
Strange file

Hello. For a few days now NOD has been warning me about dangerous sites. Until today I thought it was my own fault, but today I let it run a scan, then looked through the Detected Threats log files and noticed that a file from system32 is connecting to the site. The file is called mshta.exe and it is located in C:\WINDOWS\system32. I tried to delete it, but it turned out to be a running process; I stopped it and deleted it... but after 10 seconds it came back, connected to the site again and NOD started screaming again. I deleted it again and again and again, but it always came back. Any ideas? :ph34r:

............

Any ideas? :question:

If you wish, post in this section. Read its rules. After you have completed steps 3 and 4 from here, open a new topic and post the MBAM and DDS logs. Good luck!

If you don't want to, no problem. It will most likely turn into a mess, like this topic.

Virut!

But still, carry out colleague Nologo's recommendations so we can be 100% sure; I may be wrong, and hopefully I am!

The topic is being moved to the subforum!

OK. In that case we await the Malwarebytes' Anti-Malware (MBAM) and DDS logs.

Here are the logs:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5293

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11.12.2010 г. 13:46:27

mbam-log-2010-12-11 (13-46-27).txt

Scan type: Full scan (C:\|E:\|)

Objects scanned: 349357

Time elapsed: 1 hour(s), 3 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{4b8b444d-14e2-410c-bd3f-5b2c12aafafc}\RP661\A0194979.dll (Malware.Packer) -> Quarantined and deleted successfully.

e:\system volume information\_restore{4b8b444d-14e2-410c-bd3f-5b2c12aafafc}\RP638\A0184372.dll (Malware.Packer) -> Quarantined and deleted successfully.

e:\system volume information\_restore{4b8b444d-14e2-410c-bd3f-5b2c12aafafc}\RP638\A0184388.exe (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.

e:\system volume information\_restore{4b8b444d-14e2-410c-bd3f-5b2c12aafafc}\RP640\A0184573.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

e:\system volume information\_restore{4b8b444d-14e2-410c-bd3f-5b2c12aafafc}\RP654\A0188231.exe (Trojan.Meredrop) -> Quarantined and deleted successfully.

DDS:

Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 29.11.2009 г. 08:24:33

System Uptime: 11.12.2010 г. 12:25:43 (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5KPL-AM IN/ROEM/SI

Processor: Intel Pentium III Xeon processor | Socket 775 | 2600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 49 GiB total, 30,848 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 417 GiB total, 273,43 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP618: 30.11.2010 г. 14:52:07 - Before uninstall FlexType 2K

RP619: 01.12.2010 г. 19:27:54 - Before uninstall Norton Security Scan

RP620: 02.12.2010 г. 15:50:57 - Before uninstall Web Page Maker V3.21

RP621: 03.12.2010 г. 16:44:14 - System Checkpoint

RP622: 04.12.2010 г. 16:49:33 - Before uninstalling Hero Editor V0.96

RP623: 04.12.2010 г. 16:50:10 - Before uninstalling Unlocker 1.9.0

RP624: 04.12.2010 г. 16:53:44 - Before uninstalling avast! Pro Antivirus

RP625: 04.12.2010 г. 16:53:54 - avast! Pro Antivirus Setup

RP626: 04.12.2010 г. 17:00:04 - Before uninstalling Malwarebytes' Anti-Malware

RP627: 04.12.2010 г. 17:02:32 - Before uninstalling iolo technologies' System Mechanic

RP628: 04.12.2010 г. 17:04:24 - Before uninstalling Winamp

RP629: 04.12.2010 г. 17:08:13 - avast! Free Antivirus Setup

RP630: 04.12.2010 г. 17:15:37 - Before uninstalling avast! Free Antivirus

RP631: 04.12.2010 г. 17:15:50 - avast! Pro Antivirus Setup

RP632: 04.12.2010 г. 17:27:16 - avast! Pro Antivirus Setup

RP633: 04.12.2010 г. 17:59:20 - Before uninstalling CPUID HWMonitor 1.16

RP634: 04.12.2010 г. 22:01:06 - Установлен Яндекс.Бар 5.0 для Internet Explorer

RP635: 04.12.2010 г. 22:41:40 - Installed Splash PRO

RP636: 04.12.2010 г. 22:45:03 - Installed Splash PRO

RP637: 04.12.2010 г. 22:57:55 - Before uninstalling Product Key Explorer 2.4.8

RP638: 05.12.2010 г. 16:39:44 - Before uninstalling Guitar Pro 6

RP639: 06.12.2010 г. 11:54:35 - Removed Splash PRO

RP640: 06.12.2010 г. 11:55:13 - Installed Splash PRO

RP641: 06.12.2010 г. 17:44:53 - Before uninstalling Euro Truck Simulator v1.3

RP642: 06.12.2010 г. 17:48:12 - Before uninstalling Euro Truck Simulator 1.00

RP643: 06.12.2010 г. 18:11:49 - Before uninstalling German Truck Simulator 1.04

RP644: 06.12.2010 г. 18:48:26 - Before uninstalling BlazeDTV 6.0

RP645: 06.12.2010 г. 20:06:37 - Before uninstalling avast! Pro Antivirus

RP646: 06.12.2010 г. 20:06:45 - avast! Pro Antivirus Setup

RP647: 06.12.2010 г. 21:26:55 - Removed Java 6 Update 17

RP648: 06.12.2010 г. 21:27:05 - Installed Java 6 Update 22

RP649: 10.12.2010 г. 15:30:22 - Installed ESET Smart Security

RP650: 07.12.2010 г. 17:22:01 - Before uninstalling Web Page Maker V3.21

RP651: 07.12.2010 г. 17:24:24 - Before uninstalling Front Mission Evolved

RP652: 07.12.2010 г. 17:35:54 - Before uninstalling The Chronicles of Riddick - Assault on Dark Athena

RP653: 07.12.2010 г. 17:36:02 - Removed The Chronicles of Riddick - Assault on Dark Athena

RP654: 07.12.2010 г. 17:37:35 - Before uninstalling Max Payne 2

RP655: 07.12.2010 г. 20:50:17 - Before uninstalling Break Time

RP656: 07.12.2010 г. 20:59:00 - Before uninstalling Break Time

RP657: 08.12.2010 г. 16:50:09 - Before uninstalling Euro Truck Simulator v1.3

RP658: 08.12.2010 г. 16:51:04 - Before uninstalling Euro Truck Simulator

RP659: 08.12.2010 г. 16:52:47 - Before uninstalling RocketDock 1.3.5

RP660: 08.12.2010 г. 16:53:39 - Before uninstalling Virtual DJ Pro Full - Atomix Productions

RP661: 09.12.2010 г. 16:18:16 - Before uninstalling AVG Anti-Spyware 7.5

RP662: 10.12.2010 г. 17:06:55 - Revo Uninstaller Pro's restore point - Avira AntiVir Personal - Free Antivirus

RP663: 10.12.2010 г. 17:08:26 - Revo Uninstaller Pro's restore point - Immunet Protect

RP664: 10.12.2010 г. 17:10:36 - Revo Uninstaller Pro's restore point - Your Uninstaller! 2010

RP665: 10.12.2010 г. 17:16:20 - Revo Uninstaller Pro's restore point - ESET Smart Security

RP666: 10.12.2010 г. 17:37:04 - Installed ESET Smart Security

RP667: 10.12.2010 г. 17:52:37 - Installed ESET Smart Security

RP668: 10.12.2010 г. 18:01:13 - Revo Uninstaller Pro's restore point - FIFA 11

RP669: 10.12.2010 г. 18:37:59 - Installed ESET Smart Security

==== Installed Programs ======================

Activision®

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color - Photoshop Specific

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Default Language CS3

Adobe Device Central CS3

Adobe ExtendScript Toolkit 2

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Fonts All

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Photoshop CS3

Adobe Reader 7.0

Adobe Setup

Adobe Shockwave Player 11.5

Adobe Stock Photos CS3

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS3

Apple Application Support

Apple Software Update

Assassin's Creed

ATI - Software Uninstall Utility

ATI AVIVO Codecs

ATI Catalyst Control Center

ATI Display Driver

ATI Problem Report Wizard

Blur

BS.Player PRO

Call of Duty® - World at War

Camtasia Studio 7

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

Catalyst Control Center Localization All

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CCleaner

CheMax 11.6

ClassicPro© v1.15

CPUID HWMonitor 1.17

DiRT

EAX4 Unified Redist

ESET Smart Security

FIFA 11

FlashGet 1.9.6.1073

FlexType 2K

Fraps (remove only)

FUEL

Google Update Helper

GTA San Andreas

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB976002-v5)

ImagXpress

Java Auto Updater

Java 6 Update 22

Landwirtschafts Simulator 2011

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.7

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox (3.6.13)

MSVC80_x86_v2

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB925673)

Need for Speed Underground 2

Need for Speed Hot Pursuit

Need for Speed™ Most Wanted

Need for Speed™ Undercover

Nero OEM

neroxml

Night_Raven Codec Pack

NVIDIA PhysX

OpenAL

P2PFilter 3.0.5

PC Camera

PC Connectivity Solution

PDF Settings

Platform

Prototype

QuickTime

REALTEK GbE & FE Ethernet PCI-E NIC Driver

RESIDENT EVIL 5

Revo Uninstaller Pro 2.4.1

runtime

SA Dictionary 2010 Beta 1

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Skype™ 4.2

Snagit 9.1.3

Splash PRO

System Requirements Lab CYRI

Test Drive Unlimited GOLD 1.66A Rus

Unity Web Player

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB898461)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973815)

Vegas Pro 9.0

viDrop

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WebFldrs XP

WebTrance3.0 (ґµёЅст°»ёр°Ѕµ)

Winamp

Winamp Detector Plug-in

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Presentation Foundation

WinRAR archiver

XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415 AFD AsIO ehdrv epfwtdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415 AFD AsIO ehdrv epfwtdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

11.12.2010 г. 12:37:42, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 23:07:08, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 23:06:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 23:05:46, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 21:07:23, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 20:35:32, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 20:35:03, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 20:33:50, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 20:32:28, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 20:32:23, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\mshta.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

10.12.2010 г. 18:04:34, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ehdrv epfwtdi

10.12.2010 г. 18:04:34, error: Service Control Manager [7000] - The ESET Service service failed to start due to the following error: The system cannot find the file specified.

10.12.2010 г. 18:04:34, error: Service Control Manager [7000] - The epfw service failed to start due to the following error: The system cannot find the file specified.

10.12.2010 г. 18:00:38, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.

10.12.2010 г. 18:00:38, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 18:00:38, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 18:00:38, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 18:00:38, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 17:56:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10.12.2010 г. 17:55:18, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:

10.12.2010 г. 17:55:18, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:55:18, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:55:18, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:55:18, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:55:00, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

10.12.2010 г. 17:54:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10.12.2010 г. 17:49:59, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:

10.12.2010 г. 17:49:59, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:49:59, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:49:59, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:49:59, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10.12.2010 г. 17:49:17, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10.12.2010 г. 15:29:51, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 15:29:48, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 15:29:48, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

10.12.2010 г. 15:29:47, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

09.12.2010 г. 19:03:20, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

08.12.2010 г. 19:57:08, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\normalcolor\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:57:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\luna.msstyles. This file was restored to the original version to maintain system stability. The file version of the system file is 1.0.0.1.

08.12.2010 г. 19:57:00, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\homestead\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:56:54, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\metallic\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:56:54, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\homestead\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:56:53, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\normalcolor\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:56:45, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\normalcolor\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:56:45, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\luna.msstyles. This file was restored to the original version to maintain system stability. The file version of the system file is 1.0.0.1.

08.12.2010 г. 19:52:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\shell\normalcolor\shellstyle.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

08.12.2010 г. 19:52:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\luna.msstyles. This file was restored to the original version to maintain system stability. The file version of the system file is 1.0.0.1.

08.12.2010 г. 19:43:31, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\resources\themes\luna\luna.msstyles. This file was restored to the original version to maintain system stability. The file version of the system file is 1.0.0.1.

08.12.2010 г. 18:00:15, error: ati2mtag [108] - The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.

07.12.2010 г. 17:58:12, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\pchealth\uploadlb\binaries\uploadm.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

05.12.2010 г. 16:50:28, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================

DDS

DDS (Ver_10-12-05.01) - NTFSx86

Run by YOVKO at 13:47:10,64 on 11.12.2010 г.

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.2047.922 [GMT 0:00]

AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe

C:\windows\system32\svchost -k DcomLaunch

svchost.exe

C:\windows\System32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\windows\system32\Ati2evxx.exe

C:\windows\system32\spoolsv.exe

C:\windows\Explorer.EXE

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\Datecs\Flex2K.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\windows\system32\PnkBstrA.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Winamp\winamp.exe

C:\windows\System32\mshta.exe

C:\Documents and Settings\YOVKO\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flextype 2k.lnk - c:\windows\datecs\Flex2K.exe

IE: &Download All with FlashGet - c:\progra~1\flashget\jc_all.htm

IE: &Download with FlashGet - c:\progra~1\flashget\jc_link.htm

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - c:\progra~1\skycode\webtra~1\wt2ie.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yovko\applic~1\mozilla\firefox\profiles\etlbcaeb.default\

FF - prefs.js: browser.startup.homepage - hxxp://clients.comtrade-bg.net/index.php

FF - plugin: c:\documents and settings\yovko\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\yovko\applic~1\mozilla\firefox\profiles\etlbcaeb.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\yovko\applic~1\mozilla\firefox\profiles\etlbcaeb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\yovko\applic~1\mozilla\firefox\profiles\etlbcaeb.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R1 6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415;6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415;c:\windows\iprot\6bd6aafb-ce29-4dbb-ad25-c59a3e0c7415\PhysMem.sys [2010-7-2 3584]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-12-4 21992]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-11-4 810144]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-4 363344]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-4 20952]

R3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-10-25 616064]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-3-8 1057024]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-25 137344]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-25 8320]

S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-11-30 42512]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-12-10 27064]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-12-11 13:46:29 54016 ----a-w- c:\windows\system32\drivers\nbjoo.sys

2010-12-10 21:16:01 -------- d-----w- c:\program files\CCleaner

2010-12-10 18:38:01 -------- d-----w- c:\program files\ESET

2010-12-10 17:59:42 -------- d-----w- c:\docume~1\yovko\applic~1\ESET

2010-12-10 17:05:45 -------- d-----w- c:\docume~1\yovko\locals~1\applic~1\VS Revo Group

2010-12-10 17:05:36 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-12-10 17:05:31 -------- d-----w- c:\program files\VS Revo Group

2010-12-10 15:32:01 -------- d-----w- c:\documents and settings\all users\Immunet

2010-12-10 15:32:01 -------- d-----w- c:\docume~1\yovko\applic~1\Immunet

2010-12-10 14:53:08 -------- d-----w- c:\windows\system32\NtmsData

2010-12-09 16:08:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Grisoft

2010-12-07 20:26:27 -------- d-----w- c:\program files\Break Time

2010-12-07 19:20:07 -------- d-----w- c:\docume~1\yovko\applic~1\DAEMON Tools Pro

2010-12-07 19:20:07 -------- d-----w- c:\docume~1\yovko\applic~1\DAEMON Tools Lite

2010-12-07 18:35:12 -------- d-----w- c:\program files\RocketDock

2010-12-07 17:53:45 -------- d-----w- c:\docume~1\yovko\applic~1\URSoft

2010-12-06 21:27:28 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-12-06 21:27:28 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-12-06 18:35:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\BlazeVideo

2010-12-06 18:35:20 14 ----a-w- c:\windows\system32\systeminfo.dll

2010-12-06 11:53:58 -------- d-----w- c:\windows\XSxS

2010-12-04 22:41:56 -------- d-----w- c:\docume~1\yovko\applic~1\Mirillis

2010-12-04 22:41:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Mirillis

2010-12-04 22:41:55 -------- d-----w- c:\docume~1\yovko\locals~1\applic~1\Mirillis

2010-12-04 22:41:41 -------- d-----w- c:\program files\Mirillis

2010-12-04 22:00:54 -------- d-----w- c:\docume~1\yovko\locals~1\applic~1\Opera

2010-12-04 22:00:43 -------- d-----w- c:\program files\CheMax

2010-12-04 18:01:09 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys

2010-12-04 17:48:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-04 17:48:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-04 17:48:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-04 17:38:18 -------- d-----w- c:\program files\Winamp Detect

2010-12-02 15:58:06 12800 ----a-w- c:\program files\mozilla firefox\plugins\npwachk.dll

2010-12-01 19:27:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec

2010-12-01 19:27:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton

2010-12-01 19:27:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

2010-12-01 13:44:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Web Page Maker

2010-11-30 14:54:20 5120 ----a-w- c:\windows\system32\vga856.fon

2010-11-30 14:54:17 7440 ----a-w- c:\windows\system32\KBDDLL.DLL

2010-11-30 14:54:17 6928 ----a-w- c:\windows\system32\kbdhebx.Dll

2010-11-30 14:54:17 6416 ----a-w- c:\windows\system32\kbdinori.Dll

2010-11-30 14:54:17 6416 ----a-w- c:\windows\system32\kbdinasa.Dll

2010-11-30 14:54:17 6416 ----a-w- c:\windows\system32\kbdbp.Dll

2010-11-30 14:54:17 6416 ----a-w- c:\windows\system32\kbdbds.Dll

2010-11-30 14:54:17 28672 ----a-w- c:\windows\system32\newdll.dll

2010-11-30 14:54:16 8992 ----a-w- c:\windows\system32\kbdbphz.dLL

2010-11-30 14:54:16 8992 ----a-w- c:\windows\system32\KBDBPH.dLL

2010-11-30 14:54:16 -------- d-----w- c:\windows\Datecs

2010-11-19 17:31:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\EA Core

2010-11-19 17:14:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Solidshield

2010-11-14 12:00:13 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-11-14 12:00:13 249856 ------w- c:\windows\Setup1.exe

==================== Find3M ====================

2010-12-06 21:27:18 472808 -c--a-w- c:\windows\system32\deployJava1.dll

2010-11-19 14:42:17 103736 -c--a-w- c:\windows\system32\PnkBstrB.exe

2010-11-11 15:03:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe

2010-10-03 21:53:35 74703 -c--a-w- c:\windows\system32\mfc45.dll

2010-09-18 12:23:26 974848 -c--a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 -c--a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 -c--a-w- c:\windows\system32\mfc40u.dll

2006-11-20 09:01:08 163840 -c--a-w- c:\program files\common files\AMCap.exe

============= FINISH: 13:52:45,25 ===============

Edited by mustang_94

Sorry for the delay, I have been quite busy...

Now upload (Upload a file) the following file to VirusTotal:

c:\windows\system32\drivers\nbjoo.sys

Copy the path of the file highlighted above and go to the text box labelled "Browse". Paste the file path into the File Name field, then click Open. Then click Send File on VirusTotal. Wait for the scan to finish and post the link to the scan results for that file in your next comment.

Do the same with this file:

C:\windows\System32\mshta.exe
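To show why a file like nbjoo.sys gets singled out for a VirusTotal check, here is an added Python example (not part of the forum thread and not the DDS tool's own code) that parses the DDS "Created Last 30" format shown above and flags drivers created minutes before the scan ran, as well as implausibly small system binaries. The sample lines are constructed from entries in the log above; the one-hour window and the 100-byte threshold are assumed heuristics.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the DDS log format: the "Run by" header plus a few
# "Created Last 30" entries copied from the log posted above.
SAMPLE_LOG = r"""
Run by YOVKO at 13:47:10,64 on 11.12.2010
=============== Created Last 30 ================
2010-12-11 13:46:29 54016 ----a-w- c:\windows\system32\drivers\nbjoo.sys
2010-12-10 21:16:01 -------- d-----w- c:\program files\CCleaner
2010-12-10 17:05:36 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-12-06 18:35:20 14 ----a-w- c:\windows\system32\systeminfo.dll
2010-12-04 17:48:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
"""

HEADER_RE = re.compile(r"Run by \S+ at (\d{2}:\d{2}:\d{2}),\d+ on (\d{2}\.\d{2}\.\d{4})")
# timestamp, size (dashes for directories), attribute flags, path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")


def parse_dds(text):
    """Return (scan_time, [(created, size_or_None, path), ...]) for files only."""
    scan_time, entries, in_section = None, [], False
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            scan_time = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d.%m.%Y %H:%M:%S")
            continue
        if line.startswith("="):            # section banner
            in_section = "Created Last 30" in line
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m or "d" in m.group(3):       # skip unparsable lines and directories
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        size = None if m.group(2).startswith("-") else int(m.group(2))
        entries.append((created, size, m.group(4).strip().lower()))
    if scan_time is None:
        raise ValueError("no 'Run by ... at ... on ...' header in log")
    return scan_time, entries


def triage(text, driver_window=timedelta(hours=1), tiny_bytes=100):
    """Map suspicious paths to the reasons they were flagged (assumed heuristics)."""
    scan_time, entries = parse_dds(text)
    findings = {}
    for created, size, path in entries:
        reasons = []
        age = scan_time - created
        # A kernel driver that appeared minutes before the scan started is a
        # classic sign of an active dropper rather than of a user installing something.
        if path.endswith(".sys") and timedelta(0) <= age <= driver_window:
            reasons.append(f"driver created {int(age.total_seconds())}s before the scan")
        # A 14-byte "DLL" cannot be a real PE file; it is a marker or a stub.
        if size is not None and size < tiny_bytes and path.endswith((".dll", ".exe", ".sys")):
            reasons.append(f"implausibly small binary ({size} bytes)")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```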

  • Author

Hello :) No problem about the delay! I am the one who should be thanking you for the help. So, the first file I could not find. I enabled showing hidden files, but it still was not there. Here is the log for the second file: MD5: ad8f83f16a3ce2b093b38b279b419387 Date first seen: 2009-03-23 17:46:43 (UTC) Date last seen: 2010-12-11 13:17:46 (UTC) Detection ratio: 0/43

Edited by mustang_94

Follow these instructions for working with OTL:

  • Download OTL.exe or OTL.scr and save it to the desktop.
  • Start the file by double-clicking it.
  • Make the following settings (image):
  • Under Custom Scans/Fixes (image), copy/paste the following text in full (only what is inside the box):
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
  • Click the button highlighted in blue (image).
  • When the scan finishes, two files will be created: OTL.Txt and Extras.Txt. Attach both files to your next comment (see the "attached files" option when posting a reply).

Here is what comes next:

Step 1

Run OTL.exe again and copy/paste the script text from the box below under the Custom Scans/Fixes column, making sure to copy the script exactly as is, including the colon before the first line of the script!

:OTL
IE - HKU\S-1-5-21-1409082233-1060284298-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1060284298-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1060284298-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
[2010.12.10 18:34:01 | 000,014,739 | ---- | C] () -- C:\windows\System32\12543.js
[2009.12.09 17:01:52 | 000,003,584 | ---- | C] () -- C:\windows\System32\klipxm32.dll
@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B3D74A13
@Alternate Data Stream - 169 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:466F9D5D
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
:files
%windir%\tasks\at*.job
recycler /alldrives
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[emptyflash]
[Reboot]
After entering the script from the quote above, click the button highlighted in red (image).

A log file will be created. Post its contents with copy/paste in your next comment.

Step 2

Follow these steps to run ComboFix:

1. Download ComboFix from the following mirror: BleepingComputer.

After the download, save the file (Save -> Save as) as ComboFix on your desktop, screenshot:

(image)

Once ComboFix is on the desktop, the program's icon should look like this:

(image)

2. Close all running applications and open windows. Temporarily disable your antivirus program and any other security programs, if present.

3. Double-click ComboFix.exe to start it (if it does not start, rename the file to slayer.exe and try again). Click YES to accept the program's terms of use. Important: once ComboFix has started, do not move the mouse or click on the program's open window. Simply let ComboFix do its work patiently, without using the computer for anything else.

4. ComboFix will temporarily disable the Internet connection, but it will be restored automatically once the program finishes. ComboFix will scan for problems and infected files, which may take some time. Please be patient. If there is a problem with the Internet connection, please read this: Manually restoring the Internet connection section.

5. When ComboFix finishes, a text document (log) will open in Notepad, see screenshot:

(image)

Copy and paste the contents of the log into your next comment.

Before we continue, I have a question. Do you have any modifications to Windows XP, for example a Vista or Windows 7 look? Because sfcfiles.dll has been modified, according to ComboFix; reference:

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

P.S. Run a scan with ESET Smart Security (ESS). When the scan finishes, post the ESS log in your next comment. You can make a ZIP archive of previous scans from this week (if there are any). See how to do this with Export (see item 6): Where can I find copies of previous scan logs?.

  • Author

I had made it look like Win7 before, but it started running slowly and I removed it. As for the Nod logs, I do not have any, because it had got corrupted and I had to reinstall it. :)

OK. You had a rather nasty pest, ThinkPoint, but it is quite likely that there are leftovers.

So to begin with, let's check with TDSSKiller (more detailed instructions in English: TDSSKiller):

  • Download TDSSKiller and extract it to the desktop.
  • Run TDSSKiller.exe, then Start Scan.
  • If an infected file is found, check that the Cure option is selected (the default). If Cure is selected, click Continue, screenshot:

    (image)

  • If a suspicious file is found, check that the Skip option is selected (the default). If Skip is selected, click Continue.
  • The program may request a restart. If so, confirm with Reboot Now.

    - If there is no restart, go to Report. A log file will appear. Copy and paste its contents into your next comment.

    - If there is a restart, go to the system directory. There should be a file named TDSSKiller.[Version]_[Date]_[Time]_log.txt. Open it, then copy and paste its contents into your next comment.

Note: For sptd.sys click Skip.
  • Author

Only sptd.sys raised an alert, but I chose Skip. Here is the log. Thanks for the help; if it were not for you, I would have sent it for a reinstall. :)

TDSSKiller.2.4.11.0_12.12.2010_21.19.56_log.txt

Edited by mustang_94

Very good, then you can run Hitman Pro, here is how:

  • Download Hitman Pro from here (32-bit Windows)
  • Run Hitman Pro. Once the program has started, the following window will appear:

    (image)

  • Click the Next button:

    (image)

  • The program will start scanning. The scan takes about 2 minutes.
  • When the scan finishes, click Report scan results to XML file, screenshot:

    (image)

  • A file will then appear on your desktop that looks like this:

    (image)

  • Make a ZIP archive of the file and attach it to your next comment. You can also post a screenshot after Hitman Pro finishes, if it found any infections in Windows.

P.S. You do not have to post a log; just say whether Hitman Pro found anything, and whether there are any problems with Windows.
