SilentScream

The computer freezes [Solved]

Recommended answer


There is some process, axietlicuw.exe, which sometimes loads the processor to 100%.

Here are the logs:

Malwarebytes' Anti-Malware 1.41

Database version: 2830

Windows 5.1.2600 Service Pack 3

20.9.2009 г. 13:15:00

mbam-log-2009-09-20 (13-15-00).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 161020

Time elapsed: 30 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\gasfkyvghjcsmy.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\gasfkyvghjcsmy.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HJthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:31:16, on 20.9.2009 г.

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\vsnpstd3.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\axietlicuw.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\axietlicuw.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Alerter AlerterAlerterAntiVirScheduler (AlerterAlerterAntiVirScheduler) - Unknown owner - C:\WINDOWS\system32\axietlicuw.exe

O23 - Service: Alerter AlerterAntiVirScheduler (AlerterAntiVirScheduler) - Unknown owner - C:\WINDOWS\TEMP\axietlicuw.exe (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--

End of file - 4426 bytes
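As an added example (not code from any post in this thread, nor part of HijackThis), here is a small Python triage script that scores O23 service entries on the defender-side indicators visible in the log above: an "Unknown owner", an image under the TEMP directory, a "(file missing)" marker, and a short name stitched together from a legitimate service's name. The weights and the report threshold are assumptions chosen for illustration.

```python
"""Triage of HijackThis O23 (service) entries.

Added example for this thread; not code from any post here and not part
of HijackThis. Each O23 line is scored on a few defender-side indicators:
an "Unknown owner", an image under the TEMP directory, a "(file missing)"
marker, a short name that embeds the short name of a vendor-owned service,
and a consecutively repeated name fragment. Weights and the report
threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
SHORT_RE = re.compile(r"^(?P<display>.+?) \((?P<short>[^()]+)\)$")
REPEAT_RE = re.compile(r"([A-Za-z]{4,})\1")   # e.g. "AlerterAlerter..."
THRESHOLD = 3                                  # assumption: report at/above this

# Constructed sample: the O23 lines from the log above plus one non-O23 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Alerter AlerterAlerterAntiVirScheduler (AlerterAlerterAntiVirScheduler) - Unknown owner - C:\WINDOWS\system32\axietlicuw.exe
O23 - Service: Alerter AlerterAntiVirScheduler (AlerterAntiVirScheduler) - Unknown owner - C:\WINDOWS\TEMP\axietlicuw.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    missing: bool
    reasons: list = field(default_factory=list)  # (reason, weight) pairs

    @property
    def score(self) -> int:
        return sum(weight for _, weight in self.reasons)


def parse_o23(line: str):
    """Parse one HijackThis O23 line; return None for any other line."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    # Split from the right: display names may themselves contain " - ".
    parts = line.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, owner, path = parts
    head = head[len(PREFIX):]
    m = SHORT_RE.match(head)
    display, short = (m.group("display"), m.group("short")) if m else (head, head)
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    return Service(display, short, owner, path, missing)


def triage(lines):
    """Parse all O23 lines and attach weighted reasons to each service."""
    services = [s for s in map(parse_o23, lines) if s]
    # Short names of services HijackThis attributes to a known vendor.
    vendor_shorts = {s.short.lower() for s in services if s.owner != "Unknown owner"}
    for s in services:
        lower = s.short.lower()
        if s.owner == "Unknown owner":
            s.reasons.append(("unknown owner", 1))
        if "\\temp\\" in s.path.lower():
            s.reasons.append(("image under TEMP", 2))
        if s.missing:
            s.reasons.append(("image file missing", 1))
        for vendor in vendor_shorts:
            if vendor in lower and vendor != lower:
                s.reasons.append((f"name embeds vendor service '{vendor}'", 2))
        if REPEAT_RE.search(s.short):
            s.reasons.append(("repeated name fragment", 2))
    return services


def suspicious(lines):
    """Services whose combined score reaches the threshold, in log order."""
    return [s for s in triage(lines) if s.score >= THRESHOLD]


if __name__ == "__main__":
    for svc in suspicious(SAMPLE_LOG.splitlines()):
        print(f"{svc.short}: score {svc.score}")
        for reason, weight in svc.reasons:
            print(f"  +{weight} {reason}")
```

A lone "Unknown owner" (as on the legitimate ATI Smart entry) scores below the threshold, which is the point of combining indicators rather than acting on one.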


Hello SilentScream!

I am Maniac and I will be helping you clean your system of malicious software. Analysing the logs, as well as removing the malware, may take time, so please be patient. Please keep the following in mind:

  • I will help you only with cleaning your system of malware. For any other problems, please create a new topic in the appropriate forum and describe your problem in detail.
  • The solution applies only to this problem and only to this computer.
  • Follow my instructions strictly until I tell you that your system is completely clean. The fact that the symptoms have disappeared does not mean that everything is fine.
  • If you do not understand something, please ask me rather than taking a risk. It is better to be a little slower than to complicate things.
  • If a rootkit is present, I do not guarantee 100% cleaning.
  • Be patient, because the procedure for cleaning your system may take some time, depending on the type of malware.
  • All correspondence goes through this topic; do not create a new topic and do not use another topic for this purpose.

Step 1:

Download Security Check by screen317 from here or here and save it to your desktop.

  • Double-click SecurityCheck.exe and follow the instructions.
  • At the end, a text document named checkup.txt will open automatically; please paste its contents in your next comment in this topic.

Step 2:

Download RootRepeal from here

Unzip it to your desktop.

  • Double-click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the window
  • Click the Scan button
  • Tick the following:
      • Drivers
      • Processes
      • SSDT
      • Hidden Services
  • Click the OK button
  • In the next dialog box, tick all partitions (C:\ , D:\ ....)
  • Click OK to start the scanning process

Note: The scanning process may take time. Please do not start any programs while the program is scanning.

  • When the scan completes successfully, the Save Report button will appear
  • Click Save Report and save the log file to your desktop with the name RootRepeal.txt
  • Open File, then Exit, to close the program.

Copy and paste the contents of RootRepeal.txt in your next post.


Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3 (UAC is disabled!)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````````````````````````

DNS Vulnerability Check:

`````````End of Log```````````

RootRepeal

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/20 13:55

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAC588000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79AB000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9542000 Size: 49152 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xf7a5b60c

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xf7a5b5f8

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xf7a5b5fd

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xf7a5b607

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0xf7a5b602

Hidden Services

-------------------

Service Name: gasfkyowujeyri

Image Path: C:\WINDOWS\system32\drivers\gasfkyuejfgliy.sys

==EOF==


Step 1:

Open RootRepeal and run a scan with it, but only of the files. When it finds:

Service Name: gasfkyowujeyri

Image Path: C:\WINDOWS\system32\drivers\gasfkyuejfgliy.sys

Right-click on it and select Wipe. RootRepeal should then take care of removing it.

Finally, restart your computer.

Step 2:

Download ComboFix from one of the following links:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your desktop

  • Disable your antivirus and antispyware programs; usually this is done by right-clicking the program's icon in the system tray.

Note: If you cannot stop it, or are not sure which program to disable, please review the information at this link: How to Disable your Security Programs

  • Rename ComboFix.exe to Tool.exe

  • Run Tool.exe and follow the instructions.

Note: ComboFix will run without the Recovery Console installed.

  • As part of its work, ComboFix will check whether the Microsoft Windows Recovery Console is installed. Given how quickly malware evolves, it is strongly recommended that it be installed before the malware is removed. This will allow you to enter a special recovery/repair mode, which will let us more easily resolve any problem that could arise while removing the malware.

  • Follow the instructions to allow ComboFix to download and install the Microsoft Windows Recovery Console. At one point you will be asked whether you agree to the license agreement. You need to confirm that you agree in order to install the Microsoft Windows Recovery Console.

** Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will proceed to the malware removal process.

[image: RcAuto1.gif]

After the Microsoft Windows Recovery Console has been installed using ComboFix, you will see the following message:

[image: whatnext.png]

Select Yes to continue the malware scan.

When the process completes successfully, the tool will create a log file. Please include the contents of C:\ComboFix.txt in your next comment in this topic.

Note:

  1. Please do not move the mouse while ComboFix is running. This may disrupt its work.
  2. ComboFix will reset all Microsoft Internet Explorer settings, including making IE the default browser.
  3. ComboFix will disable the autorun function on ALL CD, floppy and USB devices, to help with removing the malware and to protect you from future viruses/threats that spread via autorun. If this is a problem for you, please let me know.
  4. ComboFix will disconnect your internet connection. The connection will be restored automatically before ComboFix finishes its work. If there is a problem, it will terminate the internet connection. To restore your internet connection, restart your computer.
  5. If ComboFix runs into a problem, it may create a log file. Please include the contents of C:\BUG.txt in your next comment in this topic.

ComboFix may take up to 20-30 minutes to finish; please be patient.

Please do not attach the log file(s) from the program; copy and paste them into your next comment in this topic.


ComboFix 09-09-18.02 - Petio 09.2009 г. 14:18.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.2047.1467 [GMT 3:00]

Running from: c:\documents and settings\Petio\Desktop\Tool.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Alcmtr.exe

c:\windows\system32\drivers\gasfkyuejfgliy.sys

c:\windows\system32\gasfkydyebxnkm.dat

c:\windows\system32\gasfkyitjcfmml.dat

c:\windows\system32\gasfkyktpnlgtv.dll

c:\windows\system32\gasfkyyxypixbo.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkyowujeyri

-------\Service_gasfkyowujeyri

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))

.

2009-09-20 09:41 . 2009-09-19 15:40 33792 ----a-w- c:\windows\system32\axietlicuw.exe

2009-09-18 16:32 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2009-09-18 16:32 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2009-09-18 16:32 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2009-09-18 16:32 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2009-09-18 16:32 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2009-09-18 16:32 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2009-09-18 16:32 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2009-09-18 16:32 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2009-09-18 16:32 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2009-09-18 16:32 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2009-09-18 16:32 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2009-09-18 16:32 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2009-09-18 16:31 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2009-09-18 16:31 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2009-09-18 16:31 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-09-18 16:31 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-09-18 16:29 . 2006-09-19 06:07 827392 ----a-w- c:\windows\vsnpstd3.exe

2009-09-18 16:29 . 2004-06-15 12:18 53248 ----a-w- c:\windows\system32\dsnpstd3.dll

2009-09-18 16:29 . 2009-09-18 16:29 -------- d-----w- c:\program files\Common Files\snpstd3

2009-09-18 16:29 . 2007-03-27 15:19 10252544 ----a-w- c:\windows\system32\drivers\snpstd3.sys

2009-09-18 16:29 . 2007-03-12 08:41 61440 ----a-w- c:\windows\system32\vsnpstd3.dll

2009-09-18 16:29 . 2005-11-23 09:55 53248 ----a-w- c:\windows\system32\csnpstd3.dll

2009-09-18 16:29 . 2004-11-05 07:17 57344 ----a-w- c:\windows\system32\rsnpstd3.dll

2009-09-18 16:29 . 2004-08-06 12:48 20480 ----a-w- c:\windows\usnpstd3.exe

2009-09-18 16:22 . 2004-08-09 14:43 94208 ----a-w- c:\windows\amcap.exe

2009-09-18 16:20 . 2008-04-13 21:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2009-09-18 16:20 . 2008-04-13 21:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2009-09-18 16:19 . 2008-04-13 21:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-09-18 16:19 . 2008-04-13 21:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-09-17 15:29 . 2009-09-17 15:29 -------- d-----w- c:\windows\system32\AGEIA

2009-09-17 15:29 . 2009-09-17 15:29 -------- d-----w- c:\program files\AGEIA Technologies

2009-09-17 15:28 . 2009-09-17 15:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-17 15:18 . 2009-09-19 13:53 -------- d-----w- c:\program files\Need for Speed - Shift

2009-09-15 21:08 . 2009-09-16 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-15 21:07 . 2009-09-15 21:07 -------- d-sh--w- c:\documents and settings\Petio\PrivacIE

2009-09-15 21:07 . 2009-09-19 11:20 -------- d-----w- c:\documents and settings\Petio\Local Settings\Application Data\AskToolbar

2009-09-13 10:16 . 2009-09-14 11:29 12328 ----a-w- c:\documents and settings\Petio\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-13 10:15 . 2009-09-13 10:15 -------- d-----w- c:\documents and settings\Petio\Local Settings\Application Data\ATI

2009-09-13 10:15 . 2009-09-13 10:15 -------- d-----w- c:\documents and settings\Petio\Application Data\ATI

2009-09-13 10:15 . 2009-09-13 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2009-09-13 09:53 . 2009-09-13 09:53 -------- d-----w- c:\documents and settings\Petio\Application Data\Media Player Classic

2009-09-13 09:51 . 2009-09-13 09:51 -------- d-----w- c:\documents and settings\Petio\Application Data\GRETECH

2009-09-13 09:20 . 2009-09-13 09:20 -------- d-----w- c:\program files\Ask.com

2009-09-13 09:20 . 2009-09-13 09:20 -------- d-----w- c:\program files\GRETECH

2009-09-13 09:14 . 2009-09-13 09:14 -------- d-----w- c:\program files\Elaborate Bytes

2009-09-13 08:52 . 2009-09-13 08:52 -------- d-----w- c:\program files\MSBuild

2009-09-13 08:52 . 2009-09-14 08:43 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-13 08:52 . 2009-09-13 08:52 -------- d-----w- c:\program files\Reference Assemblies

2009-09-13 08:52 . 2006-06-29 10:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-09-11 17:59 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-09-11 17:59 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2009-09-11 17:50 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-09-11 17:50 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-09-11 17:50 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-09-11 17:48 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-09-11 17:44 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-09-11 17:08 . 2009-09-11 17:08 -------- d-----w- c:\windows\system32\Lang

2009-09-11 14:00 . 2006-08-01 12:02 49152 ----a-w- c:\windows\system32\ChCfg.exe

2009-09-11 14:00 . 2006-07-22 04:40 143360 ----a-w- c:\windows\system32\RtlCPAPI.dll

2009-09-11 14:00 . 2009-09-11 14:00 -------- d-----w- c:\windows\system32\RTCOM

2009-09-11 14:00 . 2006-07-21 13:14 86016 ----a-w- c:\windows\SoundMan.exe

2009-09-11 14:00 . 2006-05-16 15:04 2879488 ----a-w- c:\windows\SkyTel.exe

2009-09-11 14:00 . 2006-09-12 16:27 4381184 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys

2009-09-11 14:00 . 2006-09-01 11:35 364544 ----a-w- c:\windows\RtlUpd.exe

2009-09-11 14:00 . 2006-05-04 13:35 9709568 ----a-w- c:\windows\RTLCPL.exe

2009-09-11 14:00 . 2006-09-12 13:58 16264192 ----a-w- c:\windows\RTHDCPL.exe

2009-09-11 14:00 . 2006-09-12 12:12 2155008 ----a-w- c:\windows\MicCal.exe

2009-09-11 14:00 . 2006-05-04 13:26 2808832 ----a-w- c:\windows\alcwzrd.exe

2009-09-11 13:14 . 2009-09-11 13:14 -------- d-----w- c:\program files\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-20 10:50 . 2009-09-11 10:04 -------- d-----w- c:\documents and settings\Petio\Application Data\Skype

2009-09-19 15:39 . 2009-09-11 09:06 -------- d-----w- c:\documents and settings\Petio\Application Data\uTorrent

2009-09-19 15:15 . 2009-09-11 10:07 -------- d-----w- c:\documents and settings\Petio\Application Data\skypePM

2009-09-18 16:29 . 2009-09-11 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-13 09:53 . 2009-09-13 09:18 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-09-13 09:49 . 2009-09-13 09:21 -------- d-----w- c:\documents and settings\Petio\Application Data\Winamp

2009-09-13 09:24 . 2009-09-13 09:21 -------- d-----w- c:\program files\Winamp

2009-09-11 14:00 . 2009-09-11 08:59 -------- d-----w- c:\program files\Realtek

2009-09-11 10:07 . 2009-09-11 10:07 48 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-09-11 10:04 . 2009-09-11 10:04 -------- d-----w- c:\program files\Skype

2009-09-11 10:04 . 2009-09-11 10:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-09-11 10:04 . 2009-09-11 10:04 -------- d-----w- c:\program files\Common Files\Skype

2009-09-11 10:00 . 2009-09-11 10:00 -------- d-----w- c:\program files\Trend Micro

2009-09-11 09:50 . 2009-09-11 09:50 0 ----a-w- c:\windows\nsreg.dat

2009-09-11 09:45 . 2009-09-11 09:19 -------- d-----w- c:\program files\ATI

2009-09-11 09:20 . 2009-09-11 09:20 0 ----a-w- c:\windows\ativpsrm.bin

2009-09-11 09:20 . 2009-09-11 09:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-11 09:19 . 2009-09-11 09:18 -------- d-----w- c:\program files\ATI Technologies

2009-09-11 09:18 . 2009-09-11 09:15 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-11 09:17 . 2009-09-11 08:59 -------- d-----w- c:\program files\Common Files\InstallShield

2009-09-11 09:15 . 2009-09-11 09:15 -------- d-----w- c:\program files\Avira

2009-09-11 09:15 . 2009-09-11 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-11 09:11 . 2009-09-11 09:11 -------- d-----w- c:\documents and settings\Petio\Application Data\Malwarebytes

2009-09-11 09:11 . 2009-09-11 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-11 09:06 . 2009-09-11 09:06 -------- d-----w- c:\program files\uTorrent

2009-09-11 08:56 . 2009-09-11 08:56 -------- d-----w- c:\documents and settings\Petio\Application Data\InstallShield

2009-09-11 08:50 . 2009-09-11 08:50 -------- d-----w- c:\program files\microsoft frontpage

2009-09-11 08:49 . 2009-09-11 08:49 -------- d-----w- c:\program files\Windows Media Connect 2

2009-09-11 08:44 . 2009-09-11 08:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-09-10 11:54 . 2009-09-11 09:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 11:53 . 2009-09-11 09:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-16 15:08 . 2009-09-13 09:18 178176 ----a-w- c:\windows\system32\unrar.dll

2009-08-14 10:36 . 2009-08-14 10:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll

2009-08-05 09:01 . 2008-04-14 02:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2008-04-14 02:42 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2008-04-14 02:41 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2008-04-14 02:41 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 00:15 . 2009-09-13 09:18 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-07-14 00:15 . 2009-09-13 09:18 685056 ----a-w- c:\windows\system32\divx.dll

2009-07-13 20:43 . 2008-04-14 02:42 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2008-04-14 02:42 915456 ----a-w- c:\windows\system32\wininet.dll

.

------- Sigcheck -------

[-] 2008-04-23 . 0484B919829B94B6EEC50D0AC607751A . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-04-02 16:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-12 16264192]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Downloads\\wrar39b1.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 AlerterAlerterAntiVirScheduler;Alerter AlerterAlerterAntiVirScheduler;c:\windows\system32\axietlicuw.exe service --> c:\windows\system32\axietlicuw.exe service [?]

S2 AlerterAntiVirScheduler;Alerter AlerterAntiVirScheduler;c:\windows\TEMP\axietlicuw.exe service --> c:\windows\TEMP\axietlicuw.exe service [?]

S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lqpmmn.sys --> c:\windows\system32\drivers\lqpmmn.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 16:50]

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Petio\Application Data\Mozilla\Firefox\Profiles\rnf5tfyn.default\

FF - prefs.js: browser.search.selectedEngine - Уикипедия (bg)

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-20 14:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2040)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-09-20 14:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-20 11:25

Pre-Run: 30 605 516 800 bytes free

Post-Run: 30 528 675 840 bytes free

264 --- E O F --- 2009-09-15 15:54



Step 1:

Please go to Start --> Settings --> Control Panel --> Add or Remove Programs and uninstall the following programs (if they are present in the list):

AskToolbar

Step 2:

1) Download this file and save it to your desktop:

http://rapidshare.com/files/282573439/sfcfiles.dll.html

2) Enter Safe Mode (Safe Mode only):

To enter Safe Mode, press F8 repeatedly while the computer is starting, before the Windows logo appears.

The Windows Advanced Menu will open with quite a few options; choose one of the "Safe ..." options, in this case Safe Mode.

3) Copy the file and paste it into:

c:\windows\system32\

The aim is to replace your file with this one, because yours is infected.

4) Finally, return to normal mode (exit Safe Mode).

Step 3:

Open Notepad and paste the following text into it using copy/paste:

http://www.kaldata.com/forums/index.php?showtopic=136617


Killall::


Collect::

c:\windows\system32\axietlicuw.exe

c:\windows\TEMP\axietlicuw.exe


File::

c:\windows\system32\drivers\lqpmmn.sys


Driver::

lqpmmn

Save the file under the name CFScript.txt and drop it onto ComboFix.

Once the program finishes, it will show you the log file. Again using copy/paste, post that information here.


ComboFix 09-09-18.02 - Petio 09.2009 г. 14:59.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.2047.1565 [GMT 3:00]

Running from: c:\documents and settings\Petio\Desktop\Tool.exe

Command switches used :: c:\documents and settings\Petio\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\windows\system32\drivers\lqpmmn.sys"

file zipped: c:\windows\system32\axietlicuw.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\axietlicuw.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AlerterAlerterAntiVirScheduler

-------\Service_AlerterAlerterAntiVirScheduler

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))

.

2009-09-18 16:32 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2009-09-18 16:32 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2009-09-18 16:32 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2009-09-18 16:32 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2009-09-18 16:32 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2009-09-18 16:32 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2009-09-18 16:32 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2009-09-18 16:32 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2009-09-18 16:32 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2009-09-18 16:32 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2009-09-18 16:32 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2009-09-18 16:32 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2009-09-18 16:31 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2009-09-18 16:31 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2009-09-18 16:31 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-09-18 16:31 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-09-18 16:29 . 2006-09-19 06:07 827392 ----a-w- c:\windows\vsnpstd3.exe

2009-09-18 16:29 . 2004-06-15 12:18 53248 ----a-w- c:\windows\system32\dsnpstd3.dll

2009-09-18 16:29 . 2009-09-18 16:29 -------- d-----w- c:\program files\Common Files\snpstd3

2009-09-18 16:29 . 2007-03-27 15:19 10252544 ----a-w- c:\windows\system32\drivers\snpstd3.sys

2009-09-18 16:29 . 2007-03-12 08:41 61440 ----a-w- c:\windows\system32\vsnpstd3.dll

2009-09-18 16:29 . 2005-11-23 09:55 53248 ----a-w- c:\windows\system32\csnpstd3.dll

2009-09-18 16:29 . 2004-11-05 07:17 57344 ----a-w- c:\windows\system32\rsnpstd3.dll

2009-09-18 16:29 . 2004-08-06 12:48 20480 ----a-w- c:\windows\usnpstd3.exe

2009-09-18 16:22 . 2004-08-09 14:43 94208 ----a-w- c:\windows\amcap.exe

2009-09-18 16:20 . 2008-04-13 21:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2009-09-18 16:20 . 2008-04-13 21:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2009-09-18 16:19 . 2008-04-13 21:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-09-18 16:19 . 2008-04-13 21:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-09-17 15:29 . 2009-09-17 15:29 -------- d-----w- c:\windows\system32\AGEIA

2009-09-17 15:29 . 2009-09-17 15:29 -------- d-----w- c:\program files\AGEIA Technologies

2009-09-17 15:28 . 2009-09-17 15:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-17 15:18 . 2009-09-19 13:53 -------- d-----w- c:\program files\Need for Speed - Shift

2009-09-15 21:08 . 2009-09-16 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-15 21:07 . 2009-09-15 21:07 -------- d-sh--w- c:\documents and settings\Petio\PrivacIE

2009-09-13 10:16 . 2009-09-14 11:29 12328 ----a-w- c:\documents and settings\Petio\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-13 10:15 . 2009-09-13 10:15 -------- d-----w- c:\documents and settings\Petio\Local Settings\Application Data\ATI

2009-09-13 10:15 . 2009-09-13 10:15 -------- d-----w- c:\documents and settings\Petio\Application Data\ATI

2009-09-13 10:15 . 2009-09-13 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2009-09-13 09:53 . 2009-09-13 09:53 -------- d-----w- c:\documents and settings\Petio\Application Data\Media Player Classic

2009-09-13 09:51 . 2009-09-13 09:51 -------- d-----w- c:\documents and settings\Petio\Application Data\GRETECH

2009-09-13 09:20 . 2009-09-13 09:20 -------- d-----w- c:\program files\GRETECH

2009-09-13 09:14 . 2009-09-13 09:14 -------- d-----w- c:\program files\Elaborate Bytes

2009-09-13 08:52 . 2009-09-13 08:52 -------- d-----w- c:\program files\MSBuild

2009-09-13 08:52 . 2009-09-14 08:43 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-13 08:52 . 2009-09-13 08:52 -------- d-----w- c:\program files\Reference Assemblies

2009-09-13 08:52 . 2006-06-29 10:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-09-11 17:59 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-09-11 17:59 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2009-09-11 17:50 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-09-11 17:50 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-09-11 17:50 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-09-11 17:48 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-09-11 17:44 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-09-11 17:08 . 2009-09-11 17:08 -------- d-----w- c:\windows\system32\Lang

2009-09-11 14:00 . 2006-08-01 12:02 49152 ----a-w- c:\windows\system32\ChCfg.exe

2009-09-11 14:00 . 2006-07-22 04:40 143360 ----a-w- c:\windows\system32\RtlCPAPI.dll

2009-09-11 14:00 . 2009-09-11 14:00 -------- d-----w- c:\windows\system32\RTCOM

2009-09-11 14:00 . 2006-07-21 13:14 86016 ----a-w- c:\windows\SoundMan.exe

2009-09-11 14:00 . 2006-05-16 15:04 2879488 ----a-w- c:\windows\SkyTel.exe

2009-09-11 14:00 . 2006-09-12 16:27 4381184 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys

2009-09-11 14:00 . 2006-09-01 11:35 364544 ----a-w- c:\windows\RtlUpd.exe

2009-09-11 14:00 . 2006-05-04 13:35 9709568 ----a-w- c:\windows\RTLCPL.exe

2009-09-11 14:00 . 2006-09-12 13:58 16264192 ----a-w- c:\windows\RTHDCPL.exe

2009-09-11 14:00 . 2006-09-12 12:12 2155008 ----a-w- c:\windows\MicCal.exe

2009-09-11 14:00 . 2006-05-04 13:26 2808832 ----a-w- c:\windows\alcwzrd.exe

2009-09-11 13:14 . 2009-09-11 13:14 -------- d-----w- c:\program files\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-20 11:54 . 2009-09-11 10:04 -------- d-----w- c:\documents and settings\Petio\Application Data\Skype

2009-09-20 11:47 . 2008-04-23 15:38 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2009-09-19 15:39 . 2009-09-11 09:06 -------- d-----w- c:\documents and settings\Petio\Application Data\uTorrent

2009-09-19 15:15 . 2009-09-11 10:07 -------- d-----w- c:\documents and settings\Petio\Application Data\skypePM

2009-09-18 16:29 . 2009-09-11 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-13 09:53 . 2009-09-13 09:18 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-09-13 09:49 . 2009-09-13 09:21 -------- d-----w- c:\documents and settings\Petio\Application Data\Winamp

2009-09-13 09:24 . 2009-09-13 09:21 -------- d-----w- c:\program files\Winamp

2009-09-11 14:00 . 2009-09-11 08:59 -------- d-----w- c:\program files\Realtek

2009-09-11 10:07 . 2009-09-11 10:07 48 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-09-11 10:04 . 2009-09-11 10:04 -------- d-----w- c:\program files\Skype

2009-09-11 10:04 . 2009-09-11 10:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-09-11 10:04 . 2009-09-11 10:04 -------- d-----w- c:\program files\Common Files\Skype

2009-09-11 10:00 . 2009-09-11 10:00 -------- d-----w- c:\program files\Trend Micro

2009-09-11 09:50 . 2009-09-11 09:50 0 ----a-w- c:\windows\nsreg.dat

2009-09-11 09:45 . 2009-09-11 09:19 -------- d-----w- c:\program files\ATI

2009-09-11 09:20 . 2009-09-11 09:20 0 ----a-w- c:\windows\ativpsrm.bin

2009-09-11 09:20 . 2009-09-11 09:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-11 09:19 . 2009-09-11 09:18 -------- d-----w- c:\program files\ATI Technologies

2009-09-11 09:18 . 2009-09-11 09:15 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-11 09:17 . 2009-09-11 08:59 -------- d-----w- c:\program files\Common Files\InstallShield

2009-09-11 09:15 . 2009-09-11 09:15 -------- d-----w- c:\program files\Avira

2009-09-11 09:15 . 2009-09-11 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-11 09:11 . 2009-09-11 09:11 -------- d-----w- c:\documents and settings\Petio\Application Data\Malwarebytes

2009-09-11 09:11 . 2009-09-11 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-11 09:06 . 2009-09-11 09:06 -------- d-----w- c:\program files\uTorrent

2009-09-11 08:56 . 2009-09-11 08:56 -------- d-----w- c:\documents and settings\Petio\Application Data\InstallShield

2009-09-11 08:50 . 2009-09-11 08:50 -------- d-----w- c:\program files\microsoft frontpage

2009-09-11 08:49 . 2009-09-11 08:49 -------- d-----w- c:\program files\Windows Media Connect 2

2009-09-11 08:44 . 2009-09-11 08:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-09-10 11:54 . 2009-09-11 09:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 11:53 . 2009-09-11 09:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-16 15:08 . 2009-09-13 09:18 178176 ----a-w- c:\windows\system32\unrar.dll

2009-08-14 10:36 . 2009-08-14 10:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll

2009-08-05 09:01 . 2008-04-14 02:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2008-04-14 02:42 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2008-04-14 02:41 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2008-04-14 02:41 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 00:15 . 2009-09-13 09:18 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-07-14 00:15 . 2009-09-13 09:18 685056 ----a-w- c:\windows\system32\divx.dll

2009-07-13 20:43 . 2008-04-14 02:42 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2008-04-14 02:42 915456 ------w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-12 16264192]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Downloads\\wrar39b1.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 AlerterAntiVirScheduler;Alerter AlerterAntiVirScheduler;c:\windows\TEMP\axietlicuw.exe service --> c:\windows\TEMP\axietlicuw.exe service [?]

S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lqpmmn.sys --> c:\windows\system32\drivers\lqpmmn.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Petio\Application Data\Mozilla\Firefox\Profiles\rnf5tfyn.default\

FF - prefs.js: browser.search.selectedEngine - Уикипедия (bg)

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-20 15:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(668)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-09-20 15:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-20 12:05

ComboFix2.txt 2009-09-20 11:25

Pre-Run: 30 516 666 368 bytes free

Post-Run: 30 481 850 368 bytes free

243 --- E O F --- 2009-09-15 15:54

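An added triage example, not part of the thread and not ComboFix's own code: it parses service lines in the ComboFix "Reg Loading Points" format, such as the S2/S3 entries in the log above, and flags the traits that led the helper to put those entries into the CFScript: a binary running from a temp directory, "[?]" printed where ComboFix would normally show a file date and size, and machine-generated image or service names. The sample lines are constructed after the log's two entries; the third (Avira) line is a made-up benign control.

```python
"""Triage of ComboFix 'Reg Loading Points' service and driver entries.

Added example, not ComboFix's own code: parses each entry and explains
why it deserves a closer look (temp-directory binary, "[?]" file info,
machine-generated names), as with AlerterAntiVirScheduler / lqpmmn.sys.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on this thread's log; the third
# (Avira) line is a made-up benign control, not copied from a real log.
SAMPLE_LINES = [
    r"S2 AlerterAntiVirScheduler;Alerter AlerterAntiVirScheduler;c:\windows\TEMP\axietlicuw.exe service --> c:\windows\TEMP\axietlicuw.exe service [?]",
    r"S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lqpmmn.sys --> c:\windows\system32\drivers\lqpmmn.sys [?]",
    r"R2 AntiVirScheduler;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-06-12 68865]",
]

# "<state> <name>;<display name>;<image path> [--> <resolved path>] [<date size> | ?]"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|sys|dll)\b", re.IGNORECASE)
INFO_RE = re.compile(r"\[(?P<info>[^\]]*)\]\s*$")


@dataclass
class Entry:
    state: str
    name: str
    display: str
    path: str
    info: str
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for one service line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    info_m = INFO_RE.search(rest)
    info = info_m["info"].strip() if info_m else ""
    if info_m:
        rest = rest[:info_m.start()]
    # Prefer the resolved path after "-->" and drop command-line arguments.
    target = rest.split("-->")[-1]
    pm = PATH_RE.search(target)
    path = pm.group(0) if pm else target.strip()
    return Entry(m["state"], m["name"].strip(), m["display"].strip(), path, info)


def looks_random(name):
    """Crude check for generated names: few vowels in a name of 6+ characters."""
    if len(name) < 6 or not any(c.isalpha() for c in name):
        return False
    vowels = sum(c in "aeiouy" for c in name.lower())
    return vowels / len(name) < 0.25


def triage(entry):
    """Attach the reasons an entry deserves a closer look."""
    low = entry.path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\temp\\" in low or "\\tmp\\" in low:
        entry.reasons.append("binary runs from a temp directory")
    if entry.info == "?":
        entry.reasons.append("no file date/size recorded ([?])")
    if looks_random(stem):
        entry.reasons.append(f"image name '{stem}' looks machine-generated")
    if looks_random(entry.name):
        entry.reasons.append(f"service name '{entry.name}' looks machine-generated")
    return entry


def suspicious_entries(lines):
    """Parse and triage all lines; keep only entries with at least one reason."""
    found = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and triage(entry).reasons:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LINES):
        print(f"{e.state} {e.name} -> {e.path}: " + "; ".join(e.reasons))
```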

1) Download: ESET Online Scanner

2) Run esetsmartinstaller_enu.exe

3) Tick YES, I accept the Terms of Use and choose Start

4) The scanner will start downloading the components it needs.

5) Make sure the following lines are ticked, including the ones in the Advanced Settings menu:


  • Remove found threats
  • Scan archives
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

And finally choose Start

6) The scanner will start downloading the latest definitions.

7) After the scan completes, choose Finish.

8) Go to:

C:\Program Files\ESET\ESET Online Scanner

Open the file log.txt, copy its contents and paste them into your next post here.


# version=6

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=f3e85db39be7a145834736fea22610d1

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2009-09-20 01:15:43

# local_time=2009-09-20 04:15:43 (+0200, FLE Daylight Time)

# country="Bulgaria"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1793 37 100 100 874316875000

# scanned=73963

# found=11

# cleaned=11

# scan_time=3736

C:\Documents and Settings\Petio\Desktop\unl-nfsstrn.exe a variant of Win32/Kryptik.AND trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Petio\Desktop\Need For Speed Shift PLUS 1 Trainer\Need For Speed Shift PLUS 1 Trainer.rar a variant of Win32/Kryptik.AND trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\[4]-Submit_2009-09-20_14.59.40.zip a variant of Win32/Kryptik.AMZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyuejfgliy.sys.vir a variant of Win32/Rootkit.Kryptik.P trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\sqkvi ;d\AAAAAAAAAAAAAAA\pozdravi.exe Win32/Skogazz.A worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E92BDB16-60E1-4627-BA01-23A951FF2204}\RP28\A0005504.dll Win32/Olmarik.MF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E92BDB16-60E1-4627-BA01-23A951FF2204}\RP28\A0006542.sys a variant of Win32/Rootkit.Kryptik.P trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E92BDB16-60E1-4627-BA01-23A951FF2204}\RP29\A0006661.exe a variant of Win32/Kryptik.AMZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E92BDB16-60E1-4627-BA01-23A951FF2204}\RP29\A0006812.exe a variant of Win32/Kryptik.AND trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E92BDB16-60E1-4627-BA01-23A951FF2204}\RP29\A0006813.exe Win32/Skogazz.A worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\instal\Nero7 Premium Reloaded v.7.5.9.1\Nero7.iso probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C


Everything should be fine now. How does your system feel? Archive the Qoobox folder, which is located in C:\, and send it to me.


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/15 16:51

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: PCI_PNP6208

Image Path: \Driver\PCI_PNP6208

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB3957000 Size: 49152 File Visible: No Signed: -

Status: -

Name: sprz.sys

Image Path: sprz.sys

Address: 0xB7EA6000 Size: 1052672 File Visible: No Signed: -

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x89c458a0

#: 041 Function Name: NtCreateKey

Status: Hooked by "sprz.sys" at address 0xb7ea70e0

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "sprz.sys" at address 0xb7ec5ca4

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "sprz.sys" at address 0xb7ec6032

#: 119 Function Name: NtOpenKey

Status: Hooked by "sprz.sys" at address 0xb7ea70c0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x89c44cb0

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x89c450d0

#: 160 Function Name: NtQueryKey

Status: Hooked by "sprz.sys" at address 0xb7ec610a

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "sprz.sys" at address 0xb7ec5f8a

#: 247 Function Name: NtSetValueKey

Status: Hooked by "sprz.sys" at address 0xb7ec619c

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x89c456d0

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x89c454f0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x89c44ee0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x89c45310


Division_ss, please follow the instructions at this link:

http://www.kaldata.com/forums/index.php?showtopic=132819

Create your own topic and post the information there.
