Откраднаха ми паролите на различни акаунти явно съм хванал някакъв keylogger и затова сканирах и ето какво откри Malwarebytes Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4052 Windows 5.1.2600 Service Pack 3 Internet Explorer 6.0.2900.5512 9/1/2010 21:34:43 mbam-log-2010-09-01 (21-34-43).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 212550 Time elapsed: 43 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 13 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9b71d88c-c598-4935-c5d1-43aa4db90836} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{9b71d88c-c598-4935-c5d1-43aa4db90836} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\bifrost (Bifrose.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\bifrost (Bifrose.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\Insaneboy\Local Settings\Temp\dialup.exe (Hacktool.Dialupass) -> Quarantined and deleted successfully. C:\Downloads\BS Player Pro v2.12.942 Pro + Keygen\keygen.exe (Trojan.Hacktool) -> Quarantined and deleted successfully. D:\_keygen.exe (Trojan.Hacktool) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{723BEF07-1DD3-4BCD-9419-1FE217220B70}\RP8\A0003395.exe (Trojan.Hacktool) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{723BEF07-1DD3-4BCD-9419-1FE217220B70}\RP8\A0003492.exe (Trojan.Downloader) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{723BEF07-1DD3-4BCD-9419-1FE217220B70}\RP8\A0003564.exe (Trojan.Downloader) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{723BEF07-1DD3-4BCD-9419-1FE217220B70}\RP8\A0003667.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{723BEF07-1DD3-4BCD-9419-1FE217220B70}\RP9\A0006681.exe (Trojan.Downloader) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{D682BD76-7865-43B5-8749-455022232663}\RP30\A0017246.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully. D:\System Volume Information\_restore{FDE151D0-8751-41AA-B48F-657273DCE79F}\RP31\A0012060.exe (Trojan.Agent) -> Quarantined and deleted successfully. D:\Desktop\New Folder (5)\YaMH-2 UPDATED\YaMH.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Program Files\Bifrost\klog.dat (Backdoor.Bifrose) -> Quarantined and deleted successfully. C:\Documents and Settings\Insaneboy\Local Settings\Temp\mspass.exe (HackTool.Agent) -> Quarantined and deleted successfully. Показва Trojan.HackTool това ли е било, това ли ми е откраднало паролите :?

Редактирано 2 септември 201015 г. от nologo (преглед на промените)

Добър вечер. Имам въпрос. Може ли да обясните какво е това:

C:\Downloads\BS Player Pro v2.12.942 Pro + Keygen\keygen.exe (Trojan.Hacktool) -> Quarantined and deleted successfully.

Backdoor.Bifrost is a disturbing backdoor trojan that can steal confidential data and harm pc files!

Да значи това ми ги е откраднало, но кажете с какво да сканирам друго за да се уверя че всичко е изчистено, Malwarebytes не открива вече нищо

1. Не ми отговорихте на въпроса.

2. Не направихте стъпка 4 от тази тема.

Как да ви помогнем?

Извинявам се 1. Ами по принцип това трябва да е кейген за bs player досега не го е намирало като вирус 2. Изпълних стъпка 4 DDS.txt Attach.txt

Хм, дърпаме нелегален софт и после се чудим какво става...

Следва:

Стъпка 1

Следвайте следната инструкция за работа с Security Check:

• Изтеглете Security Check (автор: screen317) от тук или от тук и го запишете на десктопа.
• Кликнете два пъти върху SecurityCheck.exe и следвайте инструкциите.
• Когато програмата завърши работата си, ще се отвори един текстов документ: checkup.txt.
• Копирайте съдържанието с Копирай (Copy) на checkup.txt и с Постави (Paste) го поставете в следващия си коментар.

Стъпка 2

Изтрийте точките за възстановяване на системата:

Това става с изключване на System Restore: Start -> десен клик на My Computer -> Properties -> в System Properties клик на System Restore и маркиране на Turn off System Restore on all drives, после ОК. След това следва включване на System Restore.

Стъпка 3

• Стартирайте отново Malwarebytes' Anti-Malware и направете обновяване (Update) до последната версия на дефинижиите. Изберете бързо сканиране (Perform Quick Scan), след това кликнете на Scan.
• Сканирането ще отнеме малко време, затова моля бъдете търпеливи.
• Когато сканирането завърши, кликнете на OK, след това Show Results, за да видите резултата.
• Уверете се, че на всички редове има отметки, и кликнете Remove Selected.
• Когато всичко бъде премахнато, логът ще бъде отворен в Notepad. Копирайте лога и го публикувайте в следващия си коментар в темата.

