Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Версия на базата от данни: 6304 Windows 5.1.2600 Service Pack 3 Internet Explorer 6.0.2900.5512 07.4.2011 г. 21:56:19 mbam-log-2011-04-07 (21-56-19).txt Тип сканиране: Бързо сканиране Сканирани обекти: 149260 Изминало време: 13 минута(и), 1 секунда(и) Заразени процеси в паметта: 0 Заразени модули в паметта: 0 Заразени ключове в регистратурата: 0 Заразени стойности в регистратурата: 2 Заразени информационни обекти в регистратурата: 7 Заразени папки: 0 Заразени файлове: 3 Заразени процеси в паметта: (Не бяха открити зловредни обекти) Заразени модули в паметта: (Не бяха открити зловредни обекти) Заразени ключове в регистратурата: (Не бяха открити зловредни обекти) Заразени стойности в регистратурата: HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully. Заразени информационни обекти в регистратурата: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\abc\Local Settings\Application Data\kon.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\abc\Local Settings\Application Data\kon.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\abc\Local Settings\Application Data\kon.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\abc\Local Settings\Application Data\kon.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully. Заразени папки: (Не бяха открити зловредни обекти) Заразени файлове: c:\WINDOWS\system32\czjfoc.dll (Worm.Conficker) -> Quarantined and deleted successfully. c:\documents and settings\abc\local settings\Temp\pusk.exe (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\U92FSXEB\mwaxsqns[1].gif (Extension.Mismatch) -> Quarantined and deleted successfully. . DDS (Ver_11-03-05.01) - NTFSx86 Run by abc at 22:13:03,45 on 07.04.2011 Ј. Internet Explorer: 6.0.2900.5512 Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.105 [GMT 3:00] . AV: ESET NOD32 antivirus system 2.70 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\FixCamera.exe C:\WINDOWS\tsnp325.exe C:\WINDOWS\vsnp325.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe -k imgsvc D:\Demon tools\DAEMON Tools Lite\daemon.exe C:\Program Files\Skype\Phone\Skype.exe D:\wallpapers\OTH Wallpapers\RocketDock\RocketDock.exe C:\WINDOWS\Datecs\Flex2K.exe C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe D:\YoWindow\yowindow.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe D:\Version5\TeamViewer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\abc\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.bg/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60002 mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60002 mWinlogon: SfcDisable=-99 (0xffffff9d) BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [DAEMON Tools Lite] "d:\demon tools\daemon tools lite\daemon.exe" -autorun uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [RocketDock] "d:\wallpapers\oth wallpapers\rocketdock\RocketDock.exe" mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [FixCamera] c:\windows\FixCamera.exe mRun: [tsnp325] c:\windows\tsnp325.exe mRun: [snp325] c:\windows\vsnp325.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [updateReminder] c:\program files\eset\UpdateReminder.exe dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N StartupFolder: c:\docume~1\abc\startm~1\programs\startup\regist~1.lnk - d:\films\prince of percia the two thrones\support\register\RegistrationReminder.exe StartupFolder: c:\docume~1\abc\startm~1\programs\startup\ubisof~1.lnk - d:\films\rayman 3 [request] {pi4agata2}\register\schedule.exe StartupFolder: c:\docume~1\abc\startm~1\programs\startup\yowindow.lnk - d:\yowindow\yowindow.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flexty~1.lnk - c:\windows\datecs\Flex2K.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe dPolicies-explorer: ForceClassicControlPanel = 1 (0x1) IE: Add to AMV Converter... - d:\city\amvconverter\grab.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html IE: MediaManager tool grab multimedia file - d:\city\mediamanager\grab.html IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL LSP: c:\windows\system32\imon.dll DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\abc\applic~1\mozilla\firefox\profiles\6qf9t5z7.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/ FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60002&qkw= FF - component: c:\documents and settings\abc\application data\mozilla\firefox\profiles\6qf9t5z7.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\winnt-32\MinimizeToTrayPlus.dll FF - plugin: c:\documents and settings\abc\local settings\application data\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Autofill Forms: [email protected] - %profile%\extensions\[email protected] FF - Ext: FastestFox: [email protected] - %profile%\extensions\[email protected] FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d} FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} FF - Ext: MinimizeToTrayPlus: {de1b245c-de57-11da-ba2d-0050c2490048} - %profile%\extensions\{de1b245c-de57-11da-ba2d-0050c2490048} FF - Ext: Destroy the Web: {7BDB48D1-CD94-4B99-A5A4-E418B9EE6532} - %profile%\extensions\{7BDB48D1-CD94-4B99-A5A4-E418B9EE6532} FF - Ext: Play drums!: [email protected] - %profile%\extensions\[email protected] FF - Ext: Xultris: {bed1bcec-57d3-47e1-a32b-b4e5f3003019} - %profile%\extensions\{bed1bcec-57d3-47e1-a32b-b4e5f3003019} FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae} . ============= SERVICES / DRIVERS =============== . R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-3-29 15424] R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2010-3-29 549256] R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [2010-3-31 26624] R3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [2010-4-2 10251904] S2 fhjqgvm;Network Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336] S2 gupdate;Услуга Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-30 135664] S3 BULKUSB;SiGma Chip SG851 IO driver;c:\windows\system32\drivers\BULKUSB.sys [2010-10-3 17664] S3 GarenaPEngine;GarenaPEngine;c:\docume~1\abc\locals~1\temp\LDV8B5.tmp [2010-10-31 25616] S3 GGSAFERDriver;GGSAFER Driver;\??\d:\headoff\garena\safedrv.sys --> d:\headoff\garena\safedrv.sys [?] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232] . =============== Created Last 30 ================ . 