата:

(Не бяха открити заплахи)

Заразени стойности в регистратурата:

(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:

(Не бяха открити заплахи)

Заразени папки:

(Не бяха открити заплахи)

Заразени файлове:

(Не бяха открити заплахи)

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:39, on 2009-03-04

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\windows\System32\nvsvc32.exe

C:\windows\system32\wscntfy.exe

C:\windows\RTHDCPL.EXE

C:\Program Files\VDOTool\TBPanel.exe

C:\windows\system32\RUNDLL32.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Winamp Remote\bin\OrbTray.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\windows\system32\wuauclt.exe

C:\windows\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bsplayer-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [TBPanel] C:\Program Files\VDOTool\TBPanel.exe /A

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe" /tray

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: is-9LHA7.lnk = C:\Documents and Settings\SAKATA\Desktop\New Folder\Program - Folders\Virus Removal Tool\is-9LHA7\startup.exe

O8 - Extra context menu item: &С&валяне &с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &С&валяне на всички с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &С&валяне на всичкото видео с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235695592343

O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://aspglobal.ahnlab.com/asp/cab/AhnASP.cab

O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} -

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

--

End of file - 6590 bytes

Edited by SAKATAR

Open HijackThis, choose Do a system scan only and put check marks in front of the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bsplayer-search.com/startpage

O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)

O4 - Startup: is-9LHA7.lnk = C:\Documents and Settings\SAKATA\Desktop\New Folder\Program - Folders\Virus Removal Tool\is-9LHA7\startup.exe

O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} -

Close the browser and choose Fix Checked.

You're clean now! :)

Am I missing something, or do you not have an antivirus program? :)
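A small log-review script, added here as an example and not part of the thread or of HijackThis itself, that applies to the log lines posted above the same four checks Fixer made by eye: an IE start page pointing at a non-default host, a BHO registered with no file on disk, a startup shortcut pointing into a user profile folder, and an O16 DPF entry with no download URL. The host allowlist and the profile-folder markers are constructed assumptions, not a published rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, the four flagged ones mixed with benign entries from the same log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bsplayer-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - Startup: is-9LHA7.lnk = C:\Documents and Settings\SAKATA\Desktop\New Folder\Program - Folders\Virus Removal Tool\is-9LHA7\startup.exe
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://aspglobal.ahnlab.com/asp/cab/AhnASP.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} -
"""

# Every HijackThis entry starts with a section code (R0, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumption: hosts considered a normal IE default; extend for your environment.
DEFAULT_IE_HOSTS = {"go.microsoft.com"}
# Assumption: path fragments that should not host a startup item.
PROFILE_MARKERS = ("\\desktop\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def host_of(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, or '' if there is none."""
    m = re.match(r"https?://([^/]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def review_line(line: str):
    """Apply the thread's four checks to one log line; return a Finding or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        _, _, url = body.partition(" = ")
        host = host_of(url)
        if host not in DEFAULT_IE_HOSTS:
            return Finding(section, f"browser start/search page set to {host or 'an empty value'}", line)
    elif section == "O2":
        if body.rstrip().endswith("(no file)"):
            return Finding(section, "BHO registered but its file is missing (orphaned entry)", line)
    elif section == "O4" and body.startswith("Startup:"):
        _, _, target = body.partition(" = ")
        if any(marker in target.lower() for marker in PROFILE_MARKERS):
            return Finding(section, "startup shortcut points into a user profile folder", line)
    elif section == "O16":
        _, _, url = body.partition(" - ")
        if not url.strip():
            return Finding(section, "ActiveX (DPF) entry without a download URL", line)
    return None


def review_log(text: str):
    """Run review_line over a whole log and keep only the hits, in log order."""
    return [f for f in (review_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```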

Fixer, THANK YOU VERY MUCH!!! :go ahead:

I have yet to download an antivirus; I've used all sorts before, the choice is quite hard and wide, could you advise me which one to download? :)

By the way, a friend says not to move to SP3. What do you say on the matter? :go ahead:

Edited by SAKATAR

Fixer, THANK YOU VERY MUCH!!! :go ahead:

I have yet to download an antivirus; I've used all sorts before, the choice is quite hard and wide, could you advise me which one to download? :)

By the way, a friend says not to move to SP3. What do you say on the matter? :go ahead:

If it's going to be one of the paid ones, look at the promotions topic. If you're going to crack it, better go for the free ones: Avira Free, Avast HOME, AVG Free :lighter:

Install SP3... and ask this friend why you shouldn't install SP3. I'd be curious to know :wub:

Fixer, THANK YOU VERY MUCH!!! :wors:

I have yet to download an antivirus; I've used all sorts before, the choice is quite hard and wide, could you advise me which one to download? :wors:

By the way, a friend says not to move to SP3. What do you say on the matter? :wors:

You're welcome, I'm glad I managed to help you! :)

I'd suggest ESET NOD32 Antivirus. This antivirus is paid; its price is 4.80 per month via the SMS service (2 SMS messages of 2.40 BGN are sent each month). You can also use one of the NOD32 promotions:

http://www.kaldata.com/forums/index.php?showtopic=101309

ESET NOD32 Antivirus v3 is in Bulgarian, which would make things as easy as possible for you if you struggle with English or simply prefer Bulgarian.

Service Pack 3 contains many fixes for vulnerabilities and other changes that would only help you. I see no reason not to install it.

Every time I turn on the computer a table appears, Auto-Protect Results, and below it says Spyware.Marketscore. How do I stop it from appearing? :)

Every time I turn on the computer a table appears, Auto-Protect Results, and below it says Spyware.Marketscore. How do I stop it from appearing? :)

1. Download and scan with VundoFix, Malwarebytes Anti-Malware 1.34 and SUPERAntiSpyware 4.25.0.1014, and post the logs.

2. Stop your real-time antivirus protection and download Combofix. Run it and wait for the procedure to complete. Do not press any keys on the keyboard and do not move the mouse. Post the log file.

3. Finally, download HijackThis and post the log file in this topic:

http://www.kaldata.com/forums/index.php?showtopic=102469

Edited by B-boy[StyLe]

I have the Symantec antivirus. I recently reinstalled Windows and they returned it to me with this program. About two weeks ago I scanned and there were viruses, which remained in quarantine, and it says they won't harm the system. But how do I remove them? There is trojan horse and trojan packed 25, and for status it says - infected?