Забележка: Ако MalwareBytes' Anti-Malware се затрудни в премахването на откритите вируси/заплахи, той ще поиска да рестартира компютъра и по време на рестартирането да премахне проблемните вируси/заплахи. Ако бъдете попитани, потвърдете че желаете вашия компютър да бъде рестартиран.

checkup.txt

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET NOD32 Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Adobe Flash Player 10.1.82.76

Adobe Reader 9.3 - Bulgarian

Mozilla Firefox (3.5.11) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

````````````````````````````````

DNS Vulnerability Check:

POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)

``````````End of Log````````````

---------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4525

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

9/1/2010 23:22:37

mbam-log-2010-09-01 (23-22-37).txt

Scan type: Quick scan

Objects scanned: 126330

Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Insaneboy\Application Data\chrtmp (Malware.Trace) -> Quarantined and deleted successfully.

mbam-log-2010-09-01 (23-22-37).txt

Редактирано 1 септември 201015 г. от rock n roll (преглед на промените)

Добре. Ще трябва да се направят още малко проверки:

Стъпка 1

Следвайте следната инструкция за работа с GMER:

• Изтеглете този файл и го разархивирайте на десктопа.
• Временно спрете Интернет и всички работещи програми, както и антивирусната си програма (ако има такава).
• Преименувайте GMER.exe на Tool.exe и го стартирайте.

  Забележки:

  1. Сканирането може да доведе до грешки, затова не предприемайте никакви действия върху редовете маркирани с "<--- ROOKIT" без да имате инструкция за това.

  2. Ако GMER не се стартира или не работи коректно, не предприемайте повторен опит за стартиране. Moже да пробвате и в Safe Mode, но само веднъж.

• Ако бъде открит Rootkit, ще последва въпрос дали желаете пълно сканиране на системата. Изберете NO.
• В десния панел на програмата ще видите какво е проверено, но не променяйте нищо. Убедете се, че на Show All няма отметка.
• Маркирайте всички устройства: C:, D: и пр.
• Натиснете бутона Scan и изчакайте програмата да завърши сканирането.
• Когато завърши сканирането, натиснете бутона Save и запишете (save as) резултатите на десктопа с име: Results.log
• Вече можете да включите Интернет.
• Прикачете в следващия си коментар (погледнете опцията "прикачени файлове", когато публикувате мнение) лога на GMER - Results.log.

Стъпка 2

Следвайте следната инструкция за работа с OTL:

• Изтеглете OTL.exe и го запазете на десктопа.
• Стартирайте файла с двукратен клик на мишката.
• Направете следните настройки:

• Под "Custom Scans/Fixes" с Copy/ Paste въведете изцяло следната информация от цитата по-долу (без думата Цитат):

netsvcs

msconfig

safebootminimal

safebootnetwork

activex

drivers32

%SYSTEMDRIVE%\*.exe

%systemroot%\*. /mp /s

%ALLUSERSPROFILE%\Application Data\*.

%ALLUSERSPROFILE%\Application Data\*.exe /s

%APPDATA%\*.

%APPDATA%\*.exe /s

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

beep.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

ahcix86s.sys

KR10N.sys

nvstor32.sys

nvrd32.sys

explorer.exe

svchost.exe

userinit.exe

symmpi.sys

qmgr.dll

ws2_32.dll

proquota.exe

imm32.dll

kernel32.dll

ndis.sys

autochk.exe

spoolsv.exe

xmlprov.dll

ntmssvc.dll

mswsock.dll

ntfs.sys

tcpip.sys

termsrv.dll

sfcfiles.dll

st3shark.sys

srsvc.dll

adp3132.sys

mv61xx.sys

/md5stop

CREATERESTOREPOINT

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\system32\drivers\*.sys /lockedfiles

%systemroot%\System32\config\*.sav

%systemroot%\system32\drivers\*.sys /90

• Натиснете маркираният в синьо бутон: .
• Като приключи проверката, ще се създадат два файла - OTL.Txt и Extras.Txt.
• Прикачете в следващия си коментар (погледнете опцията "прикачени файлове", когато публикувате мнение) логовете от OTL: OTL.Txt, Extras.Txt.

С GMER не можах да запиша лога понеже компютъра ми заби след сканирането просто не искаше да го сейфа, чаках 1 час сега сканира с OTL EDIT: ето OTL.Txt Extras.Txt Кажи дали съм се отървал от гадния кейлогър да знам дали пак да сменям паролите понеже преди да сканирам ги бях сменил но ако е имало още ккейлогъра възможно ли е пак да ми ги открие онзи

Редактирано 2 септември 201015 г. от rock n roll (преглед на промените)

Ето какво следва:

Стъпка 1

Стартирайте пак OTL.exe и с Copy/ Paste под колонката Custom Scans/Fixes въведете скриптовия текст от цитата по-долу, като не забравяте да копирате скрипта 1 към 1 (без думата Цитат), както и двете точки преди първия ред на скрипта.

