
So I want to ask how to remove this so-called antivirus program. It detects viruses that I don't have. I found instructions on the internet, but they are in English. If someone could tell me in more detail and in the easiest way how to remove it, I would be very grateful.

  • Author

Hello,

Follow the instructions in this topic:

My system is infected - What do I do now?

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 6.0.2900.2149

Run by name at 10:51:08 on 2011-06-06

Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.767.405 [GMT 3:00]

.

AV: PC Security Guardian *Enabled/Updated* {23AE6E7D-22A6-4188-8F4D-5B47337133D0}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: PC Security Guardian *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\Datecs\Flex2K.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = hxxp://izarc.org/donate.html

BHO: ShopperReports: {100eb1fd-d03e-47fd-81f3-ee91287f9465} - c:\program files\shopperreports3\bin\3.1.22.0\ShopperReports.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

EB: ShopperReports – Price Comparison: {a7cddcdc-beeb-4685-a062-978f5e07ceee} - c:\program files\shopperreports3\bin\3.1.22.0\ShopperReports.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [ares] "c:\program files\ares\Ares.exe" -h

uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe

uRun: [PC Security Guardian] "c:\documents and settings\all users\application data\7b3df2\PS7b3_284.exe" /s /d

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [smapp] c:\program files\analog devices\soundmax\SMTray.exe

mRun: [bigDogPath] c:\windows\VM_STI.EXE CANYON CN-WCAM23 PC-Camera

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flexty~1.lnk - c:\windows\datecs\Flex2K.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 0 = msseces.exe

uPolicies-disallowrun: 1 = MSASCui.exe

uPolicies-disallowrun: 2 = ekrn.exe

uPolicies-disallowrun: 3 = egui.exe

uPolicies-disallowrun: 4 = avgnt.exe

uPolicies-disallowrun: 5 = avcenter.exe

uPolicies-disallowrun: 6 = avscan.exe

uPolicies-disallowrun: 7 = avgfrw.exe

uPolicies-disallowrun: 8 = avgui.exe

uPolicies-disallowrun: 9 = avgtray.exe

uPolicies-disallowrun: 10 = avgscanx.exe

uPolicies-disallowrun: 11 = avgcfgex.exe

uPolicies-disallowrun: 12 = avgemc.exe

uPolicies-disallowrun: 13 = avgchsvx.exe

uPolicies-disallowrun: 14 = avgcmgr.exe

uPolicies-disallowrun: 15 = avgwdsvc.exe

mPolicies-explorer: UseDesktopIniCache = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shopperreports3\bin\3.1.22.0\ShopperReports.dll

IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shopperreports3\bin\3.1.22.0\ShopperReports.dll

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{00AFF642-0357-4FF9-B967-B7BB6502E570} : DhcpNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

IFEO: image file execution options - svchost.exe

IFEO: a.exe - svchost.exe

IFEO: aAvgApi.exe - svchost.exe

IFEO: AAWTray.exe - svchost.exe

IFEO: About.exe - svchost.exe

.

Note: multiple IFEO entries found. Please refer to Attach.txt

Hosts: 69.72.252.252 www.google.com

Hosts: 178.17.165.3 www.google.com

Hosts: 69.72.252.252 www.google.com.au

Hosts: 178.17.165.3 www.google.com.au

Hosts: 69.72.252.252 www.google.be

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\name\application data\mozilla\firefox\profiles\s7l8pd6b.default\

FF - prefs.js: browser.search.selectedEngine - search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\name\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: PandoraTV Toolbar: [email protected] - %profile%\extensions\[email protected]

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-1 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-1 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-1 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-1 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-1 40384]

.

=============== Created Last 30 ================

.

2011-06-06 07:25:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2011-06-06 06:55:56 -------- d-sh--w- c:\documents and settings\name\application data\PC Security Guardian

2011-06-06 06:55:55 -------- d-sh--w- c:\documents and settings\all users\application data\PSQKGJOG

2011-06-06 06:55:22 -------- d-sh--w- c:\documents and settings\all users\application data\7b3df2

2011-05-28 14:09:32 -------- d-----w- c:\documents and settings\name\application data\go

2011-05-28 14:09:21 -------- d-----w- c:\documents and settings\all users\application data\Easybits GO

2011-05-20 08:21:29 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-05-20 08:21:28 143872 ----a-w- c:\windows\system32\xvid.ax

2011-05-20 08:21:25 -------- d-----w- c:\program files\Xvid

2011-05-18 07:15:01 -------- d-----w- c:\documents and settings\all users\application data\Skype Extras

2011-05-16 14:06:16 1090952 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll

2011-05-07 16:47:20 -------- d-----w- c:\documents and settings\name\application data\Unity

.

==================== Find3M ====================

.

2011-03-19 15:04:28 650752 ----a-w- c:\windows\system32\xvidcore.dll

.

============= FINISH: 10:51:38,96 ===============.

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-03.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 01.9.2010 14:29:29

System Uptime: 06.6.2011 10:18:15 (0 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P4P800-X

Processor: Intel® Celeron® CPU 2.40GHz | CPU 1 | 2400/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 21 GiB total, 13,522 GiB free.

D: is FIXED (NTFS) - 28 GiB total, 12,348 GiB free.

E: is FIXED (NTFS) - 28 GiB total, 26,265 GiB free.

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Image File Execution Options =============

.

IFEO: image file execution options - svchost.exe

IFEO: a.exe - svchost.exe

IFEO: aAvgApi.exe - svchost.exe

IFEO: AAWTray.exe - svchost.exe

IFEO: About.exe - svchost.exe

IFEO: ackwin32.exe - svchost.exe

IFEO: Ad-Aware.exe - svchost.exe

IFEO: adaware.exe - svchost.exe

IFEO: advxdwin.exe - svchost.exe

IFEO: AdwarePrj.exe - svchost.exe

IFEO: agent.exe - svchost.exe

IFEO: agentsvr.exe - svchost.exe

IFEO: agentw.exe - svchost.exe

IFEO: alertsvc.exe - svchost.exe

IFEO: alevir.exe - svchost.exe

IFEO: alogserv.exe - svchost.exe

IFEO: AlphaAV - svchost.exe

IFEO: AlphaAV.exe - svchost.exe

IFEO: AluSchedulerSvc.exe - svchost.exe

IFEO: amon9x.exe - svchost.exe

IFEO: anti-trojan.exe - svchost.exe

IFEO: Anti-Virus Professional.exe - svchost.exe

IFEO: AntispywarXP2009.exe - svchost.exe

IFEO: antivirus.exe - svchost.exe

IFEO: AntivirusPlus - svchost.exe

IFEO: AntivirusPlus.exe - svchost.exe

IFEO: AntivirusPro_2010.exe - svchost.exe

IFEO: AntivirusXP - svchost.exe

IFEO: AntivirusXP.exe - svchost.exe

IFEO: antivirusxppro2009.exe - svchost.exe

IFEO: AntiVirus_Pro.exe - svchost.exe

IFEO: ants.exe - svchost.exe

IFEO: apimonitor.exe - svchost.exe

IFEO: aplica32.exe - svchost.exe

IFEO: apvxdwin.exe - svchost.exe

IFEO: arr.exe - svchost.exe

IFEO: Arrakis3.exe - svchost.exe

IFEO: ashAvast.exe - svchost.exe

IFEO: ashBug.exe - svchost.exe

IFEO: ashChest.exe - svchost.exe

IFEO: ashCnsnt.exe - svchost.exe

IFEO: ashDisp.exe - svchost.exe

IFEO: ashLogV.exe - svchost.exe

IFEO: ashMaiSv.exe - svchost.exe

IFEO: ashPopWz.exe - svchost.exe

IFEO: ashQuick.exe - svchost.exe

IFEO: ashServ.exe - svchost.exe

IFEO: ashSimp2.exe - svchost.exe

IFEO: ashSimpl.exe - svchost.exe

IFEO: ashSkPcc.exe - svchost.exe

IFEO: ashSkPck.exe - svchost.exe

IFEO: ashUpd.exe - svchost.exe

IFEO: ashWebSv.exe - svchost.exe

IFEO: aswChLic.exe - svchost.exe

IFEO: aswRegSvr.exe - svchost.exe

IFEO: aswRunDll.exe - svchost.exe

IFEO: aswUpdSv.exe - svchost.exe

IFEO: atcon.exe - svchost.exe

IFEO: atguard.exe - svchost.exe

IFEO: atro55en.exe - svchost.exe

IFEO: atupdater.exe - svchost.exe

IFEO: atwatch.exe - svchost.exe

IFEO: au.exe - svchost.exe

IFEO: aupdate.exe - svchost.exe

IFEO: auto-protect.nav80try.exe - svchost.exe

IFEO: autodown.exe - svchost.exe

IFEO: autotrace.exe - svchost.exe

IFEO: autoupdate.exe - svchost.exe

IFEO: av360.exe - svchost.exe

IFEO: avadmin.exe - svchost.exe

IFEO: AVCare.exe - svchost.exe

IFEO: avcenter.exe - svchost.exe

IFEO: avciman.exe - svchost.exe

IFEO: avconfig.exe - svchost.exe

IFEO: avconsol.exe - svchost.exe

IFEO: ave32.exe - svchost.exe

IFEO: AVENGINE.EXE - svchost.exe

IFEO: avgcc32.exe - svchost.exe

IFEO: avgchk.exe - svchost.exe

IFEO: avgcmgr.exe - svchost.exe

IFEO: avgcsrvx.exe - svchost.exe

IFEO: avgctrl.exe - svchost.exe

IFEO: avgdumpx.exe - svchost.exe

IFEO: avgemc.exe - svchost.exe

IFEO: avgiproxy.exe - svchost.exe

IFEO: avgnsx.exe - svchost.exe

IFEO: avgnt.exe - svchost.exe

IFEO: avgrsx.exe - svchost.exe

IFEO: avgscanx.exe - svchost.exe

IFEO: avgserv.exe - svchost.exe

IFEO: avgserv9.exe - svchost.exe

IFEO: avgsrmax.exe - svchost.exe

IFEO: avgtray.exe - svchost.exe

IFEO: avgui.exe - svchost.exe

IFEO: avgupd.exe - svchost.exe

IFEO: avgw.exe - svchost.exe

IFEO: avgwdsvc.exe - svchost.exe

IFEO: avkpop.exe - svchost.exe

IFEO: avkserv.exe - svchost.exe

IFEO: avkservice.exe - svchost.exe

IFEO: avkwctl9.exe - svchost.exe

IFEO: avltmain.exe - svchost.exe

IFEO: avmailc.exe - svchost.exe

IFEO: avmcdlg.exe - svchost.exe

IFEO: avnotify.exe - svchost.exe

IFEO: avnt.exe - svchost.exe

IFEO: avp32.exe - svchost.exe

IFEO: avpcc.exe - svchost.exe

IFEO: avpdos32.exe - svchost.exe

IFEO: avpm.exe - svchost.exe

IFEO: avptc32.exe - svchost.exe

IFEO: avpupd.exe - svchost.exe

IFEO: avsched32.exe - svchost.exe

IFEO: avsynmgr.exe - svchost.exe

IFEO: avupgsvc.exe - svchost.exe

IFEO: AVWEBGRD.EXE - svchost.exe

IFEO: avwin.exe - svchost.exe

IFEO: avwin95.exe - svchost.exe

IFEO: avwinnt.exe - svchost.exe

IFEO: avwsc.exe - svchost.exe

IFEO: avwupd.exe - svchost.exe

IFEO: avwupd32.exe - svchost.exe

IFEO: avwupsrv.exe - svchost.exe

IFEO: avxmonitor9x.exe - svchost.exe

IFEO: avxmonitornt.exe - svchost.exe

IFEO: avxquar.exe - svchost.exe

IFEO: b.exe - svchost.exe

IFEO: backweb.exe - svchost.exe

IFEO: bargains.exe - svchost.exe

IFEO: bdagent.exe - svchost.exe

IFEO: bdfvcl.exe - svchost.exe

IFEO: bdfvwiz.exe - svchost.exe

IFEO: BDInProcPatch.exe - svchost.exe

IFEO: bdmcon.exe - svchost.exe

IFEO: BDMsnScan.exe - svchost.exe

IFEO: bdreinit.exe - svchost.exe

IFEO: bdsubwiz.exe - svchost.exe

IFEO: BDSurvey.exe - svchost.exe

IFEO: bdtkexec.exe - svchost.exe

IFEO: bdwizreg.exe - svchost.exe

IFEO: bd_professional.exe - svchost.exe

IFEO: beagle.exe - svchost.exe

IFEO: belt.exe - svchost.exe

IFEO: bidef.exe - svchost.exe

IFEO: bidserver.exe - svchost.exe

IFEO: bipcp.exe - svchost.exe

IFEO: bipcpevalsetup.exe - svchost.exe

IFEO: bisp.exe - svchost.exe

IFEO: blackd.exe - svchost.exe

IFEO: blackice.exe - svchost.exe

IFEO: blink.exe - svchost.exe

IFEO: blss.exe - svchost.exe

IFEO: bootconf.exe - svchost.exe

IFEO: bootwarn.exe - svchost.exe

IFEO: borg2.exe - svchost.exe

IFEO: bpc.exe - svchost.exe

IFEO: brasil.exe - svchost.exe

IFEO: brastk.exe - svchost.exe

IFEO: brw.exe - svchost.exe

IFEO: bs120.exe - svchost.exe

IFEO: bspatch.exe - svchost.exe

IFEO: bundle.exe - svchost.exe

IFEO: bvt.exe - svchost.exe

IFEO: c.exe - svchost.exe

IFEO: cavscan.exe - svchost.exe

IFEO: ccapp.exe - svchost.exe

IFEO: ccevtmgr.exe - svchost.exe

IFEO: ccpxysvc.exe - svchost.exe

IFEO: ccSvcHst.exe - svchost.exe

IFEO: cdp.exe - svchost.exe

IFEO: cfd.exe - svchost.exe

IFEO: cfgwiz.exe - svchost.exe

IFEO: cfiadmin.exe - svchost.exe

IFEO: cfiaudit.exe - svchost.exe

IFEO: cfinet.exe - svchost.exe

IFEO: cfinet32.exe - svchost.exe

IFEO: cfp.exe - svchost.exe

IFEO: cfpconfg.exe - svchost.exe

IFEO: cfplogvw.exe - svchost.exe

IFEO: cfpupdat.exe - svchost.exe

IFEO: Cl.exe - svchost.exe

IFEO: claw95.exe - svchost.exe

IFEO: claw95cf.exe - svchost.exe

IFEO: clean.exe - svchost.exe

IFEO: cleaner.exe - svchost.exe

IFEO: cleaner3.exe - svchost.exe

IFEO: cleanIELow.exe - svchost.exe

IFEO: cleanpc.exe - svchost.exe

IFEO: click.exe - svchost.exe

IFEO: cmd32.exe - svchost.exe

IFEO: cmdagent.exe - svchost.exe

IFEO: cmesys.exe - svchost.exe

IFEO: cmgrdian.exe - svchost.exe

IFEO: cmon016.exe - svchost.exe

IFEO: connectionmonitor.exe - svchost.exe

IFEO: control - svchost.exe

IFEO: cpd.exe - svchost.exe

IFEO: cpf9x206.exe - svchost.exe

IFEO: cpfnt206.exe - svchost.exe

IFEO: crashrep.exe - svchost.exe

IFEO: csc.exe - svchost.exe

IFEO: cssconfg.exe - svchost.exe

IFEO: cssupdat.exe - svchost.exe

IFEO: cssurf.exe - svchost.exe

IFEO: ctrl.exe - svchost.exe

IFEO: cv.exe - svchost.exe

IFEO: cwnb181.exe - svchost.exe

IFEO: cwntdwmo.exe - svchost.exe

IFEO: d.exe - svchost.exe

IFEO: datemanager.exe - svchost.exe

IFEO: dcomx.exe - svchost.exe

IFEO: defalert.exe - svchost.exe

IFEO: defscangui.exe - svchost.exe

IFEO: defwatch.exe - svchost.exe

IFEO: deloeminfs.exe - svchost.exe

IFEO: deputy.exe - svchost.exe

IFEO: divx.exe - svchost.exe

IFEO: dllcache.exe - svchost.exe

IFEO: dllreg.exe - svchost.exe

IFEO: doors.exe - svchost.exe

IFEO: dop.exe - svchost.exe

IFEO: dpf.exe - svchost.exe

IFEO: dpfsetup.exe - svchost.exe

IFEO: dpps2.exe - svchost.exe

IFEO: driverctrl.exe - svchost.exe

IFEO: drwatson.exe - svchost.exe

IFEO: drweb32.exe - svchost.exe

IFEO: drwebupw.exe - svchost.exe

IFEO: dssagent.exe - svchost.exe

IFEO: dvp95.exe - svchost.exe

IFEO: dvp95_0.exe - svchost.exe

IFEO: ecengine.exe - svchost.exe

IFEO: efpeadm.exe - svchost.exe

IFEO: egui.exe - svchost.exe

IFEO: ekrn.exe - svchost.exe

IFEO: emsw.exe - svchost.exe

IFEO: ent.exe - svchost.exe

IFEO: esafe.exe - svchost.exe

IFEO: escanhnt.exe - svchost.exe

IFEO: escanv95.exe - svchost.exe

IFEO: espwatch.exe - svchost.exe

IFEO: ethereal.exe - svchost.exe

IFEO: etrustcipe.exe - svchost.exe

IFEO: evpn.exe - svchost.exe

IFEO: exantivirus-cnet.exe - svchost.exe

IFEO: exe.avxw.exe - svchost.exe

IFEO: expert.exe - svchost.exe

IFEO: explore.exe - svchost.exe

IFEO: f-agnt95.exe - svchost.exe

IFEO: f-prot.exe - svchost.exe

IFEO: f-prot95.exe - svchost.exe

IFEO: f-stopw.exe - svchost.exe

IFEO: fact.exe - svchost.exe

IFEO: fameh32.exe - svchost.exe

IFEO: fast.exe - svchost.exe

IFEO: fch32.exe - svchost.exe

IFEO: fih32.exe - svchost.exe

IFEO: findviru.exe - svchost.exe

IFEO: firewall.exe - svchost.exe

IFEO: fixcfg.exe - svchost.exe

IFEO: fixfp.exe - svchost.exe

IFEO: fnrb32.exe - svchost.exe

IFEO: fp-win.exe - svchost.exe

IFEO: fp-win_trial.exe - svchost.exe

IFEO: fprot.exe - svchost.exe

IFEO: frmwrk32.exe - svchost.exe

IFEO: frw.exe - svchost.exe

IFEO: fsaa.exe - svchost.exe

IFEO: fsav.exe - svchost.exe

IFEO: fsav32.exe - svchost.exe

IFEO: fsav530stbyb.exe - svchost.exe

IFEO: fsav530wtbyb.exe - svchost.exe

IFEO: fsav95.exe - svchost.exe

IFEO: fsgk32.exe - svchost.exe

IFEO: fsm32.exe - svchost.exe

IFEO: fsma32.exe - svchost.exe

IFEO: fsmb32.exe - svchost.exe

IFEO: gator.exe - svchost.exe

IFEO: gav.exe - svchost.exe

IFEO: gbmenu.exe - svchost.exe

IFEO: gbn976rl.exe - svchost.exe

IFEO: gbpoll.exe - svchost.exe

IFEO: generics.exe - svchost.exe

IFEO: gmt.exe - svchost.exe

IFEO: guard.exe - svchost.exe

IFEO: guarddog.exe - svchost.exe

IFEO: guardgui.exe - svchost.exe

IFEO: hacktracersetup.exe - svchost.exe

IFEO: hbinst.exe - svchost.exe

IFEO: hbsrv.exe - svchost.exe

IFEO: History.exe - svchost.exe

IFEO: homeav2010.exe - svchost.exe

IFEO: hotactio.exe - svchost.exe

IFEO: hotpatch.exe - svchost.exe

IFEO: htlog.exe - svchost.exe

IFEO: htpatch.exe - svchost.exe

IFEO: hwpe.exe - svchost.exe

IFEO: hxdl.exe - svchost.exe

IFEO: hxiul.exe - svchost.exe

IFEO: iamapp.exe - svchost.exe

IFEO: iamserv.exe - svchost.exe

IFEO: iamstats.exe - svchost.exe

IFEO: ibmasn.exe - svchost.exe

IFEO: ibmavsp.exe - svchost.exe

IFEO: icload95.exe - svchost.exe

IFEO: icloadnt.exe - svchost.exe

IFEO: icmon.exe - svchost.exe

IFEO: icsupp95.exe - svchost.exe

IFEO: icsuppnt.exe - svchost.exe

IFEO: Identity.exe - svchost.exe

IFEO: idle.exe - svchost.exe

IFEO: iedll.exe - svchost.exe

IFEO: iedriver.exe - svchost.exe

IFEO: IEShow.exe - svchost.exe

IFEO: iface.exe - svchost.exe

IFEO: ifw2000.exe - svchost.exe

IFEO: inetlnfo.exe - svchost.exe

IFEO: infus.exe - svchost.exe

IFEO: infwin.exe - svchost.exe

IFEO: init.exe - svchost.exe

IFEO: init32.exe - svchost.exe

IFEO: install.exe - svchost.exe

IFEO: install[1].exe - svchost.exe

IFEO: install[2].exe - svchost.exe

IFEO: install[3].exe - svchost.exe

IFEO: install[4].exe - svchost.exe

IFEO: install[5].exe - svchost.exe

IFEO: intdel.exe - svchost.exe

IFEO: intren.exe - svchost.exe

IFEO: iomon98.exe - svchost.exe

IFEO: istsvc.exe - svchost.exe

IFEO: jammer.exe - svchost.exe

IFEO: jdbgmrg.exe - svchost.exe

IFEO: jedi.exe - svchost.exe

IFEO: JsRcGen.exe - svchost.exe

IFEO: kavlite40eng.exe - svchost.exe

IFEO: kavpers40eng.exe - svchost.exe

IFEO: kavpf.exe - svchost.exe

IFEO: kazza.exe - svchost.exe

IFEO: keenvalue.exe - svchost.exe

IFEO: kerio-pf-213-en-win.exe - svchost.exe

IFEO: kerio-wrl-421-en-win.exe - svchost.exe

IFEO: kerio-wrp-421-en-win.exe - svchost.exe

IFEO: killprocesssetup161.exe - svchost.exe

IFEO: ldnetmon.exe - svchost.exe

IFEO: ldpro.exe - svchost.exe

IFEO: ldpromenu.exe - svchost.exe

IFEO: ldscan.exe - svchost.exe

IFEO: licmgr.exe - svchost.exe

IFEO: livesrv.exe - svchost.exe

IFEO: lnetinfo.exe - svchost.exe

IFEO: loader.exe - svchost.exe

IFEO: localnet.exe - svchost.exe

IFEO: lockdown.exe - svchost.exe

IFEO: lockdown2000.exe - svchost.exe

IFEO: lookout.exe - svchost.exe

IFEO: lordpe.exe - svchost.exe

IFEO: lsetup.exe - svchost.exe

IFEO: luall.exe - svchost.exe

IFEO: luau.exe - svchost.exe

IFEO: lucomserver.exe - svchost.exe

IFEO: luinit.exe - svchost.exe

IFEO: luspt.exe - svchost.exe

IFEO: MalwareRemoval.exe - svchost.exe

IFEO: mapisvc32.exe - svchost.exe

IFEO: mcagent.exe - svchost.exe

IFEO: mcmnhdlr.exe - svchost.exe

IFEO: mcmscsvc.exe - svchost.exe

IFEO: mcnasvc.exe - svchost.exe

IFEO: mcproxy.exe - svchost.exe

IFEO: McSACore.exe - svchost.exe

IFEO: mcshell.exe - svchost.exe

IFEO: mcshield.exe - svchost.exe

IFEO: mcsysmon.exe - svchost.exe

IFEO: mctool.exe - svchost.exe

IFEO: mcupdate.exe - svchost.exe

IFEO: mcvsrte.exe - svchost.exe

IFEO: mcvsshld.exe - svchost.exe

IFEO: md.exe - svchost.exe

IFEO: mfin32.exe - svchost.exe

IFEO: mfw2en.exe - svchost.exe

IFEO: mfweng3.02d30.exe - svchost.exe

IFEO: mgavrtcl.exe - svchost.exe

IFEO: mgavrte.exe - svchost.exe

IFEO: mghtml.exe - svchost.exe

IFEO: mgui.exe - svchost.exe

IFEO: minilog.exe - svchost.exe

IFEO: mmod.exe - svchost.exe

IFEO: monitor.exe - svchost.exe

IFEO: moolive.exe - svchost.exe

IFEO: mostat.exe - svchost.exe

IFEO: mpfagent.exe - svchost.exe

IFEO: mpfservice.exe - svchost.exe

IFEO: MPFSrv.exe - svchost.exe

IFEO: mpftray.exe - svchost.exe

IFEO: mrflux.exe - svchost.exe

IFEO: mrt.exe - svchost.exe

IFEO: msa.exe - svchost.exe

IFEO: msapp.exe - svchost.exe

IFEO: MSASCui.exe - svchost.exe

IFEO: msbb.exe - svchost.exe

IFEO: msblast.exe - svchost.exe

IFEO: mscache.exe - svchost.exe

IFEO: msccn32.exe - svchost.exe

IFEO: mscman.exe - svchost.exe

IFEO: msconfig - svchost.exe

IFEO: msdm.exe - svchost.exe

IFEO: msdos.exe - svchost.exe

IFEO: msfwsvc.exe - svchost.exe

IFEO: msiexec16.exe - svchost.exe

IFEO: mslaugh.exe - svchost.exe

IFEO: msmgt.exe - svchost.exe

IFEO: MsMpEng.exe - svchost.exe

IFEO: msmsgri32.exe - svchost.exe

IFEO: msseces.exe - svchost.exe

IFEO: mssmmc32.exe - svchost.exe

IFEO: mssys.exe - svchost.exe

IFEO: msvxd.exe - svchost.exe

IFEO: mu0311ad.exe - svchost.exe

IFEO: mwatch.exe - svchost.exe

IFEO: n32scanw.exe - svchost.exe

IFEO: nav.exe - svchost.exe

IFEO: navap.navapsvc.exe - svchost.exe

IFEO: navapsvc.exe - svchost.exe

IFEO: navapw32.exe - svchost.exe

IFEO: navdx.exe - svchost.exe

IFEO: navlu32.exe - svchost.exe

IFEO: navnt.exe - svchost.exe

IFEO: navstub.exe - svchost.exe

IFEO: navw32.exe - svchost.exe

IFEO: navwnt.exe - svchost.exe

IFEO: nc2000.exe - svchost.exe

IFEO: ncinst4.exe - svchost.exe

IFEO: ndd32.exe - svchost.exe

IFEO: neomonitor.exe - svchost.exe

IFEO: neowatchlog.exe - svchost.exe

IFEO: netarmor.exe - svchost.exe

IFEO: netd32.exe - svchost.exe

IFEO: netinfo.exe - svchost.exe

IFEO: netmon.exe - svchost.exe

IFEO: netscanpro.exe - svchost.exe

IFEO: netspyhunter-1.2.exe - svchost.exe

IFEO: netutils.exe - svchost.exe

IFEO: nisserv.exe - svchost.exe

IFEO: nisum.exe - svchost.exe

IFEO: nmain.exe - svchost.exe

IFEO: nod32.exe - svchost.exe

IFEO: normist.exe - svchost.exe

IFEO: norton_internet_secu_3.0_407.exe - svchost.exe

IFEO: notstart.exe - svchost.exe

IFEO: npf40_tw_98_nt_me_2k.exe - svchost.exe

IFEO: npfmessenger.exe - svchost.exe

IFEO: nprotect.exe - svchost.exe

IFEO: npscheck.exe - svchost.exe

IFEO: npssvc.exe - svchost.exe

IFEO: nsched32.exe - svchost.exe

IFEO: nssys32.exe - svchost.exe

IFEO: nstask32.exe - svchost.exe

IFEO: nsupdate.exe - svchost.exe

IFEO: nt.exe - svchost.exe

IFEO: ntrtscan.exe - svchost.exe

IFEO: ntvdm.exe - svchost.exe

IFEO: ntxconfig.exe - svchost.exe

IFEO: nui.exe - svchost.exe

IFEO: nupgrade.exe - svchost.exe

IFEO: nvarch16.exe - svchost.exe

IFEO: nvc95.exe - svchost.exe

IFEO: nvsvc32.exe - svchost.exe

IFEO: nwinst4.exe - svchost.exe

IFEO: nwservice.exe - svchost.exe

IFEO: nwtool16.exe - svchost.exe

IFEO: OAcat.exe - svchost.exe

IFEO: OAhlp.exe - svchost.exe

IFEO: OAReg.exe - svchost.exe

IFEO: oasrv.exe - svchost.exe

IFEO: oaui.exe - svchost.exe

IFEO: oaview.exe - svchost.exe

IFEO: OcHealthMon.exe - svchost.exe

IFEO: ODSW.exe - svchost.exe

IFEO: ollydbg.exe - svchost.exe

IFEO: OLT.exe - svchost.exe

IFEO: onsrvr.exe - svchost.exe

IFEO: optimize.exe - svchost.exe

IFEO: ostronet.exe - svchost.exe

IFEO: otfix.exe - svchost.exe

IFEO: outpost.exe - svchost.exe

IFEO: outpostinstall.exe - svchost.exe

IFEO: outpostproinstall.exe - svchost.exe

IFEO: ozn695m5.exe - svchost.exe

IFEO: padmin.exe - svchost.exe

IFEO: panixk.exe - svchost.exe

IFEO: patch.exe - svchost.exe

IFEO: pav.exe - svchost.exe

IFEO: pavcl.exe - svchost.exe

IFEO: PavFnSvr.exe - svchost.exe

IFEO: pavproxy.exe - svchost.exe

IFEO: pavprsrv.exe - svchost.exe

IFEO: pavsched.exe - svchost.exe

IFEO: pavsrv51.exe - svchost.exe

IFEO: pavw.exe - svchost.exe

IFEO: pc.exe - svchost.exe

IFEO: pccwin98.exe - svchost.exe

IFEO: pcfwallicon.exe - svchost.exe

IFEO: pcip10117_0.exe - svchost.exe

IFEO: pcscan.exe - svchost.exe

IFEO: pctsAuxs.exe - svchost.exe

IFEO: pctsGui.exe - svchost.exe

IFEO: pctsSvc.exe - svchost.exe

IFEO: pctsTray.exe - svchost.exe

IFEO: PC_Antispyware2010.exe - svchost.exe

IFEO: pdfndr.exe - svchost.exe

IFEO: pdsetup.exe - svchost.exe

IFEO: PerAvir.exe - svchost.exe

IFEO: periscope.exe - svchost.exe

IFEO: persfw.exe - svchost.exe

IFEO: personalguard - svchost.exe

IFEO: personalguard.exe - svchost.exe

IFEO: perswf.exe - svchost.exe

IFEO: pf2.exe - svchost.exe

IFEO: pfwadmin.exe - svchost.exe

IFEO: pgmonitr.exe - svchost.exe

IFEO: pingscan.exe - svchost.exe

IFEO: platin.exe - svchost.exe

IFEO: pop3trap.exe - svchost.exe

IFEO: poproxy.exe - svchost.exe

IFEO: popscan.exe - svchost.exe

IFEO: portdetective.exe - svchost.exe

IFEO: portmonitor.exe - svchost.exe

IFEO: powerscan.exe - svchost.exe

IFEO: ppinupdt.exe - svchost.exe

IFEO: pptbc.exe - svchost.exe

IFEO: ppvstop.exe - svchost.exe

IFEO: prizesurfer.exe - svchost.exe

IFEO: prmt.exe - svchost.exe

IFEO: prmvr.exe - svchost.exe

IFEO: procdump.exe - svchost.exe

IFEO: processmonitor.exe - svchost.exe

IFEO: procexplorerv1.0.exe - svchost.exe

IFEO: programauditor.exe - svchost.exe

IFEO: proport.exe - svchost.exe

IFEO: protector.exe - svchost.exe

IFEO: protectx.exe - svchost.exe

IFEO: PSANCU.exe - svchost.exe

IFEO: PSANHost.exe - svchost.exe

IFEO: PSANToManager.exe - svchost.exe

IFEO: PsCtrls.exe - svchost.exe

IFEO: PsImSvc.exe - svchost.exe

IFEO: PskSvc.exe - svchost.exe

IFEO: pspf.exe - svchost.exe

IFEO: PSUNMain.exe - svchost.exe

IFEO: purge.exe - svchost.exe

IFEO: qconsole.exe - svchost.exe

IFEO: qh.exe - svchost.exe

IFEO: qserver.exe - svchost.exe

IFEO: Quick Heal.exe - svchost.exe

IFEO: QuickHealCleaner.exe - svchost.exe

IFEO: rapapp.exe - svchost.exe

IFEO: rav7.exe - svchost.exe

IFEO: rav7win.exe - svchost.exe

IFEO: rav8win32eng.exe - svchost.exe

IFEO: ray.exe - svchost.exe

IFEO: rb32.exe - svchost.exe

IFEO: rcsync.exe - svchost.exe

IFEO: realmon.exe - svchost.exe

IFEO: reged.exe - svchost.exe

IFEO: regedt32.exe - svchost.exe

IFEO: rescue.exe - svchost.exe

IFEO: rescue32.exe - svchost.exe

IFEO: rrguard.exe - svchost.exe

IFEO: rscdwld.exe - svchost.exe

IFEO: rshell.exe - svchost.exe

IFEO: rtvscan.exe - svchost.exe

IFEO: rtvscn95.exe - svchost.exe

IFEO: rulaunch.exe - svchost.exe

IFEO: rwg - svchost.exe

IFEO: rwg.exe - svchost.exe

IFEO: SafetyKeeper.exe - svchost.exe

IFEO: safeweb.exe - svchost.exe

IFEO: sahagent.exe - svchost.exe

IFEO: Save.exe - svchost.exe

IFEO: SaveArmor.exe - svchost.exe

IFEO: SaveDefense.exe - svchost.exe

IFEO: SaveKeep.exe - svchost.exe

IFEO: savenow.exe - svchost.exe

IFEO: sbserv.exe - svchost.exe

IFEO: sc.exe - svchost.exe

IFEO: scam32.exe - svchost.exe

IFEO: scan32.exe - svchost.exe

IFEO: scan95.exe - svchost.exe

IFEO: scanpm.exe - svchost.exe

IFEO: scrscan.exe - svchost.exe

IFEO: seccenter.exe - svchost.exe

IFEO: Secure Veteran.exe - svchost.exe

IFEO: secureveteran.exe - svchost.exe

IFEO: Security Center.exe - svchost.exe

IFEO: SecurityFighter.exe - svchost.exe

IFEO: securitysoldier.exe - svchost.exe

IFEO: serv95.exe - svchost.exe

IFEO: setloadorder.exe - svchost.exe

IFEO: setupvameeval.exe - svchost.exe

IFEO: setup_flowprotector_us.exe - svchost.exe

IFEO: sgssfw32.exe - svchost.exe

IFEO: sh.exe - svchost.exe

IFEO: shellspyinstall.exe - svchost.exe

IFEO: shield.exe - svchost.exe

IFEO: shn.exe - svchost.exe

IFEO: showbehind.exe - svchost.exe

IFEO: signcheck.exe - svchost.exe

IFEO: smart.exe - svchost.exe

IFEO: smartprotector.exe - svchost.exe

IFEO: smc.exe - svchost.exe

IFEO: smrtdefp.exe - svchost.exe

IFEO: sms.exe - svchost.exe

IFEO: smss32.exe - svchost.exe

IFEO: snetcfg.exe - svchost.exe

IFEO: soap.exe - svchost.exe

IFEO: sofi.exe - svchost.exe

IFEO: SoftSafeness.exe - svchost.exe

IFEO: sperm.exe - svchost.exe

IFEO: spf.exe - svchost.exe

IFEO: sphinx.exe - svchost.exe

IFEO: spoler.exe - svchost.exe

IFEO: spoolcv.exe - svchost.exe

IFEO: spoolsv32.exe - svchost.exe

IFEO: spywarexpguard.exe - svchost.exe

IFEO: spyxx.exe - svchost.exe

IFEO: srexe.exe - svchost.exe

IFEO: srng.exe - svchost.exe

IFEO: ss3edit.exe - svchost.exe

IFEO: ssgrate.exe - svchost.exe

IFEO: ssg_4104.exe - svchost.exe

IFEO: st2.exe - svchost.exe

IFEO: start.exe - svchost.exe

IFEO: stcloader.exe - svchost.exe

IFEO: supftrl.exe - svchost.exe

IFEO: support.exe - svchost.exe

IFEO: supporter5.exe - svchost.exe

IFEO: svc.exe - svchost.exe

IFEO: svchostc.exe - svchost.exe

IFEO: svchosts.exe - svchost.exe

IFEO: svshost.exe - svchost.exe

IFEO: sweep95.exe - svchost.exe

IFEO: sweepnet.sweepsrv.sys.swnetsup.exe - svchost.exe

IFEO: symlcsvc.exe - svchost.exe

IFEO: symproxysvc.exe - svchost.exe

IFEO: symtray.exe - svchost.exe

IFEO: system.exe - svchost.exe

IFEO: system32.exe - svchost.exe

IFEO: sysupd.exe - svchost.exe

IFEO: tapinstall.exe - svchost.exe

IFEO: taskmgr.exe - svchost.exe

IFEO: taumon.exe - svchost.exe

IFEO: tbscan.exe - svchost.exe

IFEO: tc.exe - svchost.exe

IFEO: tca.exe - svchost.exe

IFEO: tcm.exe - svchost.exe

IFEO: tds-3.exe - svchost.exe

IFEO: tds2-98.exe - svchost.exe

IFEO: tds2-nt.exe - svchost.exe

IFEO: teekids.exe - svchost.exe

IFEO: tfak.exe - svchost.exe

IFEO: tfak5.exe - svchost.exe

IFEO: tgbob.exe - svchost.exe

IFEO: titanin.exe - svchost.exe

IFEO: titaninxp.exe - svchost.exe

IFEO: TPSrv.exe - svchost.exe

IFEO: trickler.exe - svchost.exe

IFEO: trjscan.exe - svchost.exe

IFEO: trjsetup.exe - svchost.exe

IFEO: trojantrap3.exe - svchost.exe

IFEO: TrustWarrior.exe - svchost.exe

IFEO: tsadbot.exe - svchost.exe

IFEO: tsc.exe - svchost.exe

IFEO: tvmd.exe - svchost.exe

IFEO: tvtmd.exe - svchost.exe

IFEO: uiscan.exe - svchost.exe

IFEO: undoboot.exe - svchost.exe

IFEO: updat.exe - svchost.exe

IFEO: upgrad.exe - svchost.exe

IFEO: upgrepl.exe - svchost.exe

IFEO: utpost.exe - svchost.exe

IFEO: vbcmserv.exe - svchost.exe

IFEO: vbcons.exe - svchost.exe

IFEO: vbust.exe - svchost.exe

IFEO: vbwin9x.exe - svchost.exe

IFEO: vbwinntw.exe - svchost.exe

IFEO: vcsetup.exe - svchost.exe

IFEO: vet32.exe - svchost.exe

IFEO: vet95.exe - svchost.exe

IFEO: vettray.exe - svchost.exe

IFEO: vfsetup.exe - svchost.exe

IFEO: vir-help.exe - svchost.exe

IFEO: virusmdpersonalfirewall.exe - svchost.exe

IFEO: VisthAux.exe - svchost.exe

IFEO: VisthLic.exe - svchost.exe

IFEO: VisthUpd.exe - svchost.exe

IFEO: vnlan300.exe - svchost.exe

IFEO: vnpc3000.exe - svchost.exe

IFEO: vpc32.exe - svchost.exe

IFEO: vpc42.exe - svchost.exe

IFEO: vpfw30s.exe - svchost.exe

IFEO: vptray.exe - svchost.exe

IFEO: vscan40.exe - svchost.exe

IFEO: vscenu6.02d30.exe - svchost.exe

IFEO: vsched.exe - svchost.exe

IFEO: vsecomr.exe - svchost.exe

IFEO: vshwin32.exe - svchost.exe

IFEO: vsisetup.exe - svchost.exe

IFEO: vsmain.exe - svchost.exe

IFEO: vsmon.exe - svchost.exe

IFEO: vsserv.exe - svchost.exe

IFEO: vsstat.exe - svchost.exe

IFEO: vswin9xe.exe - svchost.exe

IFEO: vswinntse.exe - svchost.exe

IFEO: vswinperse.exe - svchost.exe

IFEO: w32dsm89.exe - svchost.exe

IFEO: W3asbas.exe - svchost.exe

IFEO: w9x.exe - svchost.exe

IFEO: watchdog.exe - svchost.exe

IFEO: webdav.exe - svchost.exe

IFEO: WebProxy.exe - svchost.exe

IFEO: webscanx.exe - svchost.exe

IFEO: webtrap.exe - svchost.exe

IFEO: wfindv32.exe - svchost.exe

IFEO: whoswatchingme.exe - svchost.exe

IFEO: wimmun32.exe - svchost.exe

IFEO: win-bugsfix.exe - svchost.exe

IFEO: win32.exe - svchost.exe

IFEO: win32us.exe - svchost.exe

IFEO: winactive.exe - svchost.exe

IFEO: winav.exe - svchost.exe

IFEO: windll32.exe - svchost.exe

IFEO: window.exe - svchost.exe

IFEO: windows Police Pro.exe - svchost.exe

IFEO: windows.exe - svchost.exe

IFEO: wininetd.exe - svchost.exe

IFEO: wininitx.exe - svchost.exe

IFEO: winlogin.exe - svchost.exe

IFEO: winmain.exe - svchost.exe

IFEO: winppr32.exe - svchost.exe

IFEO: winrecon.exe - svchost.exe

IFEO: winservn.exe - svchost.exe

IFEO: winss.exe - svchost.exe

IFEO: winssk32.exe - svchost.exe

IFEO: winssnotify.exe - svchost.exe

IFEO: WinSSUI.exe - svchost.exe

IFEO: winstart.exe - svchost.exe

IFEO: winstart001.exe - svchost.exe

IFEO: wintsk32.exe - svchost.exe

IFEO: winupdate.exe - svchost.exe

IFEO: wkufind.exe - svchost.exe

IFEO: wnad.exe - svchost.exe

IFEO: wnt.exe - svchost.exe

IFEO: wradmin.exe - svchost.exe

IFEO: wrctrl.exe - svchost.exe

IFEO: wsbgate.exe - svchost.exe

IFEO: wscfxas.exe - svchost.exe

IFEO: wscfxav.exe - svchost.exe

IFEO: wscfxfw.exe - svchost.exe

IFEO: wsctool.exe - svchost.exe

IFEO: wupdater.exe - svchost.exe

IFEO: wupdt.exe - svchost.exe

IFEO: wyvernworksfirewall.exe - svchost.exe

IFEO: xpdeluxe.exe - svchost.exe

IFEO: xpf202en.exe - svchost.exe

IFEO: xp_antispyware.exe - svchost.exe

IFEO: zapro.exe - svchost.exe

IFEO: zapsetup3001.exe - svchost.exe

IFEO: zatutor.exe - svchost.exe

IFEO: zonalm2601.exe - svchost.exe

IFEO: zonealarm.exe - svchost.exe

IFEO: _avp32.exe - svchost.exe

IFEO: _avpcc.exe - svchost.exe

IFEO: _avpm.exe - svchost.exe

IFEO: ~1.exe - svchost.exe

IFEO: ~2.exe - svchost.exe

.

==== Hosts File Hijack ======================

.

Hosts: 69.72.252.252 www.google.com

Hosts: 178.17.165.3 www.google.com

Hosts: 69.72.252.252 www.google.com.au

Hosts: 178.17.165.3 www.google.com.au

Hosts: 69.72.252.252 www.google.be

Hosts: 178.17.165.3 www.google.be

Hosts: 69.72.252.252 www.google.com.br

Hosts: 178.17.165.3 www.google.com.br

Hosts: 69.72.252.252 www.google.ca

Hosts: 178.17.165.3 www.google.ca

Hosts: 69.72.252.252 www.google.ch

Hosts: 178.17.165.3 www.google.ch

Hosts: 69.72.252.252 www.google.de

Hosts: 178.17.165.3 www.google.de

Hosts: 69.72.252.252 www.google.dk

Hosts: 178.17.165.3 www.google.dk

Hosts: 69.72.252.252 www.google.fr

Hosts: 178.17.165.3 www.google.fr

Hosts: 69.72.252.252 www.google.ie

Hosts: 178.17.165.3 www.google.ie

Hosts: 69.72.252.252 www.google.it

Hosts: 178.17.165.3 www.google.it

Hosts: 69.72.252.252 www.google.co.jp

Hosts: 178.17.165.3 www.google.co.jp

Hosts: 69.72.252.252 www.google.nl

Hosts: 178.17.165.3 www.google.nl

Hosts: 69.72.252.252 www.google.no

Hosts: 178.17.165.3 www.google.no

Hosts: 69.72.252.252 www.google.co.nz

Hosts: 178.17.165.3 www.google.co.nz

Hosts: 69.72.252.252 www.google.pl

Hosts: 178.17.165.3 www.google.pl

Hosts: 69.72.252.252 www.google.se

Hosts: 178.17.165.3 www.google.se

Hosts: 69.72.252.252 www.google.co.uk

Hosts: 178.17.165.3 www.google.co.uk

Hosts: 69.72.252.252 www.google.co.za

Hosts: 178.17.165.3 www.google.co.za

Hosts: 69.72.252.252 www.bing.com

Hosts: 178.17.165.3 www.bing.com

Hosts: 69.72.252.252 search.yahoo.com

Hosts: 178.17.165.3 search.yahoo.com

Hosts: 69.72.252.252 uk.search.yahoo.com

Hosts: 178.17.165.3 uk.search.yahoo.com

Hosts: 69.72.252.252 ca.search.yahoo.com

Hosts: 178.17.165.3 ca.search.yahoo.com

Hosts: 69.72.252.252 de.search.yahoo.com

Hosts: 178.17.165.3 de.search.yahoo.com

Hosts: 69.72.252.252 fr.search.yahoo.com

Hosts: 178.17.165.3 fr.search.yahoo.com

Hosts: 69.72.252.252 au.search.yahoo.com

Hosts: 178.17.165.3 au.search.yahoo.com

Hosts: 69.72.252.252 www.google-analytics.com

Hosts: 178.17.165.3 www.google-analytics.com

.

==== Installed Programs ======================

.

ACE Mega CoDecS Pack

Adobe Flash Player 10 Plugin

Adobe Reader 9.1

Ask Toolbar

avast! Free Antivirus

CANYON CN-WCAM23 PC-Camera

Download Updater (AOL LLC)

EasyBits GO

Favorite-Games 5.19

FlexType 2K

IZArc 4.1

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox (3.6.17)

MSVCRT

Nero 7 Essentials

PowerDVD

Segoe UI

ShopperReports

Skype Toolbars

Skype™ 5.3

SoundMAX

The KMPlayer (remove only)

Trojan Killer 2.0

Unity Web Player

UseNeXT

WebFldrs XP

Winamp

Winamp Detector Plug-in

Windows Installer 3.1 (KB893803)

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

Windows Media Format Runtime

Xvid Video Codec

µTorrent

.

==== Event Viewer Messages From Past Week ========

.

31.5.2011 г. 07:03:03, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

30.5.2011 г. 06:22:46, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

06.6.2011 г. 10:20:16, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

06.6.2011 г. 07:50:55, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

06.6.2011 г. 07:49:06, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00112F92BE4A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

05.6.2011 г. 06:40:45, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

04.6.2011 г. 07:31:50, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

03.6.2011 г. 06:33:03, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

02.6.2011 г. 07:07:11, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

01.6.2011 г. 06:36:47, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2550 (0x9F6).

.

==== End Of File ===========================
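The DDS log above shows two of the tricks this rogue uses to keep its victim from fighting back. Every IFEO line sets svchost.exe as the "Debugger" for a security tool or system utility (taskmgr.exe, regedt32.exe, msconfig, MsMpEng.exe and hundreds more), so when any of them is launched Windows starts svchost.exe instead, with the original command line appended, and the requested program never runs. The hosts-file section points the major search engines at 69.72.252.252 and 178.17.165.3 instead of their real addresses. The Python below is an added example, not part of the original thread and not DDS or OTL code: it parses a few constructed lines in the DDS format, flags every IFEO entry whose "debugger" is not a real debugger, flags every hosts entry that redirects a name to a routable address (as opposed to blocking it with 127.0.0.1 or 0.0.0.0), and emits a .reg fragment that deletes the hijacked IFEO keys. The KNOWN_DEBUGGERS set and the sample lines are assumptions made for the example.

```python
"""Triage of DDS-style log lines for two rogue-antivirus tricks seen in the
thread: IFEO "Debugger" hijacks and hosts-file search-engine redirection.
Added example: it only parses text and touches neither the registry nor hosts."""
import ipaddress
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Programs that legitimately appear as an IFEO Debugger (an assumption for
# this example; extend it for your environment). Anything else is a hijack.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "drwtsn32.exe",
                   "vsjitdebugger.exe"}

# "IFEO: <image> - <debugger>"; image names may contain spaces
# ("Quick Heal.exe"), so match non-greedily up to the " - " separator.
IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>\S.*)$")
# "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")

# Constructed sample in the DDS format: the shapes seen in the thread's log,
# plus one legitimate debugger entry and two benign hosts entries that must
# not be flagged.
SAMPLE_LOG = """\
IFEO: msconfig - svchost.exe
IFEO: taskmgr.exe - svchost.exe
IFEO: regedt32.exe - svchost.exe
IFEO: MsMpEng.exe - svchost.exe
IFEO: Quick Heal.exe - svchost.exe
IFEO: myapp.exe - ntsd.exe -g
Hosts: 69.72.252.252 www.google.com
Hosts: 178.17.165.3 www.google.com
Hosts: 127.0.0.1 localhost
Hosts: 0.0.0.0 ads.example.invalid
"""

def parse_dds(text):
    """Return {'ifeo': [(image, debugger)], 'hosts': [(ip, host)]}."""
    found = {"ifeo": [], "hosts": []}
    for line in text.splitlines():
        line = line.strip()
        if m := IFEO_RE.match(line):
            found["ifeo"].append((m["image"], m["debugger"]))
        elif m := HOSTS_RE.match(line):
            found["hosts"].append((m["ip"], m["host"]))
    return found

def debugger_exe(debugger):
    """Executable name of a Debugger value, without path or arguments."""
    if debugger.startswith('"'):
        prog = debugger[1:].split('"', 1)[0]
    else:
        prog = debugger.split()[0]
    return prog.rsplit("\\", 1)[-1].lower()

def ifeo_hijacks(entries, allowed=KNOWN_DEBUGGERS):
    """IFEO entries whose Debugger is not a real debugger. Windows starts that
    program instead of the image, with the image's command line appended."""
    return [(image, dbg) for image, dbg in entries
            if debugger_exe(dbg) not in allowed]

def hosts_redirects(entries):
    """Hosts entries that send a name to a routable address. Loopback and
    0.0.0.0 entries merely block a name (ad-block lists) and are skipped."""
    redirects = []
    for ip, host in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP literal, nothing to classify
        if not (addr.is_loopback or addr.is_unspecified):
            redirects.append((host, ip))
    return redirects

def ifeo_cleanup_reg(hijacked):
    """A .reg fragment deleting each hijacked IFEO key outright. Appropriate
    only when the key holds nothing but the planted Debugger value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hijacked:
        lines += [f"[-{IFEO_KEY}\\{image}]", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse_dds(SAMPLE_LOG)
    hijacked = ifeo_hijacks(found["ifeo"])
    for image, dbg in hijacked:
        print(f"IFEO hijack: {image} -> {dbg}")
    for host, ip in hosts_redirects(found["hosts"]):
        print(f"hosts redirect: {host} -> {ip}")
    print(ifeo_cleanup_reg(hijacked))
```

Run it against a real DDS log by reading the file into parse_dds instead of SAMPLE_LOG. Deleting a whole IFEO key is the right fix here because the rogue created these keys only to plant the Debugger value; on a machine where an IFEO key also carries legitimate values (GlobalFlag, for instance) delete the Debugger value alone.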

OK...

Now run the following check:

  • Download OTL.exe and save it to the desktop.
  • Double-click the file [image] to start it.
  • Tick Scan All Users [image]
  • Under the File Age menu => select 90 days
  • Under the Standard Registry menu => change it to ALL
  • Tick LOP and Purity Check

  • Under [image], copy/paste the following text:
netsvcs
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\Application Data\*.*
%USERPROFILE%\Local Settings\Application Data\*.*
%AllUsersProfile%\*.*
%AllUsersProfile%\Application Data\*.*
%USERPROFILE%\My Documents\*.*
%CommonProgramFiles%\*.*
%PROGRAMFILES%\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
/md5start
hlp.dat
winlogon.exe
wininit.exe
userinit.exe
explorer.exe
volsnap.sys
/md5stop
  • Click the button highlighted in blue: [image].
  • When the scan finishes, two files will be created - OTL.Txt and Extras.Txt.
  • Post the contents of the log files in your next comment.
  • Author

The "OTL.Txt" file is too long, so I will attach it; here is the other one:

OTL Extras logfile created on: 06.6.2011 г. 11:12:53 - Run 1

OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\name\Desktop

Windows XP Professional Edition Service Pack 2, v.2149 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2149)

Locale: 00000402 | Country: Bulgaria | Language: BGR | Date Format: dd.M.yyyy 'г.'

767,23 Mb Total Physical Memory | 331,57 Mb Available Physical Memory | 43,22% Memory free

1,83 Gb Paging File | 1,48 Gb Available in Paging File | 80,90% Paging File free

Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 20,51 Gb Total Space | 13,52 Gb Free Space | 65,92% Space Free | Partition Type: NTFS

Drive D: | 27,98 Gb Total Space | 12,35 Gb Free Space | 44,14% Space Free | Partition Type: NTFS

Drive E: | 28,20 Gb Total Space | 26,27 Gb Free Space | 93,15% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: name | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)

"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD -- (CyberLink Corp.)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM

"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)

"C:\Documents and Settings\All Users\Application Data\7b3df2\PS7b3_284.exe" = C:\Documents and Settings\All Users\Application Data\7b3df2\PS7b3_284.exe:*:Enabled:PC Security Guardian -- ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials

"{4908C75E-E5E2-43F7-B1DF-023CBA831033}" = Nero 7 Essentials

"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0

"{8686D4FE-62EF-46FB-B9FD-00679EB381FF}_is1" = Trojan Killer 2.0

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 4.1

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1

"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger

"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars

"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{FFFF6D5C-E2F1-4B40-BC89-8923312E89EB}}_is1" = ACE Mega CoDecS Pack

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"avast5" = avast! Free Antivirus

"CANYON CN-WCAM23 PC-Camera_is1" = CANYON CN-WCAM23 PC-Camera

"Favorite-Games_is1" = Favorite-Games 5.19

"FlexType 2K" = FlexType 2K

"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0

"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)

"ShopperReportsSA" = ShopperReports

"SoftwareUpdUtility" = Download Updater (AOL LLC)

"The KMPlayer" = The KMPlayer (remove only)

"UseNeXT_is1" = UseNeXT

"uTorrent" = µTorrent

"Winamp" = Winamp

"Windows Media Format Runtime" = Windows Media Format Runtime

"WinLiveSuite_Wave3" = Windows Live Essentials

"Xvid Video Codec 1.3.1" = Xvid Video Codec

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Game Organizer" = EasyBits GO

"UnityWebPlayer" = Unity Web Player

"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 19.3.2011 г. 01:33:10 | Computer Name = PC | Source = Windows Live Messenger | ID = 1000

Description =

Error - 21.3.2011 г. 02:37:26 | Computer Name = PC | Source = Windows Live Messenger | ID = 1000

Description =

Error - 14.5.2011 г. 00:42:44 | Computer Name = PC | Source = Windows Live Messenger | ID = 1000

Description =

Error - 14.5.2011 г. 02:25:19 | Computer Name = PC | Source = Application Hang | ID = 1002

Description = Hanging application Skype.exe, version 5.0.0.156, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 19.5.2011 г. 01:46:39 | Computer Name = PC | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 1.9.2.4127, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 19.5.2011 г. 01:46:41 | Computer Name = PC | Source = Application Error | ID = 1000

Description = Faulting application plugin-container.exe, version 1.9.2.4127, faulting

module ntdll.dll, version 5.1.2600.2149, fault address 0x000059b1.

Error - 19.5.2011 г. 14:43:37 | Computer Name = PC | Source = Application Hang | ID = 1002

Description = Hanging application Skype.exe, version 5.3.0.111, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 27.5.2011 г. 10:56:56 | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application Skype.exe, version 5.3.0.111, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 01.6.2011 г. 03:57:12 | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application Skype.exe, version 5.3.0.111, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05.6.2011 г. 13:01:03 | Computer Name = PC | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4127, faulting module ntdll.dll, version 5.1.2600.2149, fault address 0x000059b1.

[ System Events ]

Error - 29.5.2011 г. 23:22:46 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 31.5.2011 г. 00:03:03 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 31.5.2011 г. 23:36:47 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 02.6.2011 г. 00:07:11 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 02.6.2011 г. 23:33:03 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 04.6.2011 г. 00:31:50 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 04.6.2011 г. 23:40:45 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 06.6.2011 г. 00:49:06 | Computer Name = PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.3 for the Network Card with network address 00112F92BE4A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error - 06.6.2011 г. 00:50:55 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

Error - 06.6.2011 г. 03:20:16 | Computer Name = PC | Source = Service Control Manager | ID = 7024
Description = The Computer Browser service terminated with service-specific error 2550 (0x9F6).

< End of report >

OTL.Txt

STEP 1

Uninstall the following programs from Add/Remove Programs in the Control Panel:

-Ask Toolbar

-GridinSoft Trojan Killer

STEP 2

Open notepad.exe and enter the following:

@echo off
rem "echo,Y" answers the "Are you sure (Y/N)?" prompt that cacls asks before changing the ACL.
rem Note: /G without /E replaces the existing ACL with a single Everyone:Full Control entry
rem (cacls /E /G would add the entry instead of replacing the list).
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f
rem Clear the system, hidden and read-only attributes so the hosts file can be reset later.
attrib -s -h -r "%WinDir%\system32\drivers\etc\hosts"

Save the file as fix.bat and run it.

STEP 3

Start OTL again and copy/paste the script text from the text box below into the Custom Scans/Fixes box. Be sure to copy the script exactly as it is, including the colon before the first line of the script!

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (PandoraTV Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (PandoraTV Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\..\Toolbar\WebBrowser: (PandoraTV Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003..\Run: [ares]  File not found
O4 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003..\Run: [PC Security Guardian]  File not found
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 0 = msseces.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = MSASCui.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = ekrn.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 3 = egui.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 4 = avgnt.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 5 = avcenter.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 6 = avscan.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 7 = avgfrw.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 8 = avgui.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 9 = avgtray.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 10 = avgscanx.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 11 = avgcfgex.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 12 = avgemc.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 13 = avgchsvx.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 14 = avgcmgr.exe
O7 - HKU\S-1-5-21-1482476501-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 15 = avgwdsvc.exe
[2011.06.06 10:25:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft
[2011.06.06 10:25:38 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2011.06.06 09:55:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\name\Application Data\PC Security Guardian
[2011.06.06 09:55:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\7b3df2
[2011.06.06 11:01:00 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011.06.06 10:19:03 | 000,001,785 | ---- | C] () -- C:\Documents and Settings\name\Start Menu\Programs\PC Security Guardian.lnk
[2011.06.06 09:56:02 | 000,001,797 | ---- | C] () -- C:\Documents and Settings\name\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Security Guardian.lnk
:Files
dir /s /a "C:\Documents and Settings\All Users\Application Data\BF8051E7-626F-4a11-AF7A-625A7B555862 " /c
dir /s /a "C:\Documents and Settings\All Users\Application Data\PSQKGJOG " /c
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\All Users\Application Data\7b3df2\PS7b3_284.exe" =-
:Commands
[resethosts]
[reboot]
Once you have entered the script from the quote above, press the button marked in red: [image]

A log file will be created. Copy/paste its contents into your next reply.

PS: If no log file appears, open the folder C:\_OTL\MovedFiles, open the log file there and post its contents in your next reply.

STEP 4

  • Download Malwarebytes' Anti-Malware from here and install it.
  • Start Malwarebytes' Anti-Malware, go to the UPDATE tab and click Check for updates.
  • Then go back to the Scanner tab, select Perform FULL Scan and click Scan.
  • The scan will take some time, so please be patient.
  • When the scan finishes, click OK, then Show Results to view the results.
  • Make sure every entry is ticked and click Remove Selected.
  • When everything has been removed, the log will open in Notepad. Copy the log and post it in your next reply in the thread.

Note: If Malwarebytes' Anti-Malware has trouble removing the detected viruses/threats, it will ask to restart the computer and remove the problematic items during the restart. If asked, confirm that you want your computer restarted.

  • Author

Here you go, and sorry for the delay!

OTL.Txt

MBAM.txt

Edited by Минков

Good work...

Now let's check for rootkits:

STEP 1

Follow these instructions for running GMER:

  • Download this file and extract it to the desktop.
  • Temporarily disconnect from the Internet and close all running programs, including your antivirus (if you have one).
  • Rename GMER.exe to Tool.exe and run it.

    Notes:

    1. The scan can produce errors, so do not take any action on lines marked "<--- ROOTKIT" without instructions to do so.

    2. If GMER does not start or does not work correctly, do not try to start it again. You may try in Safe Mode, but only once.

  • If a rootkit is detected, you will be asked whether you want a full system scan. Choose NO.
  • In the right-hand panel you will see what is being checked; do not change anything. Make sure Show All is not ticked.
  • Tick all drives: C:, D:, etc.
  • Click the Scan button and wait for the program to finish scanning.
  • When the scan finishes, click Save and save (save as) the results to the desktop under the name: Results.log
  • You can now reconnect to the Internet.

STEP 2

Please download aswMBR and save it to your desktop.

  • Double-click aswMBR.exe to run it.
  • Click the Scan button to start the check.
  • When the check finishes, click the save log button, save the log file to the desktop and post its contents in your next reply.

Regards!

And the GMER log?

You had a Sinowal bootkit infection in the MBR.

19:03:23.968    Disk 0 malicious Win32:MBRoot code @ sector 61 !
19:03:24.000    Disk 0 PE file @ sector 160810650 !

It should be inactive now, and what shows in the log should be its backup copy, which cannot be cleaned without formatting, deleting and recreating the partition. But I don't think that is necessary now that the infection has been neutralised. Still, I want us to run a check with TDSSKiller, just in case (in case a colleague from the foreign forums is reading... :tongue2:).

  • Download TDSSKiller and extract it to the desktop.

  • Run TDSSKiller.exe, then click the Start Scan button.

    [image]

  • If a malicious file is found, check that the Cure option is selected (the default). If Cure is selected, click Continue.

    [image]

  • If a suspicious file is found, check that the Skip option is selected (the default). If Skip is selected, click Continue.

  • Choose Skip for the sptd service as well:

    [image]

  • The program may require a restart. If so, confirm with Reboot Now.

    [image]

    - If there is no restart, go to Report. A log file will appear. Copy and paste its contents into your next reply.

    - If there is a restart, go to the root directory of drive C:\. There should be a file named in the format TDSSKiller.[Version]_[Date]_[Time]_log.txt. Open it, copy and paste its contents into your next reply.

  • Author

And the GMER log?

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-06 19:00:50

Windows 5.1.2600 Service Pack 2, v.2149 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ExcelStor_Technology_J880 rev.PF2OA21B

Running: Tool.exe; Driver: C:\DOCUME~1\name\LOCALS~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF5BC0CF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF5BC0BAC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF5BC1160]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF5BC108A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF5BC0782]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF5BC0C86]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF5BC06C2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF5BC0726]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF5BC0DA6]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF5BC122E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF5BC0D66]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF5BC0EE6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF5BCDBAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF5BCD9D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF5BCDB0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_allmul + 98 804E3218 4 Bytes [F0, 0C, BC, F5]

.text ntoskrnl.exe!_allmul + D8 804E3258 4 Bytes [AC, 0B, BC, F5]

.text ntoskrnl.exe!_allmul + 130 804E32B0 4 Bytes [60, 11, BC, F5]

.text ntoskrnl.exe!_allmul + 138 804E32B8 4 Bytes [8A, 10, BC, F5]

.text ntoskrnl.exe!_allmul + 144 804E32C4 4 Bytes [82, 07, BC, F5] {ADD BYTE [EDI], -0x44; CMC }

.text ...

PAGE ntoskrnl.exe!ObInsertObject 805645B4 5 Bytes JMP F5BCAFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!NtCreateSection 8057A251 7 Bytes JMP F5BCD9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!ZwCreateProcessEx 8058937E 7 Bytes JMP F5BCDBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!ZwLoadDriver 805A5258 7 Bytes JMP F5BCDB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!ObMakeTemporaryObject 805DFE83 5 Bytes JMP F5BC95D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

? qbrlwl.sys The system cannot find the file specified. !

.rsrc C:\WINDOWS\system32\DRIVERS\update.sys entry point in ".rsrc" section [0xF6EF0848]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1120] kernel32.dll!SetUnhandledExceptionFilter 7C80F1DA 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!LdrLoadDll 7C91FA67 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3692] USER32.dll!TrackPopupMenu 77DB442D 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[568] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00550002

IAT C:\WINDOWS\system32\services.exe[568] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00550000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a371

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a371 (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61

Disk \Device\Harddisk0\DR0 PE file @ sector 160810650

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\update.sys suspicious modification

---- EOF - GMER 1.0.15 ----

TDSSKiller

2011/06/06 19:48:00.0937 2468 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24

2011/06/06 19:48:02.0937 2468 ================================================================================

2011/06/06 19:48:02.0937 2468 SystemInfo:

2011/06/06 19:48:02.0937 2468

2011/06/06 19:48:02.0937 2468 OS Version: 5.1.2600 ServicePack: 2.0

2011/06/06 19:48:02.0937 2468 Product type: Workstation

2011/06/06 19:48:02.0937 2468 ComputerName: PC

2011/06/06 19:48:02.0937 2468 UserName: name

2011/06/06 19:48:02.0937 2468 Windows directory: C:\WINDOWS

2011/06/06 19:48:02.0937 2468 System windows directory: C:\WINDOWS

2011/06/06 19:48:02.0937 2468 Processor architecture: Intel x86

2011/06/06 19:48:02.0937 2468 Number of processors: 1

2011/06/06 19:48:02.0937 2468 Page size: 0x1000

2011/06/06 19:48:02.0937 2468 Boot type: Normal boot

2011/06/06 19:48:02.0937 2468 ================================================================================

2011/06/06 19:48:04.0078 2468 Initialize success

2011/06/06 19:48:07.0687 2692 ================================================================================

2011/06/06 19:48:07.0687 2692 Scan started

2011/06/06 19:48:07.0687 2692 Mode: Manual;

2011/06/06 19:48:07.0687 2692 ================================================================================

2011/06/06 19:48:08.0484 2692 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/06/06 19:48:08.0625 2692 ACPI (6f79047b884bdebd709070dc7eaf77b2) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/06/06 19:48:08.0718 2692 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/06/06 19:48:08.0828 2692 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

2011/06/06 19:48:09.0109 2692 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

2011/06/06 19:48:09.0203 2692 AFD (aa30115cb6c355a658e87d8c2e701e92) C:\WINDOWS\System32\drivers\afd.sys

2011/06/06 19:48:09.0296 2692 agp440 (979b6684a24200c1dc60251ba3d63274) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/06/06 19:48:09.0578 2692 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2011/06/06 19:48:09.0625 2692 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/06/06 19:48:09.0703 2692 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/06/06 19:48:09.0750 2692 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys

2011/06/06 19:48:09.0796 2692 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/06/06 19:48:09.0875 2692 AsyncMac (09097179bf93e879173bf32b88d11efe) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/06/06 19:48:09.0921 2692 atapi (bb0174d76569e10f9daf8b11a689edb3) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/06/06 19:48:10.0015 2692 Atmarpc (7dfcf78a06858400513c5b9765edeac5) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/06/06 19:48:10.0078 2692 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/06/06 19:48:10.0171 2692 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/06/06 19:48:10.0265 2692 BthEnum (c5582962047e4f8cb90c364279730ede) C:\WINDOWS\system32\DRIVERS\BthEnum.sys

2011/06/06 19:48:10.0375 2692 BTHMODEM (a72331bc59e6f3ea81c773ccb813dce1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys

2011/06/06 19:48:10.0468 2692 BthPan (59bbb389a078cd8bf3da4c5ccfaaebe6) C:\WINDOWS\system32\DRIVERS\bthpan.sys

2011/06/06 19:48:10.0578 2692 BTHPORT (e69948fdc3abdfb130bf8a72cf275d52) C:\WINDOWS\system32\Drivers\BTHport.sys

2011/06/06 19:48:10.0656 2692 BTHUSB (60b0cc3f30ed7007b10084b4211bc91c) C:\WINDOWS\system32\Drivers\BTHUSB.sys

2011/06/06 19:48:10.0718 2692 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/06/06 19:48:10.0796 2692 CCDECODE (00cadbe6aa32d5a1aab46796b1bae0e3) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/06/06 19:48:11.0000 2692 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/06/06 19:48:11.0062 2692 Cdfs (5f108e6ece7b40ba726fb5a6325d8401) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/06/06 19:48:11.0140 2692 Cdrom (946db32118107dcbba7a58cb4aa461c7) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/06/06 19:48:11.0390 2692 Disk (58a00948e04e98714bebea542c52662e) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/06/06 19:48:11.0515 2692 dmboot (428106b55b4890ce759435614af14623) C:\WINDOWS\system32\drivers\dmboot.sys

2011/06/06 19:48:11.0609 2692 dmio (4d1232b729f0d2c5e3adffce48b2c7dc) C:\WINDOWS\system32\drivers\dmio.sys

2011/06/06 19:48:11.0671 2692 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/06/06 19:48:11.0765 2692 DMusic (ddb307b05ef879a09a7f7b4dcd1689b0) C:\WINDOWS\system32\drivers\DMusic.sys

2011/06/06 19:48:11.0890 2692 drmkaud (d447f86b2bbca1a240d723048d37a562) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/06/06 19:48:12.0000 2692 Fastfat (2a25a62ea0ab22c3e800c3f58ae3d568) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/06/06 19:48:12.0093 2692 Fdc (c161114b5705bdeef439c1bd57baface) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/06/06 19:48:12.0171 2692 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/06/06 19:48:12.0250 2692 Flpydisk (7fa42f3662f1948434202f7165115666) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/06/06 19:48:12.0281 2692 FltMgr (c5163b8025d15762084f0951a8703030) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/06/06 19:48:12.0375 2692 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/06/06 19:48:12.0453 2692 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/06/06 19:48:12.0546 2692 Gpc (0272373d0c79638d0662969af8e993b8) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/06/06 19:48:12.0640 2692 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/06/06 19:48:12.0750 2692 HTTP (b4d22c830f3f556d8d8ba5734b3c7ccc) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/06/06 19:48:12.0906 2692 i8042prt (cbf7814d82f5c29c318cf5c5af0317bb) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/06/06 19:48:12.0968 2692 Imapi (a6f2db3144549cf44c7512fef197ba19) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/06/06 19:48:13.0062 2692 IntelIde (738811b9bf542e656496cc876b547d58) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/06/06 19:48:13.0109 2692 intelppm (b137ecc95ba6985e4623ab75c788aa10) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/06/06 19:48:13.0156 2692 Ip6Fw (f08bac0655f8a8bc5cf6cdde1d49ea53) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/06/06 19:48:13.0203 2692 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/06/06 19:48:13.0281 2692 IpInIp (57cfbc2183b47cdb1053bad581592903) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/06/06 19:48:13.0312 2692 IpNat (5a8dfbe386f695351aaac98d4cb4f571) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/06/06 19:48:13.0375 2692 IPSec (27560ddb341013b8dbdaa76ae4dee311) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/06/06 19:48:13.0421 2692 IRENUM (b04bf03578a11d93513b449fc4ff0061) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/06/06 19:48:13.0484 2692 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/06/06 19:48:13.0546 2692 Kbdclass (9ed28d0ee6620ab888ef4418e523dd8e) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/06/06 19:48:13.0625 2692 kbdhid (b502351faf3f86a9ac8cea6c63f16bbe) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/06/06 19:48:13.0703 2692 kmixer (34edb18605f7d54d203887ab8dba788a) C:\WINDOWS\system32\drivers\kmixer.sys

2011/06/06 19:48:13.0796 2692 KSecDD (b570867f3ebbde83ff358227213c371d) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/06/06 19:48:13.0953 2692 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys

2011/06/06 19:48:14.0046 2692 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2011/06/06 19:48:14.0140 2692 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/06/06 19:48:14.0218 2692 Modem (88eb81b076f4953e58cac14893413a66) C:\WINDOWS\system32\drivers\Modem.sys

2011/06/06 19:48:14.0296 2692 Mouclass (eaaaf3c384514e404c712da9891c4025) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/06/06 19:48:14.0390 2692 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/06/06 19:48:14.0468 2692 MountMgr (ab63daf5d1f4e0ed454f54d84317d4c6) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/06/06 19:48:14.0593 2692 MRxDAV (54f37982e066bedc6e954a4f474f94f0) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/06/06 19:48:14.0671 2692 MRxSmb (b22e97abf28b010800909aee59401d01) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/06/06 19:48:14.0765 2692 Msfs (31f85251d99f775806574e5a61fa1964) C:\WINDOWS\system32\drivers\Msfs.sys

2011/06/06 19:48:14.0859 2692 MSKSSRV (f5837426fe992303a3f483ce606683b6) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/06/06 19:48:14.0937 2692 MSPCLOCK (583a828c439bf8872a98f2c026d9e8fd) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/06/06 19:48:14.0968 2692 MSPQM (f95342f0f6286c3a06cdfcbd997910b6) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/06/06 19:48:15.0031 2692 mssmbios (2d39a5a03c6c335a11e0dffebc30e152) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/06/06 19:48:15.0078 2692 MSTEE (313e0584f24b07609eccfbdf5a420c2b) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/06/06 19:48:15.0140 2692 Mup (0b345428877ef38ef65f2158543cdfd7) C:\WINDOWS\system32\drivers\Mup.sys

2011/06/06 19:48:15.0218 2692 NABTSFEC (9d878942ff952d8cfbb378e4a1bdc08f) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/06/06 19:48:15.0296 2692 NDIS (ed66e03c42a55050f368d6bdd844f11b) C:\WINDOWS\system32\drivers\NDIS.sys

2011/06/06 19:48:15.0375 2692 NdisIP (78a1fcbf3eb7ae6705d4a36f544c6c7f) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/06/06 19:48:15.0437 2692 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/06/06 19:48:15.0484 2692 Ndisuio (cfa380942f768513aef68f2f9fe7def4) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/06/06 19:48:15.0562 2692 NdisWan (0dfe3e79d93e9fc4fd56b157b6f83dc6) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/06/06 19:48:15.0640 2692 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/06/06 19:48:15.0687 2692 NetBIOS (7595da764fc5ebac357488ac4654338e) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/06/06 19:48:15.0750 2692 NetBT (831369eb43e7b5b6d2dd42116a51e84f) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/06/06 19:48:15.0875 2692 Npfs (fbc0c781d9d2e9c1a73cfd2bb3956b07) C:\WINDOWS\system32\drivers\Npfs.sys

2011/06/06 19:48:16.0015 2692 Ntfs (b90b8a40d3453b4b818d999f043bf06c) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/06/06 19:48:16.0109 2692 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/06/06 19:48:16.0250 2692 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/06/06 19:48:16.0375 2692 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/06/06 19:48:16.0453 2692 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/06/06 19:48:16.0546 2692 Parport (ca7207c1c198079d68c6054d5342c303) C:\WINDOWS\system32\drivers\Parport.sys

2011/06/06 19:48:16.0625 2692 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/06/06 19:48:16.0750 2692 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/06/06 19:48:16.0859 2692 PCI (5d499160d82c3f4ef93a0f891ae5ae18) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/06/06 19:48:16.0968 2692 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/06/06 19:48:17.0046 2692 Pcmcia (b41cbea0a176ce492b857c4831760c30) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/06/06 19:48:17.0312 2692 PptpMiniport (66687c79495e2ec88d04cc8f1c18ca06) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/06/06 19:48:17.0390 2692 PSched (0f6548e9cfe94cf446654f8effa966bb) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/06/06 19:48:17.0437 2692 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/06/06 19:48:17.0515 2692 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/06/06 19:48:17.0718 2692 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/06/06 19:48:17.0812 2692 Rasl2tp (8d5161e7c22859a650db1c993f29fab0) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/06/06 19:48:17.0906 2692 RasPppoe (863b10aca8af2398384b710185630c82) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/06/06 19:48:17.0953 2692 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/06/06 19:48:18.0015 2692 Rdbss (ca53b8c7b42241aed1caa76e138a8c20) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/06/06 19:48:18.0093 2692 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/06/06 19:48:18.0187 2692 rdpdr (f31351f4f6c3cf748fd83ec9b7559051) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/06/06 19:48:18.0296 2692 RDPWD (5999cb7498b342b805ed66cc8dc0711f) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/06/06 19:48:18.0375 2692 redbook (b766c6f6f8b6b157de4a934bef649ec6) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/06/06 19:48:18.0484 2692 RFCOMM (bef3ef60ee9e30a80ab3f7f7f5b0a1ba) C:\WINDOWS\system32\DRIVERS\rfcomm.sys

2011/06/06 19:48:18.0593 2692 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/06/06 19:48:18.0687 2692 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/06/06 19:48:18.0796 2692 serenum (c07f7fc0c01e9acfa3c204496bedcafe) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/06/06 19:48:18.0890 2692 Serial (e74d1a19bff09674a97ebd2ebde3b210) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/06/06 19:48:18.0984 2692 Sfloppy (f8b4ac7aa063369131e91277c2409a91) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/06/06 19:48:19.0109 2692 SLIP (1db98746ddf9bac5389c942cd6219b84) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/06/06 19:48:19.0171 2692 smwdm (bf208c85119770e6a9b6577019a3d810) C:\WINDOWS\system32\drivers\smwdm.sys

2011/06/06 19:48:19.0281 2692 splitter (8fad9d66061fd481539effb69461425c) C:\WINDOWS\system32\drivers\splitter.sys

2011/06/06 19:48:19.0359 2692 sr (6b311e11eb05755f87e221d679666adc) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/06/06 19:48:19.0453 2692 Srv (596e31447c3e356efee1cb6efaf2008d) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/06/06 19:48:19.0531 2692 streamip (454ec504d7c4f5e8c7141a63417427cc) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/06/06 19:48:19.0609 2692 swenum (7fa47b5ded4f0753c8b9568f340b40f3) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/06/06 19:48:19.0687 2692 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/06/06 19:48:20.0000 2692 sysaudio (b1ad2f457275095266d9dcea3c791ec7) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/06/06 19:48:20.0109 2692 Tcpip (7cf2d4019e17a97c466fa5f68ce0f635) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/06/06 19:48:20.0187 2692 TDPIPE (2552be52c63d8ccab874b0fa8d99ac09) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/06/06 19:48:20.0281 2692 TDTCP (70cea12fc5921c2b85bf64c31a78076a) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/06/06 19:48:20.0359 2692 TermDD (32b6260a2956ea14bab8371550c9c81c) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/06/06 19:48:20.0484 2692 Udfs (4ad999ac79110f12a945d1b2926b82f9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/06/06 19:48:20.0640 2692 Update (f5943a5edb2d5d99a0b175e7b64df8bc) C:\WINDOWS\system32\DRIVERS\update.sys

2011/06/06 19:48:20.0734 2692 usbccgp (0b23a9a58fb54015398bf1dad591854e) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/06 19:48:20.0781 2692 usbehci (a789a7f4b0c4a8390a975e3e6d69ec17) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/06 19:48:20.0828 2692 usbhub (2d9cc47e8b5df2771a734f92312dcdd1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/06 19:48:20.0906 2692 USBSTOR (a2f62e27f691649cf9e6e8edb7027602) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/06 19:48:20.0984 2692 usbuhci (1d4dd03f59d95decf516bbb19b0e665e) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/06/06 19:48:21.0078 2692 VgaSave (33824497bd141f765c8bac422f81fa7a) C:\WINDOWS\System32\drivers\vga.sys

2011/06/06 19:48:21.0171 2692 VolSnap (78f72595ecaf89686406fbd99ec66798) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/06 19:48:21.0250 2692 Wanarp (7c430cb3b95e63bc44e0b4ad912b95fe) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/06 19:48:21.0343 2692 wdmaud (e574d351bf3c17c956c10aaef6f7c380) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/06 19:48:21.0500 2692 WSTCODEC (c5c4b780a41393c5f89e5be44d521af5) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/06/06 19:48:21.0609 2692 ZSMC301b (617c6711ea9049f39043cab2886418bf) C:\WINDOWS\system32\Drivers\usbVM31b.sys

2011/06/06 19:48:21.0687 2692 {95808DC4-FA4A-4c74-92FE-5B863F82066B} (8098180b3f6c430a4e60333bc036f936) C:\Program Files\CyberLink\PowerDVD\000.fcl

2011/06/06 19:48:21.0718 2692 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/06/06 19:48:21.0828 2692 ================================================================================

2011/06/06 19:48:21.0828 2692 Scan finished

2011/06/06 19:48:21.0828 2692 ================================================================================

2011/06/06 19:48:21.0843 2560 Detected object count: 0

2011/06/06 19:48:21.0843 2560 Actual detected object count: 0

So... the GMER log file completed the picture... at the moment you also have a TDL3 rootkit that has hit the file:

.rsrc C:\WINDOWS\system32\DRIVERS\update.sys entry point in ".rsrc" section [0xF6EF0848]
File C:\WINDOWS\system32\DRIVERS\update.sys suspicious modification

We must not delete it, but we need to find a clean copy and replace it. Strange... apparently they have updated the TDL3 version, because lately TDSSKiller has not been coping, and this is its second failure in this section within one week.

The battle continues:

STEP 1

1. Download ComboFix from BleepingComputer

and save it (Save button -> Save as) as ComboFix on your desktop:

[posted image]

Once the ComboFix download finishes, the program's icon should look like this:

[posted image]

2. Close all running applications, open windows and programs running in the background. Temporarily disable the real-time protection of your antivirus program and of any other security programs, if present. For this you can review the information at this link: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

3. Double-click Combofix.exe to start it. Choose YES to agree to the program's terms of use. Important: while ComboFix is running, do not move the mouse or press keys on the keyboard. Just patiently let ComboFix do its job without using the computer for anything else.

4. ComboFix will check whether the Windows Recovery Console is installed.

*If the Windows Recovery Console is installed, ComboFix will continue its work.

*If the Windows Recovery Console is not installed, you will need to choose YES to install the Windows Recovery Console [posted image]

Note: you need to be connected to the Internet so that the Windows Recovery Console can be downloaded.

After the Windows Recovery Console is installed, confirm with YES to proceed. Screenshot:

[posted image]

5. ComboFix will temporarily disconnect the Internet connection, but after the program finishes its work the connection will be restored automatically. ComboFix will scan for problems and infected files, which may take some time. Please be patient. If there is a problem with the Internet connection after ComboFix finishes, please read this: Manually restoring the Internet connection section.

Note: if you have problems with ComboFix, copy (Copy) and paste (Paste) the contents of C:\BUG.txt in your next comment.

6. When ComboFix finishes, a text document (log) will appear in Notepad:

[posted image]

Copy (Copy) and paste (Paste) the contents of the log in your next comment.

STEP 2

  • Start the file [posted image] by double-clicking it.
  • Under [posted image], enter the following text with Copy/Paste:
/md5start
update.sys
/md5stop
  • Click the button highlighted in blue: [posted image].
  • When the check finishes, a file will be created - OTL.Txt
  • Post the contents of the log file in your next comment.

Regards!

  • Author
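The two checks the helper is leaning on in this post can be reproduced offline: the GMER indicator that the entry point of update.sys sits inside its ".rsrc" section (a driver normally starts executing in a code section, so an entry point in the resource section is a sign the file was patched in place), and the MD5 of the file that the OTL /md5start ... /md5stop scan prints so it can be compared with the hash of a known-clean copy of the same version (the TDSSKiller log earlier in the thread also prints an MD5 for update.sys). The following is an added example written for this page, not code from GMER, OTL, TDSSKiller or the forum; it parses only the PE headers it needs, builds a constructed sample PE image in memory instead of reading a real driver, and the known-good hash it compares against is a placeholder the reader supplies from a trusted source.

```python
import hashlib
import struct
import sys

# Added example (not GMER/OTL code): parse just enough of a PE image to answer
# two questions the thread raises about update.sys:
#   1. what is the file's MD5 (what the OTL /md5start ... /md5stop scan prints), and
#   2. does the entry point fall inside ".rsrc" (the GMER indicator quoted above)?

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections = []
    table = opt + opt_size                                  # section table follows
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + i * 40)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        virtual_size, virtual_address = fields[1], fields[2]
        sections.append((name, virtual_address, virtual_size))
    return entry_rva, sections


def section_containing(sections, rva):
    """Name of the section whose virtual range covers rva, or None."""
    for name, vaddr, vsize in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def analyze_driver(data: bytes, reference_md5: str = None) -> dict:
    """MD5 plus the entry-point check. reference_md5 is the hash of a known-clean
    copy of the same file version (placeholder: obtain it from a trusted source)."""
    entry_rva, sections = parse_pe(data)
    md5 = hashlib.md5(data).hexdigest()
    section = section_containing(sections, entry_rva)
    return {
        "md5": md5,
        "entry_section": section,
        "entry_in_rsrc": section == ".rsrc",
        "matches_reference": None if reference_md5 is None else md5 == reference_md5.lower(),
    }


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed PE32 image for demonstration only (not a real driver): a .text
    section at RVA 0x1000 and a .rsrc section at RVA 0x2000, 0x1000 bytes each."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)

    def section(name, vaddr, vsize):
        return struct.pack(SECTION_HEADER, name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0x60000020)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", 0x1000, 0x1000) + section(b".rsrc", 0x2000, 0x1000))


if __name__ == "__main__":
    # Usage: python pe_entry_check.py <driver.sys> [known_good_md5]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        ref = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        blob, ref = build_sample_pe(0x2040), None           # entry point inside .rsrc
    print(analyze_driver(blob, ref))
```

Run without arguments it analyses the constructed image and reports the entry point in ".rsrc"; given a path and a reference hash it does the comparison the helper asked OTL to prepare. The hash match only proves the file is the known copy, so the entry-point check stays useful when no trusted reference hash for that exact build is available.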

Combofix:

ComboFix 11-06-06.01 - name 06.2011 г. 20:25:28.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.767.371 [GMT 3:00]

Running from: c:\documents and settings\name\My Documents\Downloads\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\name\Recent\cb.dll

c:\documents and settings\name\Recent\cid.exe

c:\documents and settings\name\Recent\cid.sys

c:\documents and settings\name\Recent\exec.drv

c:\documents and settings\name\Recent\exec.exe

c:\documents and settings\name\Recent\ppal.drv

c:\documents and settings\name\Recent\runddlkey.exe

c:\documents and settings\name\Recent\tempdoc.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))

.

.

2011-06-06 08:54 . 2011-06-06 08:54 -------- d-----w- C:\_OTL

2011-06-06 06:55 . 2011-06-06 06:55 -------- d-sh--w- c:\documents and settings\All Users\Application Data\PSQKGJOG

2011-05-28 14:09 . 2011-05-28 14:09 -------- d-----w- c:\documents and settings\name\Application Data\go

2011-05-28 14:09 . 2011-06-06 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Easybits GO

2011-05-20 08:21 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-05-20 08:21 . 2011-03-21 13:56 143872 ----a-w- c:\windows\system32\xvid.ax

2011-05-20 08:21 . 2011-05-20 08:21 -------- d-----w- c:\program files\Xvid

2011-05-18 07:15 . 2011-06-03 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-05-18 07:13 . 2011-05-18 07:13 -------- d-----w- c:\program files\Common Files\Skype

2011-05-16 14:06 . 2011-05-16 14:06 1090952 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 06:11 . 2010-09-01 12:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 06:11 . 2010-09-01 12:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-19 15:04 . 2010-09-01 12:22 650752 ----a-w- c:\windows\system32\xvidcore.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-04-13 . 7CF2D4019E17A97C466FA5F68CE0F635 . 359424 . . [5.1.2600.2149] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2010-04-13 . 421012E72751DC8E1E70FC2B8BC46305 . 1288192 . . [5.1.2600.2149] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2001-12-31 399736]

"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]

"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-06-10 110592]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2011-1-1 151552]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"UseDesktopIniCache"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 14:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-06-10 14:15 14336 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2007-02-07 13:21 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-16 19:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 12:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-01 12:24 98304 ----a-w- c:\windows\system32\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2007-02-07 13:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-05-26 18:50 15147400 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2001-12-31 07:12 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [01.9.2010 і. 14:42 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01.9.2010 і. 14:42 17744]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01.9.2010 і. 15:00 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [01.9.2010 і. 15:00 22712]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [01.9.2010 і. 15:00 39984]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 61672260

*NewlyCreated* - ASWMBR

*NewlyCreated* - PXTDAPOW

*Deregistered* - 61672260

*Deregistered* - aswMBR

*Deregistered* - pxtdapow

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://izarc.org/donate.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\name\Application Data\Mozilla\Firefox\Profiles\s7l8pd6b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: PandoraTV Toolbar: [email protected] - %profile%\extensions\[email protected]

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-06 20:30

Windows 5.1.2600 Service Pack 2, v.2149 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2011-06-06 20:33:06

ComboFix-quarantined-files.txt 2011-06-06 17:32

.

Pre-Run: 14 390 820 864 bytes free

Post-Run: 15 187 296 256 bytes free

.

- - End Of File - - 3D0B6547E806C1313CE47A8FC99D7535

OTL:

OTL logfile created on: 06.6.2011 г. 20:46:26 - Run 2

OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\name\Desktop

Windows XP Professional Edition Service Pack 2, v.2149 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2149)

Locale: 00000402 | Country: Bulgaria | Language: BGR | Date Format: dd.M.yyyy 'г.'

767,23 Mb Total Physical Memory | 248,48 Mb Available Physical Memory | 32,39% Memory free

1,83 Gb Paging File | 1,48 Gb Available in Paging File | 80,58% Paging File free

Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 20,51 Gb Total Space | 14,17 Gb Free Space | 69,10% Space Free | Partition Type: NTFS

Drive D: | 27,98 Gb Total Space | 12,35 Gb Free Space | 44,14% Space Free | Partition Type: NTFS

Drive E: | 28,20 Gb Total Space | 26,27 Gb Free Space | 93,15% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: name | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.06.06 11:11:13 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\name\Desktop\OTL.exe

PRC - [2011.05.29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2011.04.30 08:29:14 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010.09.07 19:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe

PRC - [2010.09.07 19:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

PRC - [2006.11.16 19:04:20 | 000,139,264 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

PRC - [2006.11.16 18:58:32 | 000,884,736 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

PRC - [2004.06.10 17:15:42 | 001,030,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2003.05.05 08:57:30 | 000,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

PRC - [2003.01.21 15:19:24 | 000,040,960 | ---- | M] (VM.) -- C:\WINDOWS\Vm_sti.exe

PRC - [2002.09.20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

========== Modules (SafeList) ==========

MOD - [2011.06.06 11:11:13 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\name\Desktop\OTL.exe

MOD - [2004.06.10 17:15:50 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2149_x-ww_a84b1f06\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2011.05.29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010.09.07 19:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)

SRV - [2010.09.07 19:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)

SRV - [2010.09.07 19:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV - [2002.09.20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - [2011.05.29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2011.05.29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010.09.07 18:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2010.09.07 18:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2010.09.07 18:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2010.09.07 18:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2010.09.07 18:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2010.09.07 18:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2006.11.02 16:51:58 | 000,013,560 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B})

DRV - [2004.08.05 18:05:02 | 000,090,532 | ---- | M] (VM) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbVM31b.sys -- (ZSMC301b)

DRV - [2004.06.10 18:49:12 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.aol.com/?src=aim&ncid=snsusaimc00000001"

FF - prefs.js..extensions.enabledItems: [email protected]:3.12.2.16749

FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.3.0.7550

FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.04.30 12:21:01 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.05.20 11:35:10 | 000,000,000 | ---D | M]

[2010.09.01 15:05:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\name\Application Data\Mozilla\Extensions

[2011.06.06 08:09:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\name\Application Data\Mozilla\Firefox\Profiles\s7l8pd6b.default\extensions

[2011.05.26 13:01:23 | 000,000,000 | ---D | M] (PandoraTV Toolbar) -- C:\Documents and Settings\name\Application Data\Mozilla\Firefox\Profiles\s7l8pd6b.default\extensions\[email protected]

[2010.09.28 14:25:12 | 000,001,490 | ---- | M] () -- C:\Documents and Settings\name\Application Data\Mozilla\Firefox\Profiles\s7l8pd6b.default\searchplugins\AOL Search.xml

[2011.06.06 08:09:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011.06.05 06:44:56 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

[2010.01.14 01:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

[2010.09.28 14:25:12 | 000,001,490 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\AOL Search.xml

O1 HOSTS File: ([2011.06.06 20:30:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

O4 - HKLM..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE (VM.)

O4 - HKLM..\Run: [bluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)

O4 - HKCU..\Run: [Xvid] C:\Program Files\Xvid\CheckUpdate.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: UseDesktopIniCache = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\WINDOWS\Coffee Bean.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Coffee Bean.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010.09.01 14:26:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.06.06 20:33:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2011.06.06 20:24:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2011.06.06 20:23:07 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2011.06.06 20:20:42 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2011.06.06 20:20:42 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2011.06.06 20:20:42 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2011.06.06 20:20:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2011.06.06 20:20:00 | 000,000,000 | ---D | C] -- C:\Qoobox

[2011.06.06 19:47:46 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\name\Desktop\TDSSKiller.exe

[2011.06.06 11:54:47 | 000,000,000 | ---D | C] -- C:\_OTL

[2011.06.06 11:52:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\name\Desktop\New Folder

[2011.06.06 11:11:08 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\name\Desktop\OTL.exe

[2011.06.06 10:51:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\name\My Documents\My Videos

[2011.06.06 09:55:55 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\PSQKGJOG

[2011.06.05 06:44:56 | 000,000,000 | ---D | C] -- C:\Config.Msi

[2011.06.04 13:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\name\Desktop\Arthur.3.The.War.of.the.Two.Worlds.2010.DVDRip.XviD-CM8

[2011.05.28 17:09:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\name\Application Data\go

[2011.05.28 17:09:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Easybits GO

[2011.05.20 11:21:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Xvid

[2011.05.20 11:21:25 | 000,000,000 | ---D | C] -- C:\Program Files\Xvid

[2011.05.18 10:15:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype Extras

[2011.05.18 10:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype

[2011.05.18 10:13:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.06.06 20:30:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2011.06.06 20:23:10 | 000,000,310 | RHS- | M] () -- C:\boot.ini

[2011.06.06 19:03:59 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\name\Desktop\MBR.dat

[2011.06.06 18:03:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011.06.06 18:03:28 | 804,573,184 | -HS- | M] () -- C:\hiberfil.sys

[2011.06.06 17:41:30 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

[2011.06.06 11:53:28 | 000,000,130 | ---- | M] () -- C:\Documents and Settings\name\Desktop\fix.bat

[2011.06.06 11:11:13 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\name\Desktop\OTL.exe

[2011.06.06 07:49:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011.06.04 14:08:16 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2011.06.04 14:04:55 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\name\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011.06.03 23:22:36 | 000,489,655 | ---- | M] () -- C:\Documents and Settings\name\My Documents\IMG_03062011_232224.png

[2011.06.03 19:16:20 | 000,068,966 | ---- | M] () -- C:\Documents and Settings\name\My Documents\71734_163586767000698_100000481273510_520013_2718188_n.jpg

[2011.06.01 10:44:50 | 000,491,479 | ---- | M] () -- C:\Documents and Settings\name\My Documents\2011-06-01_104400.png

[2011.05.29 12:32:00 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\name\Desktop\Tool.exe

[2011.05.29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2011.05.29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2011.05.28 15:04:06 | 000,392,296 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011.05.28 15:04:06 | 000,058,596 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011.05.25 10:21:51 | 000,185,949 | ---- | M] () -- C:\Documents and Settings\name\My Documents\MotorqgA(1078).jpg

[2011.05.25 07:10:16 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\name\Desktop\TDSSKiller.exe

[2011.05.17 18:43:22 | 000,066,422 | ---- | M] () -- C:\Documents and Settings\name\My Documents\45007_1177125484374_1715247879_319626_780481_n.jpg

[2011.05.17 18:22:48 | 000,021,781 | ---- | M] () -- C:\Documents and Settings\name\My Documents\hot-emo-girls-with-blonde-cute-hair.jpg

[2011.05.15 21:36:43 | 000,014,958 | ---- | M] () -- C:\Documents and Settings\name\My Documents\Ico10.jpg

[2011.05.10 19:47:05 | 000,438,250 | ---- | M] () -- C:\Documents and Settings\name\My Documents\Обичам-Карu.gif

[2011.05.07 21:50:18 | 000,046,311 | ---- | M] () -- C:\Documents and Settings\name\My Documents\;pp.jpg

[2011.05.07 21:50:16 | 000,062,584 | ---- | M] () -- C:\Documents and Settings\name\My Documents\Хаха.jpg

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.06.06 20:23:10 | 000,000,194 | ---- | C] () -- C:\Boot.bak

[2011.06.06 20:23:08 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2011.06.06 20:20:42 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2011.06.06 20:20:42 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2011.06.06 20:20:42 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2011.06.06 20:20:42 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2011.06.06 20:20:42 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2011.06.06 19:03:59 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\name\Desktop\MBR.dat

[2011.06.06 18:33:07 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\name\Desktop\Tool.exe

[2011.06.06 11:53:28 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\name\Desktop\fix.bat

[2011.06.03 23:22:34 | 000,489,655 | ---- | C] () -- C:\Documents and Settings\name\My Documents\IMG_03062011_232224.png

[2011.06.03 19:16:17 | 000,068,966 | ---- | C] () -- C:\Documents and Settings\name\My Documents\71734_163586767000698_100000481273510_520013_2718188_n.jpg

[2011.06.01 10:44:42 | 000,491,479 | ---- | C] () -- C:\Documents and Settings\name\My Documents\2011-06-01_104400.png

[2011.05.28 17:09:32 | 000,001,829 | ---- | C] () -- C:\Documents and Settings\name\Start Menu\Programs\Играене на игри (EasyBits GO).lnk

[2011.05.25 10:21:48 | 000,185,949 | ---- | C] () -- C:\Documents and Settings\name\My Documents\MotorqgA(1078).jpg

[2011.05.20 11:21:29 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2011.05.20 11:21:28 | 000,143,872 | ---- | C] () -- C:\WINDOWS\System32\xvid.ax

[2011.05.18 10:13:09 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

[2011.05.17 18:43:21 | 000,066,422 | ---- | C] () -- C:\Documents and Settings\name\My Documents\45007_1177125484374_1715247879_319626_780481_n.jpg

[2011.05.17 18:22:47 | 000,021,781 | ---- | C] () -- C:\Documents and Settings\name\My Documents\hot-emo-girls-with-blonde-cute-hair.jpg

[2011.05.15 21:36:42 | 000,014,958 | ---- | C] () -- C:\Documents and Settings\name\My Documents\Ico10.jpg

[2011.05.10 19:44:45 | 000,438,250 | ---- | C] () -- C:\Documents and Settings\name\My Documents\Обичам-Карu.gif

[2011.05.07 21:50:17 | 000,046,311 | ---- | C] () -- C:\Documents and Settings\name\My Documents\;pp.jpg

[2011.05.07 21:50:14 | 000,062,584 | ---- | C] () -- C:\Documents and Settings\name\My Documents\Хаха.jpg

[2011.01.01 20:37:45 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\newdll.dll

[2010.10.09 10:35:46 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2010.10.09 10:35:36 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\name\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010.09.01 17:38:13 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010.09.01 17:17:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010.09.01 17:14:44 | 000,197,752 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010.09.01 15:29:47 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2010.09.01 15:23:07 | 000,000,761 | ---- | C] () -- C:\WINDOWS\m3jp2k.ini

[2010.09.01 15:23:07 | 000,000,714 | ---- | C] () -- C:\WINDOWS\m3jpeg.ini

[2010.09.01 15:23:07 | 000,000,702 | ---- | C] () -- C:\WINDOWS\mmtvmj.ini

[2010.09.01 15:23:02 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll

[2010.09.01 15:23:00 | 000,152,064 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2010.09.01 15:22:58 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2010.09.01 15:10:44 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll

[2010.09.01 15:05:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010.09.01 14:29:35 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010.09.01 14:22:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2004.06.10 17:25:44 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2004.06.10 17:15:34 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll

[2004.06.01 14:40:12 | 000,006,848 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004.05.23 15:57:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

[2003.01.07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2002.10.16 09:29:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\amcap.exe

[2001.08.23 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2001.08.23 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2001.08.23 14:00:00 | 000,392,296 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2001.08.23 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2001.08.23 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2001.08.23 14:00:00 | 000,058,596 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2001.08.23 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2001.08.23 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2001.08.23 14:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2001.08.23 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Custom Scans ==========

< MD5 for: UPDATE.SYS >

[2004.06.10 15:17:20 | 000,199,040 | ---- | M] (Microsoft Corporation) MD5=F5943A5EDB2D5D99A0B175E7B64DF8BC -- C:\WINDOWS\system32\dllcache\update.sys

[2004.06.10 15:17:20 | 000,199,040 | ---- | M] (Microsoft Corporation) MD5=F5943A5EDB2D5D99A0B175E7B64DF8BC -- C:\WINDOWS\system32\drivers\update.sys

< End of report >

I have one question: what happened to my phonetic keyboard layout (excuse my language..)?


This often happens after using FlexType 2k.

I think ComboFix did not get along very well with it either.

Uninstall FlexType 2k and then install a proper phonetic layout such as this one

After that, to select it for use, see here.

So it has become clear that you have no clean copies of this file... therefore do the following:

Download this file and save it to the desktop.

Then open notepad.exe and enter the following:

@echo Unpacking files ...
@echo (This window will close when it's done)
@echo off
REM Run this from the desktop, next to the downloaded SP3 package.
REM Create the target folder and extract the SP3 package into it without prompts.
MKdir C:\SP3
windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe -x: C:\SP3 /quiet
REM The packed driver lives in i386\update.sy_; expand it to C:\SP3\update.sys,
REM the path the Recovery Console copy step below expects.
cd C:\SP3\i386
expand update.sy_ C:\SP3\update.sys
REM Remove this batch file once done.
del %0

Save the file as expand.bat and run it.

Have you not installed the Recovery Console for ComboFix either?

Then download this file and drop it onto ComboFix as shown in the picture.

[posted image]

Post the log file that will appear in your next reply.

  • Author

Good morning!

Combofix:

ComboFix 11-06-06.03 - name 06.2011 г. 8:37.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.767.323 [GMT 3:00]

Running from: c:\documents and settings\name\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\name\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))

.

.

2011-06-07 05:35 . 2011-06-07 05:35 -------- d-----w- c:\windows\LastGood

2011-06-07 05:25 . 2011-06-07 05:28 -------- d-----w- C:\SP3

2011-06-06 08:54 . 2011-06-06 08:54 -------- d-----w- C:\_OTL

2011-06-06 06:55 . 2011-06-06 06:55 -------- d-sh--w- c:\documents and settings\All Users\Application Data\PSQKGJOG

2011-05-28 14:09 . 2011-05-28 14:09 -------- d-----w- c:\documents and settings\name\Application Data\go

2011-05-28 14:09 . 2011-06-07 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Easybits GO

2011-05-20 08:21 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-05-20 08:21 . 2011-03-21 13:56 143872 ----a-w- c:\windows\system32\xvid.ax

2011-05-20 08:21 . 2011-05-20 08:21 -------- d-----w- c:\program files\Xvid

2011-05-18 07:15 . 2011-06-07 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-05-18 07:13 . 2011-05-18 07:13 -------- d-----w- c:\program files\Common Files\Skype

2011-05-16 14:06 . 2011-05-16 14:06 1090952 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 06:11 . 2010-09-01 12:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 06:11 . 2010-09-01 12:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-19 15:04 . 2010-09-01 12:22 650752 ----a-w- c:\windows\system32\xvidcore.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-04-13 . 7CF2D4019E17A97C466FA5F68CE0F635 . 359424 . . [5.1.2600.2149] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2010-04-13 . 421012E72751DC8E1E70FC2B8BC46305 . 1288192 . . [5.1.2600.2149] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-06-06_17.30.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-06 16:24 . 2009-08-06 16:24 44768 c:\windows\system32\wups2.dll

+ 2010-09-01 11:23 . 2009-08-06 16:24 53472 c:\windows\system32\wuauclt.exe

+ 2011-06-07 05:35 . 2009-08-06 16:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2010-09-01 11:23 . 2009-08-06 16:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2004-06-10 14:15 . 2009-08-06 16:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2004-06-10 14:15 . 2009-08-06 16:24 96480 c:\windows\system32\cdm.dll

+ 2011-06-07 05:35 . 2004-06-10 14:15 36864 c:\windows\LastGood\system32\wups.dll

+ 2011-06-07 05:35 . 2004-06-10 14:15 65536 c:\windows\LastGood\system32\cdm.dll

+ 2007-10-11 16:59 . 2007-10-11 16:59 6144 c:\windows\system32\Huku.dll

+ 2010-09-01 11:23 . 2009-08-06 16:24 209632 c:\windows\system32\wuweb.dll

+ 2010-09-01 11:23 . 2009-08-06 16:24 327896 c:\windows\system32\wucltui.dll

+ 2010-09-01 11:23 . 2009-08-06 16:23 575704 c:\windows\system32\wuapi.dll

+ 2010-09-01 11:23 . 2009-08-06 16:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2010-09-01 11:23 . 2009-08-06 16:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2010-09-01 11:23 . 2009-08-06 16:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2011-06-07 05:35 . 2004-06-10 14:15 119808 c:\windows\LastGood\system32\wuweb.dll

+ 2011-06-07 05:35 . 2004-06-10 14:15 103936 c:\windows\LastGood\system32\wucltui.dll

+ 2011-06-07 05:35 . 2004-06-10 14:15 111104 c:\windows\LastGood\system32\wuauclt.exe

+ 2011-06-07 05:35 . 2004-06-10 14:15 429056 c:\windows\LastGood\system32\wuapi.dll

+ 2011-06-06 18:49 . 2011-06-06 18:49 114688 c:\windows\Installer\ce996a.msi

+ 2010-09-01 11:23 . 2009-08-06 16:23 1929952 c:\windows\system32\wuaueng.dll

+ 2010-09-01 11:23 . 2009-08-06 16:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

+ 2011-06-07 05:35 . 2004-06-10 14:15 1114112 c:\windows\LastGood\system32\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2001-12-31 399736]

"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]

"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-06-10 110592]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"UseDesktopIniCache"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 14:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-06-10 14:15 14336 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2007-02-07 13:21 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-16 19:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 12:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-01 12:24 98304 ----a-w- c:\windows\system32\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2007-02-07 13:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-05-26 18:50 15147400 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2001-12-31 07:12 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [01.9.2010 г. 14:42 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01.9.2010 г. 14:42 17744]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01.9.2010 г. 15:00 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [01.9.2010 г. 15:00 22712]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [01.9.2010 г. 15:00 39984]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://izarc.org/donate.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\name\Application Data\Mozilla\Firefox\Profiles\s7l8pd6b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: PandoraTV Toolbar: [email protected] - %profile%\extensions\[email protected]

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-07 08:43

Windows 5.1.2600 Service Pack 2, v.2149 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(424)

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\system32\msi.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

.

Completion time: 2011-06-07 08:45:05

ComboFix-quarantined-files.txt 2011-06-07 05:45

ComboFix2.txt 2011-06-06 17:33

.

Pre-Run: 14 333 050 880 bytes free

Post-Run: 14 320 177 152 bytes free

.

- - End Of File - - B32A9E5BA2ED6B9F9B83B7547018978C

Interesting, again no information about the boot loader is shown.

Please download BootCheck.exe and save it to your desktop.

  • Run the BootCheck.exe file to start the check.
  • When it finishes, Notepad will open with the contents.
  • Save the file to the desktop as BootCheck.txt and copy its contents into your next reply.

  • Author

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

Excellent...

Restart the computer, watch carefully and quickly (you will have only about 3 seconds) select the option to use the Recovery Console

[posted image]

Press "R"

[posted image]

You will be prompted to choose which Windows installation to restore:

If you have only one installation, just choose "1"

[posted image]

After that the administrator password is required.

If you have not set one, just press "ENTER".

In the command prompt that appears you can now type any valid command.

Enter the following:

ren c:\windows\system32\drivers\update.sys update.old

Press Enter.

Then enter the following command:

copy c:\SP3\update.sys c:\windows\system32\drivers

(if you get the message - 1 file(s) copied - you have done it successfully).

After the commands have executed successfully, type "Exit" to restart the machine.

Boot into Normal Mode and then run a new scan with OTL this way:

  • Start the file [posted image] with a double click of the mouse.
  • Under [posted image], enter the following text with Copy/Paste:
/md5start
update.sys
/md5stop
  • Press the button highlighted in blue: [posted image].
  • When the check finishes, a file will be created - OTL.Txt
  • Post the contents of the log file in your next reply.

Regards!
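The procedure above replaces update.sys and then re-checks its MD5 with OTL. The following Python script is an added example, not code from this thread or from OTL/ComboFix, of the check behind that step: hash the live driver and its dllcache copy and compare both against a reference hash taken from installation media (here the SP3 extract). All file names, paths and file contents are constructed stand-ins for the real update.sys; only the logic is meant to carry over.

```python
import hashlib
import os
import tempfile

# Verdict codes returned by assess_driver()
CLEAN = "CLEAN"                                   # live copy matches the reference
RESTORE_FROM_DLLCACHE = "RESTORE_FROM_DLLCACHE"   # only the dllcache copy still matches
RESTORE_FROM_MEDIA = "RESTORE_FROM_MEDIA"         # neither copy matches: take the file from install media


def file_md5(path):
    """MD5 of a file as upper-case hex, the form OTL prints in its '< MD5 for: ... >' custom scans."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def assess_driver(live_path, dllcache_path, reference_md5):
    """Compare the live driver and its dllcache copy against a known-good reference hash.

    A live copy that merely matches dllcache proves nothing: if both were replaced
    they agree with each other and still differ from the reference.
    """
    live = file_md5(live_path)
    cache = file_md5(dllcache_path)
    ref = reference_md5.upper()
    if live == ref:
        verdict = CLEAN
    elif cache == ref:
        verdict = RESTORE_FROM_DLLCACHE
    else:
        verdict = RESTORE_FROM_MEDIA
    return {
        "live_md5": live,
        "dllcache_md5": cache,
        "reference_md5": ref,
        "live_matches_dllcache": live == cache,
        "verdict": verdict,
    }


def demo(workdir=None):
    """Constructed scenario: both copies tampered, then the live copy restored from the reference."""
    workdir = workdir or tempfile.mkdtemp(prefix="update_sys_check_")
    # Constructed file bodies; the real update.sys is a 199,040-byte PE driver, these are not.
    clean_body = b"MZ" + b"clean update.sys stand-in\n" * 64
    tampered_body = b"MZ" + b"tampered update.sys stand-in\n" * 64

    ref_path = os.path.join(workdir, "SP3_update.sys")        # stands in for C:\SP3\update.sys
    live_path = os.path.join(workdir, "drivers_update.sys")   # stands in for system32\drivers\update.sys
    cache_path = os.path.join(workdir, "dllcache_update.sys") # stands in for system32\dllcache\update.sys
    for path, body in ((ref_path, clean_body), (live_path, tampered_body), (cache_path, tampered_body)):
        with open(path, "wb") as fh:
            fh.write(body)

    reference_md5 = file_md5(ref_path)
    before = assess_driver(live_path, cache_path, reference_md5)

    # What the Recovery Console 'copy c:\SP3\update.sys ...' step does: overwrite the live copy.
    with open(live_path, "wb") as fh:
        fh.write(clean_body)
    after = assess_driver(live_path, cache_path, reference_md5)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before["verdict"], "live==dllcache:", before["live_matches_dllcache"])
    print("after: ", after["verdict"], "live==dllcache:", after["live_matches_dllcache"])
```

Before the replacement the two copies agree with each other but not with the reference, which is the situation the OTL output earlier in the thread showed (identical hashes in drivers\ and dllcache\) and why the file is taken from the SP3 package rather than from dllcache. Note that the procedure leaves the dllcache copy untouched; Windows File Protection restores from dllcache, so checking or replacing that copy as well is prudent. MD5 is used here only because OTL reports MD5; when matching against a current known-good database, compute SHA-256 alongside it.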

  • Author

When trying to enter the command:

ren c:\windows\system32\drivers\update.sys update.old

it prints something like: Windows can't locate the specific location or directory

When trying to enter the 2nd command it prints: Access Denied.


Sorry for the delay, but I had problems with my internet connection.

For the first command, are you sure you are entering it correctly...

ren c:\windows\system32\drivers\update.sys update.old (there is a blank - a space - between update.sys and update.old).

If that does not work, try the following way... enter the command:

cd c:\windows\system32\drivers

and press [Enter]

Then enter

ren update.sys update.vir

press [Enter]

Then try this command

copy c:\SP3\update.sys c:\windows\system32\drivers\update.sys

press [Enter]

Now enter EXIT and then create an OTL log the way described in my previous post.

  • Author

For the first command, are you sure you are entering it correctly...

ren c:\windows\system32\drivers\update.sys update.old (there is a blank - a space - between update.sys and update.old).

I am sure, it does not work.

If that does not work, try the following way... enter the command:

cd c:\windows\system32\drivers

I entered the command, pressed Enter and it worked.

Then enter

ren update.sys update.vir

press [Enter]

When trying to enter this command it gives me the same error again: Windows can't locate the specific location or directory

Then I tried to enter the last command too, and again the same error..

If I am troubling you, just leave it; I have long known that the computer's hard disk is of no use to me. I think I have cleaned the viruses and the program in question and everything is OK.


Strange... the commands work for me (I tried on a virtual machine under a Recovery Console installed by ComboFix).

Try entering this command first:

set AllowAllPaths = true

press [Enter]

set AllowWildCards = true

press [Enter]

Then try entering the ones described in my previous post.

If that does not work, download and run a scan with the new version of TDSSKiller (which was updated two days ago).

  • Author

It did not work again; here is the TDSSKiller scan:

2011/06/09 11:43:16.0859 4032 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48

2011/06/09 11:43:17.0156 4032 ================================================================================

2011/06/09 11:43:17.0156 4032 SystemInfo:

2011/06/09 11:43:17.0156 4032

2011/06/09 11:43:17.0156 4032 OS Version: 5.1.2600 ServicePack: 2.0

2011/06/09 11:43:17.0156 4032 Product type: Workstation

2011/06/09 11:43:17.0156 4032 ComputerName: PC

2011/06/09 11:43:17.0156 4032 UserName: name

2011/06/09 11:43:17.0156 4032 Windows directory: C:\WINDOWS

2011/06/09 11:43:17.0156 4032 System windows directory: C:\WINDOWS

2011/06/09 11:43:17.0156 4032 Processor architecture: Intel x86

2011/06/09 11:43:17.0156 4032 Number of processors: 1

2011/06/09 11:43:17.0156 4032 Page size: 0x1000

2011/06/09 11:43:17.0156 4032 Boot type: Normal boot

2011/06/09 11:43:17.0156 4032 ================================================================================

2011/06/09 11:43:18.0578 4032 Initialize success

I think a new problem has appeared.. When I shut down the computer from the Start menu, I wait about 10 minutes until the window with the 3 options opens; could you tell me how to fix that?

Hello,

  • Download maxlook.exe and save it to your desktop.
  • Run the file only once.
  • Restart the computer into the Recovery Console and enter the command batch look.bat

    [posted image]

  • Type EXIT and restart into Normal Mode
  • Now open Start => Run => and enter the command => maxlook -sig and press Enter
  • A text file named looklog.txt will appear on the desktop
  • Copy its contents into your next post

Also run a new scan with GMER and post the results.

Once we have cleaned out the nasties, we will fight the remaining problems.

  • Author

looklog:

Run from C:\Documents and Settings\name\Desktop\maxlook.exe on 10.06.2011 г. at  8:29:23,39

--------- maxlook unsigned files ---------

c:\windows\maxdrive\tcpip.sys:
	Verified:	Unsigned
	File date:	11:19 13.4.2010 г.
	Publisher:	Microsoft Corporation
	Description:	TCP/IP Protocol Driver
	Product:	Microsoft® Windows® Operating System
	Version:	5.1.2600.2149
	File version:	5.1.2600.2149 (xpsp_sp2_rc2.040610-1520)
c:\windows\maxdrive\usbVM31b.sys:
	Verified:	Unsigned
	File date:	18:05 05.8.2004 г.
	Publisher:	VM
	Description:	Video streaming and Capture Device Driver
	Product:	n/a
	Version:	n/a
	File version:	4.2.1010.41

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\tcpip.sys:
	Verified:	Unsigned
	File date:	11:19 13.4.2010 г.
	Publisher:	Microsoft Corporation
	Description:	TCP/IP Protocol Driver
	Product:	Microsoft® Windows® Operating System
	Version:	5.1.2600.2149
	File version:	5.1.2600.2149 (xpsp_sp2_rc2.040610-1520)
c:\windows\system32\drivers\usbVM31b.sys:
	Verified:	Unsigned
	File date:	18:05 05.8.2004 г.
	Publisher:	VM
	Description:	Video streaming and Capture Device Driver
	Product:	n/a
	Version:	n/a
	File version:	4.2.1010.41

Gmer:

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-10 09:06:45

Windows 5.1.2600 Service Pack 2, v.2149 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ExcelStor_Technology_J880 rev.PF2OA21B

Running: tool.exe; Driver: C:\DOCUME~1\name\LOCALS~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF5C07CF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF5C07BAC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF5C08160]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF5C0808A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF5C07782]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF5C07C86]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF5C076C2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF5C07726]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF5C07DA6]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF5C0822E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF5C07D66]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF5C07EE6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF5C14BAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF5C149D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF5C14B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_allmul + 98 804E3218 4 Bytes [F0, 7C, C0, F5]

.text ntoskrnl.exe!_allmul + D8 804E3258 4 Bytes [AC, 7B, C0, F5] {LODSB ; JNP 0xffffffffffffffc3; CMC }

.text ntoskrnl.exe!_allmul + 130 804E32B0 4 Bytes [60, 81, C0, F5]

.text ntoskrnl.exe!_allmul + 138 804E32B8 4 Bytes [8A, 80, C0, F5]

.text ntoskrnl.exe!_allmul + 144 804E32C4 4 Bytes [82, 77, C0, F5] {XOR BYTE [EDI-0x40], -0xb}

.text ...

PAGE ntoskrnl.exe!ObInsertObject 805645B4 5 Bytes JMP F5C11FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!NtCreateSection 8057A251 7 Bytes JMP F5C149D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!ZwCreateProcessEx 8058937E 3 Bytes JMP F5C14BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!ZwCreateProcessEx + 4 80589382 3 Bytes [75, CC, CC] {JNZ 0xffffffffffffffce; INT 3 }

PAGE ntoskrnl.exe!ZwLoadDriver 805A5258 7 Bytes JMP F5C14B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntoskrnl.exe!ObMakeTemporaryObject 805DFE83 5 Bytes JMP F5C105D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[112] USER32.dll!TrackPopupMenu 77DB442D 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1156] kernel32.dll!SetUnhandledExceptionFilter 7C80F1DA 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\Mozilla Firefox\firefox.exe[3604] ntdll.dll!LdrLoadDll 7C91FA67 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[560] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00550002

IAT C:\WINDOWS\system32\services.exe[560] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00550000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a371

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a371 (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61

Disk \Device\Harddisk0\DR0 PE file @ sector 160810650

---- EOF - GMER 1.0.15 ----
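GMER's last lines report "malicious Win32:MBRoot code @ sector 61" on Harddisk0, i.e. in the sectors between the MBR (sector 0) and the start of the first partition (on XP-era disks usually LBA 63), the unpartitioned gap that MBR rootkits of that era used to hide their code. The script below is an added example, not GMER's or ComboFix's code, of the underlying check: decode the MBR partition table of a raw disk image, then report every non-zero sector in that gap. The disk image is constructed inside the script (64 sectors, one partition at LBA 63, planted bytes at sector 61); reading a real disk would mean opening \\.\PhysicalDrive0 with administrator rights, which this script deliberately does not do.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PT_OFFSET = 446                            # partition table starts here inside the MBR
PT_ENTRY = struct.Struct("<B3xB3xII")      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partition_table(mbr):
    """Return the non-empty entries of a 512-byte MBR's partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = PT_ENTRY.unpack_from(mbr, PT_OFFSET + PT_ENTRY.size * i)
        if ptype != 0:                     # type 0 means an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sector_count": count})
    return entries


def find_hidden_sectors(image):
    """LBAs strictly between the MBR and the first partition that contain any non-zero byte."""
    parts = parse_partition_table(image[:SECTOR])
    if not parts:
        raise ValueError("partition table is empty")
    first_lba = min(p["lba_start"] for p in parts)
    found = []
    for lba in range(1, first_lba):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sector):
            found.append(lba)
    return found


def build_sample_image(hidden_lba=61, first_partition_lba=63, total_sectors=64):
    """Constructed disk image: one NTFS-type partition at first_partition_lba, optional planted bytes in the gap."""
    image = bytearray(total_sectors * SECTOR)
    image[0:3] = b"\xeb\xfe\x90"           # placeholder boot code (jmp $), not real boot code
    image[PT_OFFSET:PT_OFFSET + PT_ENTRY.size] = PT_ENTRY.pack(0x80, 0x07, first_partition_lba, 1_000_000)
    image[510:512] = MBR_SIGNATURE
    if hidden_lba is not None:
        start = hidden_lba * SECTOR
        image[start:start + 16] = b"\xe9\x00\x00" + b"\x90" * 13   # planted bytes standing in for rootkit code
    return bytes(image)


if __name__ == "__main__":
    image = build_sample_image()
    print("partitions:", parse_partition_table(image[:SECTOR]))
    print("non-zero gap sectors:", find_hidden_sectors(image))
```

A non-zero sector in the gap is a lead, not a verdict: legacy GRUB's stage 1.5, GRUB2's core.img, some OEM recovery tools and whole-disk encryption products also legitimately write there, so dump the flagged sectors and compare them with what the installed boot manager is expected to place before treating the find as the MBRoot code GMER names. The 512-byte MBR.dat on the desktop in the OTL listing earlier in the thread is a sector-0 dump of exactly the size parse_partition_table() expects.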