2011-04-07 18:37:42 -------- d-----w- c:\docume~1\abc\applic~1\TeamViewer 2011-04-07 18:31:41 -------- d-----w- c:\docume~1\abc\applic~1\Malwarebytes 2011-04-07 18:31:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-04-07 18:31:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-04-07 18:31:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-04-07 18:31:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-04-01 12:45:34 -------- d-----w- c:\docume~1\abc\applic~1\Unity 2011-04-01 12:40:17 -------- d-----w- c:\docume~1\abc\locals~1\applic~1\Unity 2011-03-14 21:06:17 -------- d--h--w- c:\windows\system32\GroupPolicy . ==================== Find3M ==================== . 2011-02-04 07:26:50 684544 ----a-w- c:\windows\system32\yowindow.scr . ============= FINISH: 22:14:00,82 =============== . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_11-03-05.01) . Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 29.3.2010 г. 20:09:17 System Uptime: 07.4.2011 г. 22:00:46 (0 hours ago) . Motherboard: | | SiS-748 Processor: AMD Sempron 2400+ | Socket A | 1659/166mhz . ==== Disk Partitions ========================= . A: is Removable C: is FIXED (NTFS) - 19 GiB total, 0,063 GiB free. D: is FIXED (NTFS) - 58 GiB total, 6,901 GiB free. E: is CDROM () F: is CDROM () . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . No restore point in system. . ==== Installed Programs ====================== . µTorrent 2007 Microsoft Office Suite Service Pack 2 (SP2) 325 USB PC Camera Adobe Anchor Service CS3 Adobe Asset Services CS3 Adobe Bridge CS3 Adobe Bridge Start Meeting Adobe Camera Raw 4.0 Adobe CMaps Adobe Color - Photoshop Specific Adobe Color Common Settings Adobe Color EU Extra Settings Adobe Color JA Extra Settings Adobe Color NA Recommended Settings Adobe Default Language CS3 Adobe Device Central CS3 Adobe ExtendScript Toolkit 2 Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Fonts All Adobe Help Viewer CS3 Adobe Linguistics CS3 Adobe PDF Library Files Adobe Photoshop CS3 Adobe Reader 8.2.4 Adobe Setup Adobe Stock Photos CS3 Adobe Type Support Adobe Update Manager CS3 Adobe Version Cue CS3 Client Adobe WinSoft Linguistics Plugin Adobe XMP Panels CS3 Allok MPEG4 Converter 6.2.0603 BS.Player FREE CorelDRAW Graphics Suite 12 FlexType 2K GameSpy Arcade Google Земя Google Update Helper Graphic Converter 2003 Hotfix for Windows Media Player 11 (KB944110) Hotfix for Windows Media Player 11 (KB944882) Hotfix for Windows Media Player 11 (KB946665) K-Lite Codec Pack 5.4.4 (Full) Macromedia Flash Player 8 Malwarebytes' Anti-Malware McAfee Security Scan Plus Microsoft .NET Framework 1.1 Microsoft .NET Framework 2.0 Service Pack 1 Microsoft .NET Framework 3.0 Service Pack 1 Microsoft .NET Framework 3.5 Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Enterprise 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Groove MUI (English) 2007 Microsoft Office Groove Setup Metadata MUI (English) 2007 Microsoft Office InfoPath MUI (English) 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Software Update for Web Folders (English) 12 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Mozilla Firefox (3.6.16) MP Manager MSXML4 Parser NOD32 antivirus system NOD32 FiX v1.7 NVIDIA Drivers PDF Settings PokerStars Prince of Persia T2T Readon TV Movie Radio Player 6.3.1.0 RocketDock 1.3.5 Security Update for Windows XP (KB941569) Skype™ 5.1 Unity Web Player WebFldrs XP Winamp Windows Bulgarian Interface Pack WinRAR archiver XML Paper Specification Shared Components Pack 1.0 YoWindow . ==== Event Viewer Messages From Past Week ======== . 31.3.2011 г. 16:36:30, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 31.3.2011 г. 16:36:16, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 31.3.2011 г. 16:36:16, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 31.3.2011 г. 16:36:11, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 31.3.2011 г. 16:36:09, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 31.3.2011 г. 16:36:05, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 31.3.2011 г. 16:36:04, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 31.3.2011 г. 16:36:03, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 22:01:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: gagp30kx 07.4.2011 г. 22:01:42, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: The specified module could not be found. 07.4.2011 г. 22:01:35, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 22:01:23, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 22:01:22, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 22:01:19, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 22:01:18, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 07.4.2011 г. 22:01:18, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 07.4.2011 г. 22:01:13, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 07.4.2011 г. 17:55:36, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 17:55:29, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 17:55:27, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 07.4.2011 г. 17:55:26, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 07.4.2011 г. 17:55:26, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 17:55:23, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 07.4.2011 г. 17:00:05, error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state. 07.4.2011 г. 16:12:58, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 16:12:54, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 16:12:44, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:55:27, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 15:55:19, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:55:11, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:42:07, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 15:41:50, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:41:49, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:41:39, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:41:38, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:32:39, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 15:32:27, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:32:19, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:32:11, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 15:32:10, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 14:33:08, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 10:33:18, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 10:33:16, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 10:33:02, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 10:32:44, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 10:32:42, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 09:22:16, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 07.4.2011 г. 09:22:10, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 07.4.2011 г. 09:22:10, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 