
How do I remove Win32.TDSS.rtk? [Solved]


Hello! I have a problem with the trojan Win32.TDSS.rtk. I used Spybot S&D, which detects the intruder but cannot remove it. It supposedly reports that the problem has been fixed, but on a new scan Win32.TDSS.rtk shows up again. Can someone point me to how to remove the rogue?


Follow the steps in this thread => http://www.kaldata.com/forums/index.php?showtopic=132819

and post the required logs, and a colleague will help you.

Quote (07 October 2009 - 21:19):

Follow the steps in this thread => http://www.kaldata.com/forums/index.php?showtopic=132819

and post the required logs, and a colleague will help you

Here are the results from Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.41

Версия на базата от данни: 2921

Windows 5.1.2600 Service Pack 3

07.10.2009 г. 23:02:25

mbam-log-2009-10-07 (23-02-25).txt

Тип сканиране: Пълно сканиране (C:\|D:\|E:\|)

Сканирани обекти: 159763

Изминало време: 24 minute(s), 55 second(s)

Заразени процеси в паметта: 0

Заразени модули в паметта: 1

Заразени ключове в регистратурата: 9

Заразени стойности в регистратурата: 21

Заразени информационни обекти в регистратурата: 5

Заразени папки: 0

Заразени файлове: 20

Заразени процеси в паметта:

(Не бяха открити заплахи)

Заразени модули в паметта:

\\?\globalroot\systemroot\system32\gasfkympetueex.dll (Rootkit.TDSS) -> Delete on reboot.

Заразени ключове в регистратурата:

HKEY_CLASSES_ROOT\absolutetransfer.absolutetransfer (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\absolutetransfer.absolutetransfer.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\msvbcr40.msvbcr40 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\msvbcr40.msvbcr40.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2756bad7-2f9f-47ef-ae6d-8d39cceb396f} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxlivemedia (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgMgr (Malware.Trace) -> Quarantined and deleted successfully.

Заразени стойности в регистратурата:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb87 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd8834 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga7860 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc7927 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb2794 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1446 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga4592 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc3035 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb3867 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd5776 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga7618 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc6642 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb3868 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd9550 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga3074 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc4433 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb5477 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd7337 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga6739 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc3288 (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2756bad7-2f9f-47ef-ae6d-8d39cceb396f} (Trojan.BHO) -> Quarantined and deleted successfully.

Заразени информационни обекти в регистратурата:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Заразени папки:

(Не бяха открити заплахи)

Заразени файлове:

\\?\globalroot\systemroot\system32\gasfkympetueex.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\gasfkyolespwib.sys (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\gasfkyfeoeiwwk.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\gasfkympetueex.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\gasfkynywkvtmd.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\Temp\gasfkymnsspulptn.tmp (Rootkit.TDSS) -> Delete on reboot.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0206802.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0206809.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0206812.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207810.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207812.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207835.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207836.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207848.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207851.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207861.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207864.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1395F737-EBA7-4661-89DB-578518AF59F4}\RP730\A0207871.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wvpqawlfifle.exe (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Тани\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

I don't know whether step 4 needs to be carried out, but I have a problem downloading the program from there. Please reply.

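An added triage script for the Malwarebytes log above (example code, not from the thread or from Malwarebytes). It parses the result lines, counts objects per detection name, lists everything left as "Delete on reboot" (still on disk until the next boot, which is why a rescan must follow), and for tampered registry data shows where the bad value departs from the expected one. The sample lines are copied from the log in this post; everything else is assumed.

```python
import re
from collections import Counter

# Constructed sample: a few entry lines copied from the MBAM log posted above.
# Header and counter lines of the real log are skipped by the parser anyway.
SAMPLE_LOG = r"""
\\?\globalroot\systemroot\system32\gasfkympetueex.dll (Rootkit.TDSS) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2756bad7-2f9f-47ef-ae6d-8d39cceb396f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gasfkyolespwib.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\wvpqawlfifle.exe (Malware.Trace) -> Quarantined and deleted successfully.
"""

# One MBAM result line: "<object> (<detection name>) -> <result>."
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[\w.]+)\) -> (?P<rest>.+?)\.?$")
# Registry-data results carry the tampered and the expected value before the action.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


def parse_entry(line):
    """Parse one result line; return None for headers, counters and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"object": m["obj"], "detection": m["det"], "bad": None, "good": None}
    bg = BAD_GOOD_RE.match(m["rest"])
    if bg:
        entry.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
    else:
        entry["action"] = m["rest"]
    return entry


def parse_log(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def first_difference(bad, good):
    """Index of the first character where the tampered value departs from the expected
    one (-1 if identical). A one-letter edit such as %fystemRoot% vs %SystemRoot% points
    the service at a path that never resolves, so BITS and Windows Update silently
    stop working while the registry value still looks almost right to the eye."""
    for i, (b, g) in enumerate(zip(bad, good)):
        if b != g:
            return i
    return -1 if len(bad) == len(good) else min(len(bad), len(good))


def triage(entries):
    """Summarise what a helper reading the log wants to know."""
    return {
        "by_detection": Counter(e["detection"] for e in entries),
        # "Delete on reboot" means the object was still present when the scan ended;
        # removal is only attempted during the next boot and may fail, so rescan after.
        "pending_reboot": [e["object"] for e in entries if e["action"] == "Delete on reboot"],
        "tampered": [(e["object"], e["bad"], e["good"], first_difference(e["bad"], e["good"]))
                     for e in entries if e["bad"] is not None],
    }


def needs_rescan(entries):
    """True when the scan cannot be taken as final: deferred deletions, or any rootkit
    detection (a kernel-mode component can hide or restore files behind the scanner)."""
    return any(e["action"] == "Delete on reboot" for e in entries) or \
        any(e["detection"].startswith("Rootkit.") for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary = triage(entries)
    for name, count in summary["by_detection"].most_common():
        print(f"{count:3d}  {name}")
    print("pending reboot:", *summary["pending_reboot"], sep="\n  ")
    for obj, bad, good, pos in summary["tampered"]:
        print(f"tampered {obj}\n  bad : {bad}\n  good: {good}\n  first difference at column {pos}")
    print("rescan required:", needs_rescan(entries))
```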

Apparently my colleagues are not online at the moment.

Follow these steps:

Hello,

STEP 1

Open Notepad and copy/paste the following into it:

@ECHO OFF
REM Start a fresh log for this run
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM Loop over every DLL in system32 with the gasfky prefix seen in the MBAM log
FOR %%g in (c:\windows\system32\gasfky*.dll) DO (
    IF EXIST %%g (
        REM Clear read-only/system/hidden attributes so DEL is allowed to remove it
        ATTRIB -r -s -h %%g
        DEL %%g
        IF EXIST %%g (
            ECHO %%g not deleted>>log.txt
        ) ELSE (
            ECHO %%g deleted successfully>>log.txt
        )
    ) ELSE (
        ECHO %%g not found>>log.txt
    )
)
REM Show the log, then let the batch file delete itself
START NOTEPAD.EXE log.txt
DEL %0

Save the file as fix.bat and run it.

The file should look like this: bat_icon.gif

STEP 2

* Temporarily disable your antivirus program's real-time protection (if one is installed).

* Download Combofix.

* Save it to the Desktop.

* Open Start => Run => and enter the following command:

"%userprofile%\desktop\ComboFix.exe" /KillAll

* While ComboFix is scanning, do not start any other applications, do not press any keys and do not move the mouse!

* Post the log file that will be created after the computer restarts in your next post.

After that I will ask Maniac to take over, because I won't be online for a few days...


Thank you very much for the help, Georgi. After the scan with Malwarebytes' Anti-Malware the trojan disappeared and, at least for now, shows no signs of presence on my PC. So I didn't have to use Combofix. Good luck to you and your team!



Hello from me as well!

Unfortunately, MalwareBytes' Anti-Malware does not always manage to deal with the rootkit, even though it sometimes reports that it has. I strongly recommend that we continue, to make sure you are really clean.


Hello again. After some brief reflection I decided to follow your advice. Here is the log from the Combofix scan

ComboFix 09-10-07.05 - Тани 10.2009 г. 18:48.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.194 [GMT 3:00]

Running from: c:\documents and settings\Тани\Desktop\ComboFix.exe

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\~WRD0002.tmp

c:\windows\Installer\7674c.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\drivers\b5e20975.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkyqeaxwyrf

-------\Service_gasfkyqeaxwyrf

-------\Service_b5e20975

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))

.

2009-10-07 19:31 . 2009-10-07 19:31 -------- d-----w- c:\documents and settings\Тани\Application Data\Malwarebytes

2009-10-07 19:31 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-07 19:31 . 2009-10-07 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-07 19:31 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-08 15:54 . 2008-08-30 14:01 516128 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-10-08 15:54 . 2008-08-30 14:01 4940 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-10-08 15:54 . 2008-08-30 14:01 2562592 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-10-08 15:54 . 2008-08-30 14:01 23196 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-10-08 13:51 . 2008-08-30 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-10-07 18:47 . 2008-07-14 14:33 -------- d-----w- c:\documents and settings\Тани\Application Data\Skype

2009-10-07 18:46 . 2008-07-14 14:43 -------- d-----w- c:\documents and settings\Тани\Application Data\skypePM

2009-10-07 08:23 . 2009-01-04 08:52 -------- d-----w- c:\documents and settings\Тани\Application Data\CoreFTP

2009-09-23 18:38 . 2009-05-30 09:14 -------- d-----w- c:\documents and settings\Тани\Application Data\uTorrent

2009-09-23 15:53 . 2008-08-30 14:02 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-09-23 15:53 . 2008-08-30 14:02 107547 ----a-w- c:\windows\system32\drivers\klin.dat

2009-07-19 14:49 . 2008-07-08 19:34 31008 ----a-w- c:\documents and settings\Тани\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2003-09-29 21:54 . 2003-09-27 16:06 56 --sh--r- c:\windows\system32\D5F6B3A3EC.sys

2007-11-20 12:00 . 2003-09-27 16:06 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-10 155648]

"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\

Adobe Reader Speed Launch.lnk - d:\program files\Sony Ericsson1\Reader\reader_sl.exe [2004-12-14 29696]

Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-10-24 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"d:\\Program Files\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29.1.2008 г. 18:29 33808]

R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [26.9.2003 г. 20:29 151476]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30.4.2008 г. 18:06 24592]

S3 Mdtbiubans;Mdtbiubans; [x]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.abv.bg/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://my.contact.bg/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: Е&кспортирай в Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {5370039F-9C5A-4CCD-9662-51E52C2B6A6F} = 208.67.222.222,208.67.220.220

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Тани\Application Data\Mozilla\Firefox\Profiles\o5l5qxmj.default\

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: d:\program files\Sony Ericsson1\Reader\browser\nppdf32.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Internet Connection Wizard Setup Tool - c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-08 18:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\localserver32]

@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\typelib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}\proxystubclsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}\typelib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

.

**************************************************************************

.

Completion time: 2009-10-08 19:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-08 15:59

Pre-Run: 3 074 666 496 bytes free

Post-Run: 2 986 188 800 bytes free



You did well!

As you have surely noticed yourself, MBAM did not manage to deal with it completely:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\~WRD0002.tmp

c:\windows\Installer\7674c.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\drivers\b5e20975.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkyqeaxwyrf

-------\Service_gasfkyqeaxwyrf

-------\Service_b5e20975

MalwareBytes' Anti-Malware is a great program, but it lacks self-protection, and its removal is not amazing either. These things are very important and are being worked on, and I hope they will become a fact very soon.

Now:

Download this file and save it to your desktop.

Close all open windows and programs, then take the downloaded file and drop it onto ComboFix. This will start ComboFix, after which you need to accept the license agreement to continue with the installation of the Microsoft Recovery Console. When it finishes, you will be asked whether you want to continue with the scan for malicious software. Choose Yes. Finally, post the ComboFix log in your next post.


Here is the new log


Here is the new log, I think it is different now

ComboFix 09-10-07.05 - Тани 10.2009 г. 19:48.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.284 [GMT 3:00]

Running from: c:\documents and settings\Тани\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Тани\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))

.

2009-10-07 19:31 . 2009-10-07 19:31 -------- d-----w- c:\documents and settings\Тани\Application Data\Malwarebytes

2009-10-07 19:31 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-07 19:31 . 2009-10-07 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-07 19:31 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-08 15:57 . 2008-08-30 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-10-08 15:54 . 2008-08-30 14:01 516128 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-10-08 15:54 . 2008-08-30 14:01 4940 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-10-08 15:54 . 2008-08-30 14:01 2562592 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-10-08 15:54 . 2008-08-30 14:01 23196 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-10-07 18:47 . 2008-07-14 14:33 -------- d-----w- c:\documents and settings\Тани\Application Data\Skype

2009-10-07 18:46 . 2008-07-14 14:43 -------- d-----w- c:\documents and settings\Тани\Application Data\skypePM

2009-10-07 08:23 . 2009-01-04 08:52 -------- d-----w- c:\documents and settings\Тани\Application Data\CoreFTP

2009-09-23 18:38 . 2009-05-30 09:14 -------- d-----w- c:\documents and settings\Тани\Application Data\uTorrent

2009-09-23 15:53 . 2008-08-30 14:02 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-09-23 15:53 . 2008-08-30 14:02 107547 ----a-w- c:\windows\system32\drivers\klin.dat

2009-07-19 14:49 . 2008-07-08 19:34 31008 ----a-w- c:\documents and settings\Тани\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2003-09-29 21:54 . 2003-09-27 16:06 56 --sh--r- c:\windows\system32\D5F6B3A3EC.sys

2007-11-20 12:00 . 2003-09-27 16:06 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-10 155648]

"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\

Adobe Reader Speed Launch.lnk - d:\program files\Sony Ericsson1\Reader\reader_sl.exe [2004-12-14 29696]

Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-10-24 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"d:\\Program Files\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29.1.2008 г. 18:29 33808]

R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [26.9.2003 г. 20:29 151476]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30.4.2008 г. 18:06 24592]

S3 Mdtbiubans;Mdtbiubans; [x]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.abv.bg/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://my.contact.bg/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Е&кспортирай в Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {5370039F-9C5A-4CCD-9662-51E52C2B6A6F} = 208.67.222.222,208.67.220.220

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Тани\Application Data\Mozilla\Firefox\Profiles\o5l5qxmj.default\

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: d:\program files\Sony Ericsson1\Reader\browser\nppdf32.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-08 19:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\localserver32]

@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\typelib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}\proxystubclsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}\typelib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2009-10-08 19:54

ComboFix-quarantined-files.txt 2009-10-08 16:54

ComboFix2.txt 2009-10-08 16:26

ComboFix3.txt 2009-10-08 16:00

Pre-Run: 3 055 206 400 bytes free

Post-Run: 3 043 237 888 bytes free


Well done! Now it has worked. Thank you for the effort!

Open Notepad and, using copy/paste, put the following text into it:

Killall::


Driver::

D5F6B3A3EC

KGyGaAvL

Mdtbiubans


File::

c:\windows\system32\D5F6B3A3EC.sys

c:\windows\system32\KGyGaAvL.sys

c:\windows\system32\Mdtbiubans.sys

Save the file with the name CFScript.txt and drag it onto ComboFix.

[image: CFScriptB-4.gif]

When the program finishes, it will show you the log file. Again, use copy/paste to post that information here.

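As an added example (not part of the original thread, and not ComboFix's own tooling), here is a small Python triage script that reads the Find3M and driver/service lines of a ComboFix log like the ones above, flags the two kinds of entry the helper put into the CFScript (hidden+system .sys files sitting directly in system32, and a registered service whose binary is missing, which ComboFix prints as [x]), and renders the candidates in CFScript syntax for manual review. The sample log lines are constructed from this thread; the heuristic, the function names and the assumption that the Driver:: name equals the file's base name are my own.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the Find3M and driver/service sections of
# the ComboFix logs posted in this thread (not a verbatim copy of either log).
SAMPLE_LOG = """\
2009-10-08 15:54 . 2008-08-30 14:01 516128 --sha-w- c:\\windows\\system32\\drivers\\fidbox2.dat
2009-09-23 15:53 . 2008-08-30 14:02 107547 ----a-w- c:\\windows\\system32\\drivers\\klin.dat
2003-09-29 21:54 . 2003-09-27 16:06 56 --sh--r- c:\\windows\\system32\\D5F6B3A3EC.sys
2007-11-20 12:00 . 2003-09-27 16:06 3350 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\\windows\\system32\\drivers\\klbg.sys [29.1.2008 18:29 33808]
S3 Mdtbiubans;Mdtbiubans; [x]
"""

# Find3M line: "<mtime> . <ctime> <size or --------> <attrs> <path>"
# attrs is an 8-char field: 'd' = directory, 's' = system, 'h' = hidden, 'a' = archive
FIND3M_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Driver/service line: "<R|S><start> <name>;<display>;<image path> [<date> <size>]" or "; [x]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


def is_suspicious_file(attrs: str, path: str) -> bool:
    """Hidden + system .sys file sitting directly in system32 (kernel drivers
    normally live in system32\\drivers, so such a file deserves a manual look)."""
    low = path.lower()
    hidden_system = "s" in attrs and "h" in attrs
    in_system32_root = low.startswith("c:\\windows\\system32\\") and "\\drivers\\" not in low
    return hidden_system and low.endswith(".sys") and in_system32_root


def triage(log_text: str) -> Dict[str, List[str]]:
    """Collect CFScript candidates: {'Driver': [service names], 'File': [paths]}."""
    findings: Dict[str, List[str]] = {"Driver": [], "File": []}
    for line in log_text.splitlines():
        m = FIND3M_RE.match(line)
        if m and is_suspicious_file(m["attrs"], m["path"]):
            findings["File"].append(m["path"])
            # Assumption taken from the CFScript in this thread: the service name
            # for such a driver equals the file's base name without ".sys".
            findings["Driver"].append(m["path"].rsplit("\\", 1)[-1][:-4])
            continue
        m = SERVICE_RE.match(line)
        if m and m["rest"].strip() == "[x]":
            # Registered driver/service whose image file is missing on disk:
            # an orphaned entry, which ComboFix marks with "[x]".
            findings["Driver"].append(m["name"])
    return findings


def render_cfscript(findings: Dict[str, List[str]]) -> str:
    """Render the candidates in CFScript syntax (Killall::, Driver::, File::)."""
    lines = ["Killall::", ""]
    for section in ("Driver", "File"):
        if findings[section]:
            lines.append(f"{section}::")
            lines.extend(findings[section])
            lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

The output is a review aid, not something to feed to ComboFix blindly: a hidden system .sys can also be a DRM or vendor component, so each candidate still needs a human decision.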

Done

ComboFix 09-10-07.05 - Тани 10.2009 г. 20:09.4.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.274 [GMT 3:00]

Running from: c:\documents and settings\Тани\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Тани\Desktop\CFScript.txt

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::

"c:\windows\system32\D5F6B3A3EC.sys"

"c:\windows\system32\KGyGaAvL.sys"

"c:\windows\system32\Mdtbiubans.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\D5F6B3A3EC.sys

c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_Mdtbiubans

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))

.

2009-10-07 19:31 . 2009-10-07 19:31 -------- d-----w- c:\documents and settings\Тани\Application Data\Malwarebytes

2009-10-07 19:31 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-07 19:31 . 2009-10-07 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-07 19:31 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-08 17:14 . 2008-08-30 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-10-08 17:12 . 2008-08-30 14:01 516128 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-10-08 17:12 . 2008-08-30 14:01 4940 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-10-08 17:12 . 2008-08-30 14:01 2562592 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-10-08 17:12 . 2008-08-30 14:01 23196 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-10-07 18:47 . 2008-07-14 14:33 -------- d-----w- c:\documents and settings\Тани\Application Data\Skype

2009-10-07 18:46 . 2008-07-14 14:43 -------- d-----w- c:\documents and settings\Тани\Application Data\skypePM

2009-10-07 08:23 . 2009-01-04 08:52 -------- d-----w- c:\documents and settings\Тани\Application Data\CoreFTP

2009-09-23 18:38 . 2009-05-30 09:14 -------- d-----w- c:\documents and settings\Тани\Application Data\uTorrent

2009-09-23 15:53 . 2008-08-30 14:02 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-09-23 15:53 . 2008-08-30 14:02 107547 ----a-w- c:\windows\system32\drivers\klin.dat

2009-07-19 14:49 . 2008-07-08 19:34 31008 ----a-w- c:\documents and settings\Тани\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-10 155648]

"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\

Adobe Reader Speed Launch.lnk - d:\program files\Sony Ericsson1\Reader\reader_sl.exe [2004-12-14 29696]

Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-10-24 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"d:\\Program Files\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29.1.2008 г. 18:29 33808]

R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [26.9.2003 г. 20:29 151476]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30.4.2008 г. 18:06 24592]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.abv.bg/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://my.contact.bg/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: Е&кспортирай в Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {5370039F-9C5A-4CCD-9662-51E52C2B6A6F} = 208.67.222.222,208.67.220.220

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Тани\Application Data\Mozilla\Firefox\Profiles\o5l5qxmj.default\

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: d:\program files\Sony Ericsson1\Reader\browser\nppdf32.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-08 20:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\localserver32]

@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8e9a-4d4e-9ee9-17a0e48d3bbb}\typelib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}\proxystubclsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1d4c8a81-b7ac-460a-8c23-98713c41d6b3}\typelib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\COMRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

.

**************************************************************************

.

Completion time: 2009-10-08 20:18 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-08 17:18

ComboFix2.txt 2009-10-08 16:54

ComboFix3.txt 2009-10-08 16:26

ComboFix4.txt 2009-10-08 16:00

Pre-Run: 3 052 081 152 bytes free

Post-Run: 2 969 792 512 bytes free


Archive the Qoobox folder, which is located in C:\, and upload it to www.rapidshare.com. Then post the download link. Also, describe the current state of your system.

Step 1:

Uninstall ComboFix and all backup copies of the files it removed:

  • Click the Start button and choose Run
  • Type ComboFix /u in the box and choose OK

[image: 914250f.jpg]

Note: there is a space between ComboFix and /u, and it must be there.

This procedure will:

Delete the following:

  • ComboFix and all files and folders associated with it.
  • The VundoFix backup (if it exists).
  • The Deckard folder (if it exists).
  • The _OtMoveIt folder (if it exists).

  • Reset the clock settings.

  • Hide file extensions, if necessary.

  • Hide system files, if necessary.

  • Reset System Restore.

Step 2:

Download Security Check by screen317 from here or here and save it to your desktop.

  • Double-click SecurityCheck.exe and follow the instructions.
  • At the end, a text document called checkup.txt will open automatically; please paste its contents in your next reply in this thread.

Step 3:

1) Download: ESET Online Scanner

2) Run esetsmartinstaller_enu.exe

3) Tick YES, I accept the Terms of Use and choose Start

4) The scanner will start downloading the components it needs.

5) Make sure the following lines are ticked, including those in the Advanced Settings menu:

  • Remove found threats
  • Scan archives
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

And finally choose Start

6) The scanner will start downloading the latest definitions.

7) After the scan finishes, choose Finish.

8) Go to:

C:\Program Files\ESET\ESET Online Scanner

Open the file log.txt, copy its contents and paste it in your next post here.

When I tried to archive the folder, Kaspersky triggered and warned me about a trojan. After that I turned it off and archived the folder. Otherwise I do not notice any other problems in my system for now.

It is good that it triggered, although it is a little late to be doing so. The folder you sent me contains well-protected malicious software, which we have already removed. Uninstalling ComboFix will delete that folder as well.

Thank you!

Here is the log from step 2

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Kaspersky Anti-Virus 2009

Kaspersky Anti-Virus 2009

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

Adobe Flash Player 10

Adobe Reader 7.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Am I to understand that the trojan has been removed and the problem is solved? Should I post the log from step 3 as well?

No problem! Remember that tomorrow is another day. If you are at work or school, there is no need to wear yourself out tonight. I am following the thread and have taken on your case, so keep that in mind.

The scan is currently at 72%. I will wait for it to finish and post the log, but if there is still a lot of work after that, I suggest we continue tomorrow.