:OTL

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found

DRV - (GMSIPCI) -- E:\INSTALL\GMSIPCI.SYS File not found

DRV - (cpuz132) -- C:\DOCUME~1\INSANE~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found

O4 - HKLM..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe File not found

O4 - HKU\S-1-5-21-1390067357-343818398-682003330-1003..\Run: [Form1] C:\Documents and Settings\Insaneboy\My Documents\??????????\SEnuke Cracked by SUDOCHOP.exe File not found

:Files

recycler /alldrives

ipconfig /flushdns /c

:Commands

[purity]

[clearallrestorepoints]

[emptytemp]

[emptyflash]

[Reboot]

След като въведете скрипта от цитата по-горе натиснете бутона, маркиран в червено:

Ще се създаде лог файл. Копирайте и поставете този файл в следващия си коментар.

Стъпка 2

След като завършите с OTL, направете отново бързо сканиране с MBAM (виж стъпка 3 от този коментар) и публикувайте лог.

P.S. Изчакайте да свършим с почистването. Можете да си смените паролите когато пожелаете.

Ето OTL лога:

All processes killed

========== OTL ==========

Service HidServ stopped successfully!

Service HidServ deleted successfully!

File C:\WINDOWS\System32\hidserv.dll File not found not found.

Service GMSIPCI stopped successfully!

Service GMSIPCI deleted successfully!

File E:\INSTALL\GMSIPCI.SYS File not found not found.

Service cpuz132 stopped successfully!

Service cpuz132 deleted successfully!

File C:\DOCUME~1\INSANE~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DrvIcon deleted successfully.

Registry value HKEY_USERS\S-1-5-21-1390067357-343818398-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Form1 deleted successfully.

========== FILES ==========

C:\RECYCLER\S-1-5-21-1390067357-343818398-682003330-1003 folder moved successfully.

C:\RECYCLER folder moved successfully.

D:\RECYCLER\S-1-5-21-842925246-746137067-682003330-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\WINDOWS\INF folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\WINDOWS folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\SETUP folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE\OFFICE11\1033 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE\OFFICE11 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\1033 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users\90000409-6000-11D3-8CFE-0150048383C9 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2\All Users folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd2 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003\Dd1 folder moved successfully.

D:\RECYCLER\S-1-5-21-839522115-823518204-1417001333-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-790525478-1085031214-1801674531-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-6549437938-1354571627-171713836-2836 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd96 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd95 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd94 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd93 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd92 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd91 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd90 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd88 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd83 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd78 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd73 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd68 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd63 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd539 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd538 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd537 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd536 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd535 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd34 folder moved successfully.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd33 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd32 scheduled to be moved on reboot.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd190 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd189 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd188 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd185 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd182 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd181 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd178 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd177 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd174 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd173 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd17 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd16 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd15 folder moved successfully.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003 scheduled to be moved on reboot.

D:\RECYCLER\S-1-5-21-583907252-746137067-1801674531-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-507921405-1897051121-839522115-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-4159518785-2567194900-627778192-8486 folder moved successfully.

D:\RECYCLER\S-1-5-21-3490909423-1895654575-427360866-6982 folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\_SQL_DB_BACKUP folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Wings folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Weapons folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Shields folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Pants folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Misc folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Helms folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Gloves folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Boots folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images\Armors folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source\Images folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\r0yal_shop_edit_source folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MU_Launcher_Builder\MU_Launcher_Builder folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MU_Launcher_Builder folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Lang folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Skills folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Pj folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Maps folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Items\Fondo folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Items\EXE folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Items\ANC folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img\Items folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker\Img folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\MuMaker folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities\Main Editor folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\MuUtilities folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\links folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs\Server_Conn_State_Log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs\Log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs\Kundun_Event_Log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs\Kundun_Event_GM_Log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs\Kanturu_Test_Log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs\CS_PCRoom_User_Log folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver_cs folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver\SERVER_CONN_STATE_LOG folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver\KUNDUN_EVENT_LOG folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver\KUNDUN_EVENT_GM_LOG folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver\KANTURU_TEST_LOG folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\gameserver folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\db folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\data\Terrains folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\data folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1\bin folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500\Dd1 folder moved successfully.

D:\RECYCLER\S-1-5-21-343818398-583907252-682003330-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-3329330352-9821769414-737215241-4710 folder moved successfully.

D:\RECYCLER\S-1-5-21-1960408961-1547161642-839522115-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-1844237615-879983540-682003330-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-1801674531-861567501-2146743481-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-1645522239-179605362-682003330-1003\Dd1 folder moved successfully.