07.4.2011 г. 09:21:58, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 09:21:57, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 09:21:54, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 07.4.2011 г. 09:21:53, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 07.4.2011 г. 09:21:47, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 21:05:07, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 06.4.2011 г. 21:05:02, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 21:04:50, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 21:04:46, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 06.4.2011 г. 21:04:46, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 06.4.2011 г. 21:04:42, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 21:04:35, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 06.4.2011 г. 21:04:35, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 18:21:39, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 06.4.2011 г. 18:21:35, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 18:21:19, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 18:21:12, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 06.4.2011 г. 18:21:12, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 06.4.2011 г. 18:21:10, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 18:21:07, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 18:21:03, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 06.4.2011 г. 14:33:01, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 13:51:55, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 06.4.2011 г. 13:51:46, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 13:51:28, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 13:51:25, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 13:51:13, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 11:00:44, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 06.4.2011 г. 11:00:33, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 11:00:22, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 11:00:15, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 06.4.2011 г. 11:00:15, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 22:59:54, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period. 05.4.2011 г. 18:19:09, error: Service Control Manager [7000] - The AMON service failed to start due to the following error: The system cannot find the file specified. 05.4.2011 г. 18:19:05, error: Service Control Manager [7000] - The AMON service failed to start due to the following error: The system cannot find the file specified. 05.4.2011 г. 18:19:02, error: Service Control Manager [7000] - The AMON service failed to start due to the following error: The system cannot find the file specified. 05.4.2011 г. 18:18:37, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: A dynamic link library (DLL) initialization routine failed. 05.4.2011 г. 18:18:37, error: Service Control Manager [7000] - The AMON service failed to start due to the following error: The system cannot find the file specified. 05.4.2011 г. 18:18:15, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 05.4.2011 г. 18:18:15, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 05.4.2011 г. 18:18:14, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 18:18:07, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 18:18:07, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 18:18:06, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 18:17:57, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.108 did not allow the name to be claimed by this machine. 05.4.2011 г. 16:28:35, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 16:28:34, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: A dynamic link library (DLL) initialization routine failed. 05.4.2011 г. 16:28:34, error: Service Control Manager [7000] - The AMON service failed to start due to the following error: The system cannot find the file specified. 05.4.2011 г. 16:27:59, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 16:27:56, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 16:27:56, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 14:33:03, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 13:50:14, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 13:50:11, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: A dynamic link library (DLL) initialization routine failed. 05.4.2011 г. 13:50:11, error: Service Control Manager [7000] - The AMON service failed to start due to the following error: The system cannot find the file specified. 05.4.2011 г. 13:49:35, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 13:49:33, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 13:49:32, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 11:25:49, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 05.4.2011 г. 11:25:42, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 11:25:34, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 05.4.2011 г. 11:25:34, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 05.4.2011 г. 11:25:28, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 11:25:21, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 05.4.2011 г. 11:25:20, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 05.4.2011 г. 11:25:20, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 04.4.2011 г. 15:25:11, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 04.4.2011 г. 15:25:08, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 04.4.2011 г. 15:24:54, error: NetBT [4321] - The name "COMPUTERS :20" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 04.4.2011 г. 15:24:54, error: NetBT [4321] - The name "COMPUTERS :0" could not be registered on the Interface with IP address 94.156.70.118. The machine with the IP address 94.156.70.74 did not allow the name to be claimed by this machine. 04.4.2011 г. 15:24:52, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 04.4.2011 г. 15:24:42, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6B29B067-9340-4E09-B9B2-6A80C589AE70} because another computer on the network has the same name. The server could not start. 04.4.2011 г. 15:24:41, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 04.4.2011 г. 15:24:41, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 03.4.2011 г. 21:16:30, error: Service Control Manager [7023] - The Network Helper service terminated with the following error: Access is denied. 03.4.2011 г. 21:16:27, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 03.4.2011 г. 21:16:15, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with..

Здравейте rock n roll,

Аз съм B-boy[styLe] и ще ви помагам да почистите система си от зловреден софтуер (ако има такъв). Анализа на логовете, както и премахването на зловредния софтуер, може да отнеме време, затова бъдете търпелив. Имайте предвид следното:

• Аз ще ви помагам главно за почистването на системата от зловреден софтуер. За всякакви други проблеми, създайте нова тема в съответния форум и опиши детайлно проблема.
• Инструкциите се отнасят само за този проблем и само за този компютър.
• Следвайте инструкциите ми стриктно, докато не ви кажа, че системата ви е напълно чиста. Това, че симптомите са изчезнали, не значи че всичко е наред.
• Ако не разбирате нещо, по-добре ме попитайте, не рискувайте. По-добре е малко да се позабавим, отколкото да усложним нещата.
• Цялата кореспонденция ще минава през тази тема.

Не се учудвам, че са ви навестили червеи. Вие използвате кракната антивирусна програма, което е недопустимо!!!

NOD32 FiX v1.7

Следвайте следните стъпки за работа с ComboFix:

1. Изтеглете ComboFix от BleepingComputer

След изтегляне на файла го запишете (бутон Save -> Save as) ComboFix на вашия десктоп, снимка:

След като изтеглите ComboFix на десктопа, иконката на програмата би трябвало да изглежда така:

2. Затворете всички работещи приложения или отворени прозорци. Прекратете временно работата на антивирусната програма и на други програми за сигурност, ако има такива. За целта може да прегледате информацията от този линк: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

3. Стартирайте с двоен клик Combofix.exe. За целта използвайте YES, за да се съгласите с условията за използване на програмата. Важно: след като се стартира ComboFix не бива да се движи мишката или да се кликва върху отворения прозорец на програмата. Просто търпеливо оставете ComboFix да си свърши работата, без да използвате компютъра за други цели.

4. ComboFix ще провери дали Windows Recovery Console e инсталиранa.

*Ако Windows Recovery Console е инсталирана, ComboFix ще продължи работата си.

*Ако Windows Recovery Console не е инсталирана, ще е необходимо да използвате YES за инсталация на Windows Recovery Console, виж снимката:

Забележка: Необходимо е да сте свързани към Интернет за да може Windows Recovery Console да се изтегли.

След инсталация на Windows Recovery Console потвърдете с YES, за да продължите напред. Снимка:

5. ComboFix ще спре временно Интернет връзката, но след като приключи работата на програмата тази връзка ще бъде възстановена автоматично. ComboFix ще сканира за проблеми и за заразени файлове, като това може да отнеме известно време. Моля да бъдете търпеливи. Ако има проблем с Интернет връзката, моля да прочетете това: Manually restoring the Internet connection section.

Забележка: При проблеми с ComboFix копирайте (Copy) и поставете (Paste) съдържанието на C:\BUG.txt в следващия си коментар.

6. Когато работата на ComboFix приключи, ще се появи текстов документ (log) в Notepad, виж снимката:

Копирайте (Copy) и поставете (Paste) съдържанието на лога в следващия си коментар.

Поздрави !

ComboFix 11-04-07.08 - abc 04.2011 г. 13:28:30.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.152 [GMT 3:00] Running from: c:\documents and settings\abc\Desktop\ComboFix.exe AV: ESET NOD32 antivirus system 2.70 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\abc\Local Settings\Application Data\rqdo14bohag8267px7x7s78dhims4lnw1 c:\documents and settings\abc\Templates\rqdo14bohag8267px7x7s78dhims4lnw1 c:\documents and settings\All Users\Application Data\rqdo14bohag8267px7x7s78dhims4lnw1 C:\Install.exe . . ((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 ))))))))))))))))))))))))))))))) . . 2011-04-08 09:54 . 2011-04-08 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles 2011-04-07 18:37 . 2011-04-07 18:37 -------- d-----w- c:\documents and settings\abc\Application Data\TeamViewer 2011-04-07 18:31 . 2011-04-07 18:31 -------- d-----w- c:\documents and settings\abc\Application Data\Malwarebytes 2011-04-07 18:31 . 2010-12-20 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-04-07 18:31 . 2011-04-07 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-04-07 18:31 . 2010-12-20 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-04-07 18:31 . 2011-04-07 18:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-04-01 12:45 . 2011-04-01 12:45 -------- d-----w- c:\documents and settings\abc\Application Data\Unity 2011-04-01 12:40 . 2011-04-01 12:40 -------- d-----w- c:\documents and settings\abc\Local Settings\Application Data\Unity 2011-03-14 21:06 . 2011-03-14 21:06 -------- d--h--w- c:\windows\system32\GroupPolicy . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-04 07:26 . 2011-02-04 07:26 684544 ----a-w- c:\windows\system32\yowindow.scr . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools Lite"="d:\demon tools\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056] "RocketDock"="d:\wallpapers\OTH Wallpapers\RocketDock\RocketDock.exe" [2007-09-02 495616] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-29 950664] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088] "nwiz"="nwiz.exe" [2008-05-16 1630208] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016] "FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480] "tsnp325"="c:\windows\tsnp325.exe" [2006-10-10 270336] "snp325"="c:\windows\vsnp325.exe" [2006-10-10 827392] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2010-11-03 413696] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "nltide_3"="advpack.dll" [2008-04-14 99840] . c:\documents and settings\abc\Start Menu\Programs\Startup\ Registration Prince of Persia T2T.LNK - d:\films\Prince Of Percia The Two Thrones\Support\Register\RegistrationReminder.exe [N/A] ubisoft register.lnk - d:\films\Rayman 3 [Request] {Pi4agata2}\Register\schedule.exe [N/A] YoWindow.lnk - d:\yowindow\yowindow.exe [2011-2-2 740352] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2010-3-29 151552] McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] . [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "d:\\Volley\\Blobby\\volley.exe"= "d:\\Utorrent\\utorrent.exe"= "d:\\Headoff\\Garena\\Garena.exe"= "d:\\Warcraft\\hostbot\\GarenaHostBot.exe"= "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "6519:TCP"= 6519:TCP:qxotpctf . R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02.6.2010 г. 14:13 717296] R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [29.3.2010 г. 21:36 15424] R3 GGSAFERDriver;GGSAFER Driver;\??\d:\headoff\Garena\safedrv.sys --> d:\headoff\Garena\safedrv.sys [?] R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [31.3.2010 г. 21:14 26624] R3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [02.4.2010 г. 16:56 10251904] S2 fhjqgvm;Network Helper;c:\windows\system32\svchost.exe -k netsvcs [14.4.2008 г. 11:42 14336] S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30.3.2010 г. 18:07 135664] S3 BULKUSB;SiGma Chip SG851 IO driver;c:\windows\system32\drivers\BULKUSB.sys [03.10.2010 г. 15:31 17664] S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\abc\LOCALS~1\Temp\LDV8B5.tmp --> c:\docume~1\abc\LOCALS~1\Temp\LDV8B5.tmp [?] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15.1.2010 г. 15:49 227232] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - IDSVC . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs fhjqgvm . Contents of the 'Scheduled Tasks' folder . 2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 15:07] . 2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 15:07] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.bg/ uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to AMV Converter... - d:\city\AMVConverter\grab.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html IE: MediaManager tool grab multimedia file - d:\city\MediaManager\grab.html LSP: c:\windows\system32\imon.dll FF - ProfilePath - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\6qf9t5z7.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/ FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60002&qkw= FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Autofill Forms: [email protected] - %profile%\extensions\[email protected] FF - Ext: FastestFox: [email protected] - %profile%\extensions\[email protected] FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d} FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} FF - Ext: MinimizeToTrayPlus: {de1b245c-de57-11da-ba2d-0050c2490048} - %profile%\extensions\{de1b245c-de57-11da-ba2d-0050c2490048} FF - Ext: Destroy the Web: {7BDB48D1-CD94-4B99-A5A4-E418B9EE6532} - %profile%\extensions\{7BDB48D1-CD94-4B99-A5A4-E418B9EE6532} FF - Ext: Play drums!: [email protected] - %profile%\extensions\[email protected] FF - Ext: Xultris: {bed1bcec-57d3-47e1-a32b-b4e5f3003019} - %profile%\extensions\{bed1bcec-57d3-47e1-a32b-b4e5f3003019} FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae} . - - - - ORPHANS REMOVED - - - - . WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) AddRemove-Graphic Converter 2003 - d:\progra~1\GRAPHI~1\UNWISE.EXE . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-08 13:34 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine] "ImagePath"="\??\c:\docume~1\abc\LOCALS~1\Temp\LDV8B5.tmp" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fhjqgvm] "ServiceDll"="c:\windows\system32\czjfoc.dll" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'lsass.exe'(592) c:\windows\system32\imon.dll . Completion time: 2011-04-08 13:37:07 ComboFix-quarantined-files.txt 2011-04-08 10:36 . Pre-Run: 10 860 204 032 bytes free Post-Run: 11 709 902 848 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 35231DECC173E9D891DDA048C560501A