D:\RECYCLER\S-1-5-21-1645522239-179605362-682003330-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-1454471165-573735546-1801674531-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-1390067357-343818398-682003330-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-1093534025-0426584408-017702133-6796 folder moved successfully.

D:\RECYCLER\S-1-5-21-0827736008-0260907402-658420380-4226 folder moved successfully.

Folder move failed. D:\RECYCLER scheduled to be moved on reboot.

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Insaneboy\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\Insaneboy\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

Restore points cleared and new OTL Restore Point set!

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Insaneboy

->Temp folder emptied: 365959613 bytes

->Temporary Internet Files folder emptied: 9956032 bytes

->Java cache emptied: 123232 bytes

->FireFox cache emptied: 48677753 bytes

->Google Chrome cache emptied: 33203647 bytes

->Opera cache emptied: 5727860 bytes

->Flash cache emptied: 12593022 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2402044 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 8007741 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 464.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: Insaneboy

->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.11.0 log created on 09022010_102251

Files\Folders moved on Reboot...

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd33 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd32 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd33 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd32 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd33 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003\Dd32 scheduled to be moved on reboot.

Folder move failed. D:\RECYCLER\S-1-5-21-606747145-1292428093-1801674531-1003 scheduled to be moved on reboot.

D:\RECYCLER\S-1-5-21-1390067357-343818398-682003330-1003 folder moved successfully.

Folder move failed. D:\RECYCLER scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Извинявам се, но не иска да го качи като файл.

И ето и Malwarebytes лога:

mbam-log-2010-09-02 (10-30-24).txt

Редактирано 2 септември 201015 г. от rock n roll (преглед на промените)

Добре, сега следва още една проверка, за да бъдем по-сигурни дали има някакви остатъци:

Следвайте следната инструкция за проверка с F-Secure Online Scanner:

• Изтеглете го от тук и стартирайте програмата с английски интерфейс (English). За сканиране изберете Start Scanning. Ако получите съобщение да инсталирате ActiveX се съгласете и го инсталирайте. След това натиснете ОК, зa да се съгласите с лицензионните права и за да започне сканиране.
• Маркирайте пълно сканиране (Full System Scan), изчакайте обновяването на дефинициите и завършването на сканирането.
• След като сканирането завърши, изберете Automatic cleaning (recommended) и изчакайте.
• Най-накрая натиснете Show report. Копирайте (Copy) и поставете (Paste) резултатите от сканирането в следващия си коментар.

Scanning Report

Thursday, September 2, 2010 11:08:37 - 11:16:50

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

No malware found

Statistics

Scanned:

* Files: 26824

* System: 3009

* Not scanned: 11

Actions:

* Disinfected: 0

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

* C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

* C:\DOCUMENTS AND SETTINGS\INSANEBOY\LOCAL SETTINGS\TEMP\HSPERFDATA_INSANEBOY\2472

* C:\DOCUMENTS AND SETTINGS\INSANEBOY\LOCAL SETTINGS\TEMP\HSPERFDATA_INSANEBOY\3536

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

това ли е репорта, натиснах Full Report... и се появи в браузера това, друг лог няма

С нещо друго ще сканираме ли

Редактирано 2 септември 201015 г. от rock n roll (преглед на промените)

Последно: Start -> Run -> пишеш cmd и въведи с Copy/Paste текста, маркиран в синьо:

tasklist /svc /fi "imagename eq svchost.exe" >> C:\log.txt

натисни ENTER. Пусни съдържанието на C:\log.txt в следващия си коментар.

Ето, ако има още нещо, проверки и тн. казвай, искам да съм 100% сигурен че ПС-то е изчистено. log.txt

Редактирано 2 септември 201015 г. от rock n roll (преглед на промените)

Сега има ли някакви оплаквания от Windows?

Не, няма. Просто един ми беше откраднал паролите с keylogger но го намерих и го убедих да ми ги върне. Всичко е наред, просто искам да знам, че няма да може да ми ги открадне пак и че keylogger-а е изчистен.

Добре. Windows изглежда чист.

Сега:

Следвайте следната инструкция за деинсталиране на OTL:

Стартирайте OTL.exe още веднъж и натиснете бутона CleanUp!

При дeинсталацията на OTL ще бъдат почистени инструменти и файлове, които използвахме в темата. Ще последва рестарт на Windows. Останалите файлове, програми и логове може да почистите ръчно. Оставете си MBAM и сканирайте от време на време.

Сега маркирам проблема като приключен и добавям [РЕШЕН] в заглавието на темата.

Успех!

Благодаря за отделеното време!

И аз благодаря за вниманието. Справи се много добре със скриптовите инструменти и инструкциите. Приятна вечер.