Какво следва?

Здравейте,

Извинявам се за забавянето, но бях възпрепятстван.

Имам един въпрос...защо половината от програмите ви стартират от дял D:\ ?

*. Отворете notepad.exe и с copy/paste въведете следната информация:

http://www.kaldata.com/forums/index.php?showtopic=175499

KILLALL::
Driver::
fhjqgvm
IDSVC
Collect::
c:\windows\system32\yowindow.scr
c:\Windows\system32\drivers\idsvc.sys
c:\windows\system32\czjfoc.dll
d:\yowindow\yowindow.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6519:TCP"=-
NetSvc::
fhjqgvm

Запазете файла с име CFScript и го провлачете и пуснете в Combofix (както е показано на картинката отдолу).

*. По време на сканиране от страна на ComboFix не стартирайте никакви други приложения, не натискайте клавиши от клавиатурата и не местете мишката !

*. По време на тази операция Combofix ще отвори диалогов прозорец. Със скрипта който изпълнихте той ще архивира и ще изпрати няколко файлове за анализ. Необходимо е да се свързан към Интеренет преди да натиснете OK. Ще се появи син прозорец чрез който вие можете да проследите цялата операция. Накарая ще получите съобщението "Upload was Successful".

*. Ако по някаква причина Combofix не успее да изпрати файловете (вижте снимката отдолу):

тогава просто кликнете върху файла C:\CF-Submit.htm и следвайте инструкциите за да го изпратите.

*. Когато Combofix приключи ще създаде лог файла. Моя, публикувайте този файл в следващия си пост.

Поздрави !

[b]http://www.kaldata.com/forums/index.php?showtopic=175499[/b]

KILLALL::
Driver::
fhjqgvm
IDSVC
Collect::
c:\windows\system32\yowindow.scr
c:\Windows\system32\drivers\idsvc.sys
c:\windows\system32\czjfoc.dll
d:\yowindow\yowindow.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6519:TCP"=-
NetSvc::
fhjqgvm

Ама да копирам дори линка към темата ли...

Редактирано 9 април 201115 г. от rock n roll (преглед на промените)

Целия скрипт както съм го написал...

ComboFix 11-04-08.02 - abc 04.2011 г. 16:34:24.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.196 [GMT 3:00] Running from: c:\documents and settings\abc\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} . file zipped: c:\windows\system32\yowindow.scr file zipped: d:\yowindow\yowindow.exe . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\system32\_000008_.tmp.dll c:\windows\system32\yowindow.scr d:\yowindow\yowindow.exe . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_FHJQGVM -------\Legacy_IDSVC -------\Service_fhjqgvm -------\Service_idsvc . . ((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 ))))))))))))))))))))))))))))))) . . 2011-04-08 17:29 . 2011-04-08 17:29 -------- d-----w- c:\windows\system32\KB905474 2011-04-08 17:02 . 2011-04-08 17:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2011-04-08 15:38 . 2011-04-08 15:38 -------- d-sh--w- c:\documents and settings\abc\PrivacIE 2011-04-08 15:35 . 2011-04-08 15:35 -------- d-sh--w- c:\documents and settings\abc\IETldCache 2011-04-08 15:30 . 2010-10-18 11:10 7680 ------w- c:\windows\system32\dllcache\iecompat.dll 2011-04-08 15:29 . 2010-12-20 23:59 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2011-04-08 15:29 . 2010-12-20 23:59 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll 2011-04-08 15:29 . 2010-12-20 23:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll 2011-04-08 15:29 . 2010-12-20 23:59 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2011-04-08 15:29 . 2010-12-20 23:59 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll 2011-04-08 15:29 . 2010-12-21 02:29 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll 2011-04-08 15:29 . 2010-12-20 23:59 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll 2011-04-08 15:27 . 2011-04-08 15:29 -------- dc-h--w- c:\windows\ie8 2011-04-08 15:27 . 2011-04-08 15:28 -------- d-----w- c:\windows\system32\bg-BG 2011-04-08 15:01 . 2011-04-08 15:01 -------- d-----w- c:\program files\MSXML 4.0 2011-04-08 12:19 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys 2011-04-08 12:19 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys 2011-04-08 12:19 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll 2011-04-08 12:19 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll 2011-04-08 12:19 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll 2011-04-08 12:19 . 2010-08-26 13:39 357248 ------w- c:\windows\system32\dllcache\srv.sys 2011-04-08 12:18 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll 2011-04-08 12:18 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys 2011-04-08 12:17 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2011-04-08 12:15 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe 2011-04-08 12:15 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys 2011-04-08 12:14 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll 2011-04-08 12:14 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll 2011-04-08 12:13 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll 2011-04-08 12:13 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll 2011-04-08 12:13 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll 2011-04-08 12:13 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe 2011-04-08 12:13 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe 2011-04-08 12:13 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe 2011-04-08 12:13 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll 2011-04-08 12:13 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll 2011-04-08 12:12 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll 2011-04-08 12:11 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll 2011-04-08 12:11 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys 2011-04-08 12:11 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe 2011-04-08 12:11 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll 2011-04-08 12:08 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2011-04-08 12:07 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll 2011-04-08 12:02 . 2010-12-09 15:15 718336 ------w- c:\windows\system32\dllcache\ntdll.dll 2011-04-08 12:02 . 2010-12-09 13:42 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2011-04-08 12:02 . 2010-12-09 13:38 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2011-04-08 12:02 . 2010-12-09 13:07 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2011-04-08 12:02 . 2010-12-09 13:07 2069376 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe 2011-04-08 12:01 . 2010-07-12 12:55 218112 ------w- c:\windows\system32\dllcache\wordpad.exe 2011-04-08 12:01 . 2009-12-09 05:53 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll 2011-04-08 12:01 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe 2011-04-08 12:01 . 2010-08-26 12:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-04-08 12:01 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll 2011-04-08 12:00 . 2011-04-09 08:36 -------- d--h--w- c:\windows\$hf_mig$ 2011-04-08 11:30 . 2009-08-06 16:24 21728 ----a-w- c:\windows\system32\wucltui.dll.mui 2011-04-08 11:30 . 2009-08-06 16:24 44768 ----a-w- c:\windows\system32\wups2.dll 2011-04-08 11:30 . 2009-08-06 16:24 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui 2011-04-08 11:30 . 2009-08-06 16:24 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2011-04-08 11:30 . 2009-08-06 16:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui 2011-04-08 11:28 . 2011-04-08 11:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET 2011-04-08 11:00 . 2011-04-08 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET 2011-04-08 10:53 . 2011-04-08 10:53 -------- d-----w- c:\windows\system32\xircom 2011-04-08 10:53 . 2011-04-08 10:53 -------- d-----w- c:\windows\system32\wbem\snmp 2011-04-08 10:53 . 2011-04-08 10:53 -------- d-----w- c:\program files\microsoft frontpage 2011-04-08 09:54 . 2011-04-08 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles 2011-04-07 18:37 . 2011-04-07 18:37 -------- d-----w- c:\documents and settings\abc\Application Data\TeamViewer 2011-04-07 18:31 . 2011-04-07 18:31 -------- d-----w- c:\documents and settings\abc\Application Data\Malwarebytes 2011-04-07 18:31 . 2010-12-20 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-04-07 18:31 . 2011-04-07 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-04-07 18:31 . 2010-12-20 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-04-07 18:31 . 2011-04-07 18:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-04-01 12:45 . 2011-04-01 12:45 -------- d-----w- c:\documents and settings\abc\Application Data\Unity 2011-04-01 12:40 . 2011-04-01 12:40 -------- d-----w- c:\documents and settings\abc\Local Settings\Application Data\Unity 2011-03-14 21:06 . 2011-03-14 21:06 -------- d--h--w- c:\windows\system32\GroupPolicy . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-09 13:53 . 2008-04-14 08:42 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2008-04-14 08:41 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-02 07:58 . 2010-03-29 16:56 2067456 ----a-w- c:\windows\system32\mstscax.dll 2011-01-27 11:57 . 2010-03-29 16:56 677888 ----a-w- c:\windows\system32\mstsc.exe 2011-01-21 14:44 . 2008-04-14 08:42 439296 ----a-w- c:\windows\system32\shimgvw.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools Lite"="d:\demon tools\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056] "RocketDock"="d:\wallpapers\OTH Wallpapers\RocketDock\RocketDock.exe" [2007-09-02 495616] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088] "nwiz"="nwiz.exe" [2008-05-16 1630208] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016] "tsnp325"="c:\windows\tsnp325.exe" [2006-10-10 270336] "snp325"="c:\windows\vsnp325.exe" [2006-10-10 827392] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-12 2029640] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "nltide_3"="advpack.dll" [2009-03-08 128512] . c:\documents and settings\abc\Start Menu\Programs\Startup\ Registration Prince of Persia T2T.LNK - d:\films\Prince Of Percia The Two Thrones\Support\Register\RegistrationReminder.exe [N/A] ubisoft register.lnk - d:\films\Rayman 3 [Request] {Pi4agata2}\Register\schedule.exe [N/A] YoWindow.lnk - d:\yowindow\yowindow.exe [N/A] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2010-3-29 151552] . [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "d:\\Volley\\Blobby\\volley.exe"= "d:\\Utorrent\\utorrent.exe"= "d:\\Headoff\\Garena\\Garena.exe"= "d:\\Warcraft\\hostbot\\GarenaHostBot.exe"= "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02.6.2010 г. 14:13 717296] R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12.5.2009 г. 06:33 107256] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12.5.2009 г. 06:34 94360] R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12.5.2009 г. 06:33 731840] R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [31.3.2010 г. 21:14 26624] R3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [02.4.2010 г. 16:56 10251904] S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30.3.2010 г. 18:07 135664] S3 BULKUSB;SiGma Chip SG851 IO driver;c:\windows\system32\drivers\BULKUSB.sys [03.10.2010 г. 15:31 17664] S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\abc\LOCALS~1\Temp\LDV8B5.tmp --> c:\docume~1\abc\LOCALS~1\Temp\LDV8B5.tmp [?] S3 GGSAFERDriver;GGSAFER Driver;\??\d:\headoff\Garena\safedrv.sys --> d:\headoff\Garena\safedrv.sys [?] . Contents of the 'Scheduled Tasks' folder . 2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 15:07] . 2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-30 15:07] . 2011-04-09 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2011-04-08 19:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.bg/ uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to AMV Converter... - d:\city\AMVConverter\grab.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html IE: MediaManager tool grab multimedia file - d:\city\MediaManager\grab.html FF - ProfilePath - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\6qf9t5z7.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/ FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60002&qkw= FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Autofill Forms: [email protected] - %profile%\extensions\[email protected] FF - Ext: FastestFox: [email protected] - %profile%\extensions\[email protected] FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d} FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} FF - Ext: MinimizeToTrayPlus: {de1b245c-de57-11da-ba2d-0050c2490048} - %profile%\extensions\{de1b245c-de57-11da-ba2d-0050c2490048} FF - Ext: Destroy the Web: {7BDB48D1-CD94-4B99-A5A4-E418B9EE6532} - %profile%\extensions\{7BDB48D1-CD94-4B99-A5A4-E418B9EE6532} FF - Ext: Play drums!: [email protected] - %profile%\extensions\[email protected] FF - Ext: Xultris: {bed1bcec-57d3-47e1-a32b-b4e5f3003019} - %profile%\extensions\{bed1bcec-57d3-47e1-a32b-b4e5f3003019} FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae} . - - - - ORPHANS REMOVED - - - - . HKLM-Run-FixCamera - c:\windows\FixCamera.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-09 16:43 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine] "ImagePath"="\??\c:\docume~1\abc\LOCALS~1\Temp\LDV8B5.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2700) c:\windows\system32\WININET.dll d:\wallpapers\OTH Wallpapers\RocketDock\RocketDock.dll c:\windows\system32\newdll.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\wpdshserviceobj.dll c:\windows\system32\webcheck.dll c:\windows\system32\portabledevicetypes.dll c:\windows\system32\portabledeviceapi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\RUNDLL32.EXE c:\program files\Skype\Plugin Manager\skypePM.exe . ************************************************************************** . Completion time: 2011-04-09 16:52:04 - machine was rebooted ComboFix-quarantined-files.txt 2011-04-09 13:51 ComboFix2.txt 2011-04-08 10:37 . Pre-Run: 9 841 065 984 bytes free Post-Run: 9 834 201 088 bytes free . - - End Of File - - DE10ED19777066EA3D29B40B8EEB47C0 Upload was successful

Здравейте,

Лог файла изглежда доста по-добре.

Тъй като без да искам съм премахнал две легитимни неща (за което се извинявам), моля направете следното за да ги възстановите:

Изтеглете и преинсталирайте следните две приложения: Microsoft .Net Framework 3.5 Redist и YoWindow 2

След това да продължим с почистването:

СТЪПКА 1 (описанието е взето от статията на Night_Raven)

Изпълнете следните стъпки за да почистите и имунизирате USB флаш паметите:

Имунизация на USB флаш устройство(а)

Инструменти за това има повече от един, но аз предпочитам и препоръчвам Flash_Disinfector (от автора на ComboFix). Работата с нея не е сложна:

1) уверявате се, че нямате никакви външни USB устройства свързани (твърди дискове, flash памети и др.)

2) стартирате инструмента и изчакайте съобщението, когато ще бъдете помолени да свържете наличните USB устройства;

3) свържете колкото се може повече USB устройства и кликнете OK; ако имате доста такива или нямате нужния брой USB портове, ще трябва да повторите тази операция за останалите;

4) изчакайте интструментът да си свърши работата и кликнете бутон OK в прозореца с надпис "Done !!".

Важно за Flash_Disinfector:

Инструментът ще създаде специални папки/файлове на име autorun.inf на всички дялове на всички твърди дискове и USB устройства, които сте свързали. Това се прави нарочно и има за цел да предпазва от бъдещо заразяване на USB устройството, ако бъде свързано на друг компютър.

Някои антивирусни могат да засекат инструмента като заплаха. Това е фалшива тревога.

СТЪПКА 2

Изтеглете и инсталирайте следните 3 кръпки: KB958687, KB957097, KB958644.

Рестартирайте машината.

СТЪПКА 3

Стартирайте отново Malwarebytes' Anti-Malware.

* Отидете до табът UPDATE и натиснете бутона Check for updates.

* След това се върнете до табът Scanner, сложете отметка пред "Perform Quick Scan", след това кликнете на Scan.

* Сканирането ще отнеме малко време, затова моля бъдете търпеливи.

* Когато сканирането завърши, кликнете на OK, след това Show Results, за да видите резултата.

* Уверете се, че на всички редове има отметки, и кликнете Remove Selected.

* Когато всичко бъде премахнато, логът ще бъде отворен в Notepad. Копирайте лога и го публикувайте в следващия си коментар в темата.

Бележка: Ако MalwareBytes' Anti-Malware се затрудни в премахването на откритите вируси/заплахи, той ще поиска да рестартира компютъра Ви и по време на рестартирането да премахне проблемните вируси/заплахи. Ако бъдете попитани, потвърдете че желаете вашия компютър да бъде рестартиран.

Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Версия на базата от данни: 6320 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 09.4.2011 г. 23:27:52 mbam-log-2011-04-09 (23-27-52).txt Тип сканиране: Бързо сканиране Сканирани обекти: 142323 Изминало време: 16 минута(и), 4 секунда(и) Заразени процеси в паметта: 0 Заразени модули в паметта: 0 Заразени ключове в регистратурата: 0 Заразени стойности в регистратурата: 0 Заразени информационни обекти в регистратурата: 0 Заразени папки: 0 Заразени файлове: 0 Заразени процеси в паметта: (Не бяха открити зловредни обекти) Заразени модули в паметта: (Не бяха открити зловредни обекти) Заразени ключове в регистратурата: (Не бяха открити зловредни обекти) Заразени стойности в регистратурата: (Не бяха открити зловредни обекти) Заразени информационни обекти в регистратурата: (Не бяха открити зловредни обекти) Заразени папки: (Не бяха открити зловредни обекти) Заразени файлове: (Не бяха открити зловредни обекти)

Супер...вече не се виждат остатъци от червея Conficker.

За да бъдем напълно сигурни обаче нека да направим една финална проверка:

1) Изтеглете: ESET Online Scanner

2) Стартирайте esetsmartinstaller_enu.exe

3) Сложете отметка на YES, I accept the Terms of Use и изберете Start

4) Скенерът ще започне да изтегля компонентите, които са му необходими.

5) Уверете се, че има отметки на следните редове, включително и тези от менюто Advanced Settings:

• Scan archives

Scan for potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth technology

Забележка: Не слагайте отметка пред Remove found threats

И накрая изберете Start

6) Скенерът ще започне да изтегля последните дефиниции.

7) След, като сканирането завърши изберете Finish.

8) Отидете в:

C:\Program Files\ESET\ESET Online Scanner

Отворете файла log.txt , копирайте съдържанието му и го поставете в следващия си пост тук.

ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6425 # api_version=3.0.2 # EOSSerial=3138ca46ba3c234c975f972a1f6854de # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2011-04-10 11:34:43 # local_time=2011-04-10 02:34:43 (+0200, FLE Daylight Time) # country="Bulgaria" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=8199 39157077 100 100 48951 60327737 0 0 # scanned=119330 # found=2 # cleaned=0 # scan_time=8443 # nod_component=V3 Build:0x30000000 D:\Downloads\details.zip Win32/TrojanDownloader.Stohil.M trojan (unable to clean) 00000000000000000000000000000000 I D:\Warcraft\Warcraft III - The Frozen Throne\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I

D:\Downloads\details.zip Win32/TrojanDownloader.Stohil.M trojan (unable to clean) 00000000000000000000000000000000 I

D:\Warcraft\Warcraft III - The Frozen Throne\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I

Да нямате две инсталации - едната на C:\ и едната на D:\

Ако е така може да се наложи да се логнете в другата за да могат да се изтрият файловете.

Преинсталирахте ли и програмите които ви казах по-нагоре ?

Какво е моментното състояние на системата в момента ?

По-добре се държи. Благодаря много за помощта!

Само съм длъжен да спомена следните неща:

µTorrent => На мен ми е ясно, че няма да я деинсталирате, но поне внимавайте какво теглите и винаги проверявайте свалените неща първо с антивирусната си програма без да игнорирате съобщенията, които тя ви дава преди да инсталирате нещо.

Adobe Reader 8.2.4 => обновете го с последната версия Adobe Reader X или го заменете с по-безопастната програмта Foxit Reader (Само внимавайте да не качите ASK toolbar-a по време на инсталацията на Foxit).

FlexType 2K => За предпочитане е да го разкарате... Ето как

След това можете да си сложите някоя свястна фонетика например тази

McAfee Security Scan Plus => Деинсталирайте този онлайн скенер.

NOD32 antivirus system + NOD32 FiX v1.7 => задължително деинсталирайте тези неща и си сложете някоя безплатна алтернатива като Avast! 6 или Avira 10

Безопасно сърфиране.