Hello, Avast detected the presence of win64 sirefef E and started blocking various processes, but after a restart of the computer it stopped working. At the moment I am in safe mode with networking and have started the ESET online scanner. So far I have no result from it. Following the instructions in the forum, I am posting the logs from dds.exe:

dds.txt

Internet Explorer: 9.0.8112.16421
Run by Nikolay.Prokopieff at 10:40:07 on 2012-04-05
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.359.1033.18.5285.3806 [GMT 3:00]

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [NokiaSuite.exe] C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe -tray
uRun: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
uRun: [Google Update] "C:\Users\Nikolay.Prokopieff\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mRun: [bonus.SSR.FR10] "C:\Program Files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" /autorun
mRun: [WTClient] WTClient.exe
mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Xerox PanelMgr] C:\Windows\Xerox\PanelMgr\SSMMgr.exe /autorun
mRun: [NSU_agent] "C:\Program Files (x86)\Nokia\Nokia Software Updater\nsu3ui_agent.exe"
mRun: [uIExec] "C:\Program Files (x86)\M-Tel NETAGENT\UIExec.exe"
mRun: [ModemListener] C:\Program Files (x86)\VIVACOM 3G USB MODEM\ModemListener.exe start
mRun: [intelAgent] C:\Windows\Temp\temp68.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [GrpConv] grpconv -o
StartupFolder: C:\Users\NIKOLA~1.PRO\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SMARTS~1.LNK - C:\Program Files (x86)\charismathics\smart security interface 4.7\CSPregtool.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: SynchronousMachineGroupPolicy = dword:0
mPolicies-System: SynchronousUserGroupPolicy = dword:0
mPolicies-Windows\System: AllowBlockingAppsAtShutdown = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option.

INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option.

DPF: {500A3316-5B0E-4253-BBE5-CE3F11A1AE71} - hxxps://inetdec.nra.bg/dds/InetVAT5Frm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{3D1B970A-1BD7-4393-BF01-8DC089DF0AC4} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3D1B970A-1BD7-4393-BF01-8DC089DF0AC4}\45572726F6 : DHCPNameServer = 84.43.191.4
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [intelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [NVHotkey] rundll32.exe C:\Windows\System32\nvHotkey.dll,Start
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"
x64-Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

INFO: x64-HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option.

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Nikolay.Prokopieff\AppData\Roaming\Mozilla\Firefox\Profiles\hlxth17a.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\Nikolay.Prokopieff\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2011-11-2 28992]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-7-9 55280]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-7-4 254528]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2011-5-20 29344]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-10-19 56344]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-12-10 80384]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-12-10 181248]
R3 PTSimBus;PenTablet Bus Enumerator;C:\Windows\System32\drivers\PTSimBus.sys [2007-6-7 28672]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-7-4 250984]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\System32\drivers\teamviewervpn.sys [2011-9-13 35112]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-14 17920]
S1 nvkflt;nvkflt;C:\Windows\System32\drivers\nvkflt.sys [2011-11-2 249152]
S2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-7-4 89600]
S2 AntiVirSchedulerService;Avira Scheduler;"C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" --> C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [?]
S2 AntiVirService;Avira Realtime Protection;"C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" --> C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [?]
S2 Apache2.2;Apache2.2;C:\Users\Nikolay.Prokopieff\xampp\apache\bin\httpd.exe [2010-10-18 20549]
S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;C:\Program Files (x86)\Dell Wireless\Ath_CoexAgent.exe [2012-2-6 135168]
S2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe [2011-5-20 80032]
S2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-2-2 18656]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-3 897088]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2010-11-3 983104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-5 136176]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-4 13336]
S2 KMService;KMService;C:\Windows\System32\srvany.exe --> C:\Windows\System32\srvany.exe [?]
S2 mi-raysat_3dsmax2012_64;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 64-bit - English 64-bit;C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe [2011-2-22 86016]
S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-4 2253120]
S2 ProgDVBService;ProgDVB Scheduler Service;C:\Program Files (x86)\ProgDVB\ProgDvbService.exe [2011-12-2 59840]
S2 Sentinel64;Sentinel64;C:\Windows\System32\drivers\sentinel64.sys [2011-11-24 145448]
S2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" --> C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [?]
S2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.SYS [2011-11-5 11576]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe --> C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [?]
S2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe --> C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [?]
S2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\System32\drivers\TurboB.sys [2010-11-29 16120]
S2 UI Assistant Service;UI Assistant Service;C:\Program Files (x86)\M-Tel NETAGENT\AssistantServices.exe [2011-11-9 267088]
S2 WorkshopDBService;WorkshopDBService;C:\PROGRA~2\VIVIDW~1\WORKSH~1.EXE -zglaxservice WorkshopDBService --> C:\PROGRA~2\VIVIDW~1\WORKSH~1.EXE -zglaxservice WorkshopDBService [?]
S3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2011-5-20 36000]
S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-3 1298496]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2011-5-20 298656]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2011-5-20 201376]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2011-5-20 55456]
S3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2011-5-20 154272]
S3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2011-5-20 282272]
S3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2010-11-4 58128]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-9-8 1431888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;"C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" --> C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-5 136176]
S3 IT9135BDA;IT9135 BDA Devices;C:\Windows\System32\drivers\IT9135BDA.sys [2011-12-5 113280]
S3 massfilter;Mass Storage Filter Driver;C:\Windows\System32\drivers\massfilter.sys [2011-11-9 11776]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe --> C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2011-11-2 174184]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;C:\Windows\System32\drivers\PTSimHid.sys [2007-4-23 14336]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-26 1255736]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

=============== File Associations ===============

FileExt: .scr: AutoCADScriptFile=C:\Windows\System32\notepad.exe "%1"
FileExt: .js: jsfile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5.5\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5.5\dreamweaver.exe", "%1"

=============== Created Last 30 ================

2012-04-05 07:21:21 409600 ----a-w- C:\Program Files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\rescue2usb.exe
2012-04-05 07:21:21 28160 ----a-w- C:\Program Files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\syslinux.exe
2012-04-05 07:21:21 237849 ----a-w- C:\Program Files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\grub.exe
2012-04-05 07:18:11 -------- d-----w- C:\Users\Nikolay.Prokopieff\Pavark
2012-04-05 06:46:09 -------- d-----w- C:\Program Files (x86)\ESET
2012-04-04 20:25:21 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-04-04 20:25:21 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-04-04 19:56:56 -------- d-----w- C:\avast! sandbox
2012-04-04 19:25:29 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-04 19:24:33 819032 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-04-04 19:24:33 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-04-04 19:24:32 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-04-04 19:23:53 41184 ----a-w- C:\Windows\avastSS.scr
2012-04-04 19:23:42 -------- d-----w- C:\ProgramData\AVAST Software
2012-04-04 19:23:42 -------- d-----w- C:\Program Files\AVAST Software
2012-04-04 19:19:42 0 --sha-w- C:\Windows\System32\dds_log_ad13.cmd
2012-04-04 19:18:40 -------- d-sh--w- C:\Users\Nikolay.Prokopieff\AppData\Local\a47c758c
2012-04-01 17:44:51 -------- d-----w- C:\Users\Nikolay.Prokopieff\AppData\Roaming\TuneUp Software
2012-04-01 17:44:51 -------- d-----w- C:\ProgramData\TuneUp Software
2012-03-28 07:51:52 -------- d-----w- C:\Users\Nikolay.Prokopieff\AppData\Local\ABBYY
2012-03-18 21:59:47 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 21:59:47 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-03-16 05:55:13 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-16 05:55:12 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-16 05:55:12 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-16 05:42:30 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-03-16 05:42:30 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-03-16 05:42:29 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-16 05:42:29 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-16 05:42:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-16 05:42:27 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-16 05:42:27 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-16 05:42:27 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-16 05:42:26 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-03-16 05:42:26 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-03-16 05:41:55 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-16 05:41:55 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-16 05:41:55 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-03-16 05:41:55 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-16 05:41:54 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 13:34:30 -------- d-----w- C:\Program Files\ACR38_100_122 PCSC Driver
2012-03-14 13:33:35 -------- d-----w- C:\Program Files (x86)\charismathics
2012-03-11 16:24:08 1724416 ----a-w- C:\Windows\SysWow64\Gdiplus.dll
2012-03-11 16:24:08 118016 ----a-w- C:\Windows\System32\drivers\qcusbser.sys
2012-03-11 16:24:08 103424 ----a-w- C:\Windows\SysWow64\MyDIT_GenClassCoInst.dll
2012-03-11 16:24:08 -------- d-----w- C:\Program Files (x86)\Common Files\DeviceHelper
2012-03-11 16:24:07 -------- d-----w- C:\Program Files (x86)\VIVACOM 3G USB MODEM
2012-03-11 11:35:10 -------- d-----w- C:\Users\Nikolay.Prokopieff\AppData\Local\Adobe
2012-03-10 08:39:11 -------- d-----w- C:\Users\Nikolay.Prokopieff\AppData\Roaming\GISExplorer
2012-03-10 08:31:52 75648 ----a-w- C:\Windows\System32\drivers\aksdf.sys
2012-03-10 08:31:51 4180576 ----a-w- C:\Windows\System32\hasplms.exe
2012-03-10 08:31:51 4180576 ----a-w- C:\Windows\System32\aksllmtp.exe
2012-03-10 08:31:51 -------- d-----w- C:\Program Files (x86)\Common Files\Aladdin Shared
2012-03-10 08:31:50 131072 ----a-w- C:\Windows\System32\drivers\aksfridge.sys
2012-03-10 08:31:37 318464 ----a-w- C:\Windows\System32\drivers\hardlock.sys
2012-03-10 08:31:23 -------- dc-h--w- C:\ProgramData\{D541EC45-7962-4140-B328-5281428B5D35}
2012-03-10 08:31:16 -------- d-----w- C:\Program Files (x86)\GISExplorer
2012-03-10 08:30:45 -------- d-----w- C:\Users\Nikolay.Prokopieff\AppData\Local\PackageAware
2012-03-10 07:09:20 -------- d-----w- C:\Program Files (x86)\Franson

==================== Find3M ====================

2012-04-04 19:57:35 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-25 18:00:00 79360 ----a-w- C:\Windows\SysWow64\ff_vfw.dll

============= FINISH: 10:41:10.38 ===============

I forgot to mention that my operating system is Windows 7 Ultimate 64-bit. Thanks in advance to everyone for the help!

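The DDS listing above contains the entries a triage reader picks out first: an autostart pointing at C:\Windows\Temp\temp68.exe, a RunOnce entry launching an unqualified `grpconv -o`, and a hidden+system folder with a bare hex name (a47c758c) under AppData\Local, created minutes before the scan. The Python below is an added example, not part of this thread or of DDS/ComboFix: it parses the two DDS sections those lines come from (Pseudo HJT Run entries and "Created Last 30") and flags exactly those patterns. The line format is DDS's; the heuristics, the list of script/DLL hosts it looks through, and the sample excerpt (constructed from the lines posted above) are this example's own assumptions.

```python
"""Triage of DDS.exe autostart and "Created Last 30" lines for the ZeroAccess-style
patterns visible in the log above.  Added example, not part of the forum thread or
of DDS/ComboFix; the line format is DDS's, the heuristics are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS output posted above.
SAMPLE_DDS = r"""
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
mRun: [WTClient] WTClient.exe
mRun: [intelAgent] C:\Windows\Temp\temp68.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRunOnce: [GrpConv] grpconv -o
x64-Run: [intelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
x64-Run: [NVHotkey] rundll32.exe C:\Windows\System32\nvHotkey.dll,Start
x64-Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
2012-04-04 19:18:40 -------- d-sh--w- C:\Users\Nikolay.Prokopieff\AppData\Local\a47c758c
2012-04-01 17:44:51 -------- d-----w- C:\ProgramData\TuneUp Software
"""

# uRun / mRun / mRunOnce / x64-Run lines of the Pseudo HJT report
RUN_RE = re.compile(r"^(?P<scope>u|m|x64-)Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "Created Last 30" lines: timestamp, size or --------, 8-char attribute field, path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Script/DLL hosts whose own path says nothing; what they are handed is what matters.
HOST_BINARIES = {"rundll32.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}


@dataclass
class Finding:
    entry: str   # Run-key name, or the created path
    reason: str


def split_command(cmd: str) -> tuple[str, str]:
    """Return (first token, remainder) of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def image_of_interest(cmd: str) -> str:
    """The file that actually runs: the image itself, or for rundll32/wscript-style
    hosts the DLL/script they load (switches such as //b or -s are skipped)."""
    image, rest = split_command(cmd)
    if image.lower().rsplit("\\", 1)[-1] in HOST_BINARIES:
        while rest:
            payload, rest = split_command(rest)
            if not payload.startswith(("/", "-")):
                return payload.split(",", 1)[0]   # drop rundll32's ',EntryPoint'
    return image


def check_autostart(name: str, cmd: str) -> list[Finding]:
    image = image_of_interest(cmd)
    reasons = []
    if "\\" not in image:
        reasons.append("unqualified image, resolved through the PATH search order")
    if "\\temp\\" in image.lower():
        reasons.append("image lives in a Temp directory")
    return [Finding(name, r) for r in reasons]


def check_created(attrs: str, path: str) -> list[Finding]:
    low = path.lower()
    leaf = low.rsplit("\\", 1)[-1]
    if (attrs.startswith("d") and "h" in attrs and "s" in attrs
            and "\\appdata\\local\\" in low and re.fullmatch(r"[0-9a-f]{8}", leaf)):
        return [Finding(path, "hidden+system directory with a bare hex name under AppData\\Local")]
    return []


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            findings.extend(check_autostart(m["name"], m["cmd"]))
        elif m := CREATED_RE.match(line):
            findings.extend(check_created(m["attrs"], m["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.entry}: {f.reason}")
```

Run against the excerpt it reports intelAgent (Temp), GrpConv and WTClient (unqualified) and the a47c758c folder, and stays quiet on the quoted Program Files entries and on the rundll32/wscript lines whose payload is a fully qualified path. The output is a review list, not a verdict: WTClient.exe is flagged only because it relies on the PATH search order, which is exactly what a helper would want to confirm by hand.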

Hello,

The x64 version of the infection requires a somewhat more specific approach to the situation.

Do you have a spare USB flash drive, just in case the main tool for fighting the pest fails?

For now, try the following:

1. Download ComboFix from BleepingComputer

and save it (Save button -> Save as) as ComboFix on your desktop:


Once the ComboFix download has finished, the program's icon should look like this:


2. Close all running applications, open windows and programs running in the background. Temporarily disable the real-time protection of your antivirus program and of any other security programs, if there are any.

3. Double-click Combofix.exe to start it. Choose YES to agree to the program's terms of use. Important: while ComboFix is running, do not move the mouse or press keys on the keyboard. Just patiently let ComboFix finish its work without using the computer for anything else.

4. If you get a UAC warning, accept it.

5. ComboFix will temporarily cut the Internet connection, but once the program has finished its work the connection will be restored automatically. ComboFix will scan for problems and for infected files, which may take some time. Please be patient. If there is a problem with the Internet connection after ComboFix has finished, please read this: Manually restoring the Internet connection section.

6. When ComboFix has finished, a text document (log) will appear in Notepad:


Copy and paste the contents of the log into your next comment.

Note: if the following message appears when opening various programs after the ComboFix scan has completed - "illegal operation on a registry key that has been marked for deletion." - simply restart the computer once more and it will go away.

Do not use your computer during the scan!


Hello,

yes, I have a flash drive.

Now, briefly, what I have done so far, before reading the post.

1) ESET online found and supposedly removed several variants of sirefef - T, U, W, Z.

2) I also ran Malwarebytes. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.04.05.03

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Nikolay.Prokopieff :: PROKOPIEFF [administrator]

Protection: Disabled

5.4.2012, 12:07:40

mbam-log-2012-04-05 (12-07-40).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 233692

Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|IntelAgent (Trojan.Agent) -> Data: C:\Windows\Temp\temp68.exe -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Users\Nikolay.Prokopieff\Local Settings\Temporary Internet Files\Content.IE5\CNIQBO5N\5[1].exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.

C:\Users\Nikolay.Prokopieff\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

C:\Users\UpdatusUser\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

(end)

On the subsequent scan the log is clean.

After reading the post I ran ComboFix. Here is the log:

P: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))

.

.

2012-04-05 10:46 . 2012-04-05 10:46 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-04-05 10:46 . 2012-04-05 10:46 -------- d-----w- c:\users\NIKOLA~1~PRO\AppData\Local\temp

2012-04-05 10:46 . 2012-04-05 10:46 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-04-05 10:46 . 2012-04-05 10:46 -------- d-----w- c:\users\Ani.Prokopieva\AppData\Local\temp

2012-04-05 10:28 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-04-05 10:28 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-04-05 10:28 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-04-05 10:28 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-04-05 10:28 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-04-05 10:28 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-04-05 10:28 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr

2012-04-05 10:28 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe

2012-04-05 09:07 . 2012-04-05 09:07 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Malwarebytes

2012-04-05 09:07 . 2012-04-05 09:07 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-04-05 09:07 . 2012-04-05 09:07 -------- d-----w- c:\programdata\Malwarebytes

2012-04-05 09:07 . 2011-12-10 12:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-05 07:21 . 2010-08-19 16:22 409600 ----a-w- c:\program files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\rescue2usb.exe

2012-04-05 07:21 . 2010-04-01 08:01 28160 ----a-w- c:\program files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\syslinux.exe

2012-04-05 07:21 . 2009-10-16 13:43 237849 ----a-w- c:\program files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\grub.exe

2012-04-05 07:18 . 2012-04-05 07:18 -------- d-----w- c:\users\Nikolay.Prokopieff\Pavark

2012-04-04 20:25 . 2012-04-04 20:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-04-04 20:25 . 2012-04-04 20:26 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2012-04-04 19:56 . 2012-04-04 19:56 -------- d-----w- C:\avast! sandbox

2012-04-04 19:25 . 2012-04-04 19:57 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-04-04 19:24 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe

2012-04-04 19:23 . 2012-04-05 10:27 -------- d-----w- c:\programdata\AVAST Software

2012-04-04 19:23 . 2012-04-05 10:27 -------- d-----w- c:\program files\AVAST Software

2012-04-04 19:19 . 2012-04-04 19:54 0 --sha-w- c:\windows\system32\dds_log_ad13.cmd

2012-04-04 19:18 . 2012-04-05 09:56 -------- d-sh--w- c:\users\Nikolay.Prokopieff\AppData\Local\a47c758c

2012-04-01 17:44 . 2012-04-01 17:44 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Roaming\TuneUp Software

2012-04-01 17:44 . 2012-04-01 17:44 -------- d-----w- c:\programdata\TuneUp Software

2012-03-28 07:51 . 2012-03-28 07:51 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Local\ABBYY

2012-03-21 19:28 . 2012-03-21 19:28 -------- d-----w- c:\windows\Sun

2012-03-18 21:59 . 2012-03-18 21:59 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll

2012-03-18 21:59 . 2012-03-18 21:59 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll

2012-03-16 05:55 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-16 05:55 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-03-16 05:55 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-03-16 05:42 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll

2012-03-16 05:42 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll

2012-03-16 05:42 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll

2012-03-16 05:42 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-03-16 05:42 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys

2012-03-16 05:42 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-03-16 05:42 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-03-16 05:42 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-03-16 05:42 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl

2012-03-16 05:42 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl

2012-03-16 05:41 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll

2012-03-16 05:41 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2012-03-16 05:41 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2012-03-16 05:41 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-16 05:41 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2012-03-14 13:34 . 2012-03-14 13:34 -------- d-----w- c:\program files\ACR38_100_122 PCSC Driver

2012-03-14 13:33 . 2012-03-14 13:33 -------- d-----w- c:\program files (x86)\charismathics

2012-03-11 16:24 . 2012-03-11 16:24 -------- d-----w- c:\program files (x86)\Common Files\DeviceHelper

2012-03-11 16:24 . 2009-08-27 11:18 1724416 ----a-w- c:\windows\SysWow64\Gdiplus.dll

2012-03-11 16:24 . 2009-08-27 11:18 118016 ----a-w- c:\windows\system32\drivers\qcusbser.sys

2012-03-11 16:24 . 2009-08-27 11:18 103424 ----a-w- c:\windows\SysWow64\MyDIT_GenClassCoInst.dll

2012-03-11 16:24 . 2012-03-11 16:24 -------- d-----w- c:\program files (x86)\VIVACOM 3G USB MODEM

2012-03-11 11:35 . 2012-03-28 07:51 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Local\Adobe

2012-03-10 08:39 . 2012-03-11 11:04 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Roaming\GISExplorer

2012-03-10 08:31 . 2010-07-27 08:36 75648 ----a-w- c:\windows\system32\drivers\aksdf.sys

2012-03-10 08:31 . 2012-03-10 08:31 -------- d-----w- c:\program files (x86)\Common Files\Aladdin Shared

2012-03-10 08:31 . 2010-09-27 07:37 4180576 ----a-w- c:\windows\system32\hasplms.exe

2012-03-10 08:31 . 2010-09-27 07:37 4180576 ----a-w- c:\windows\system32\aksllmtp.exe

2012-03-10 08:31 . 2010-09-27 12:26 131072 ----a-w- c:\windows\system32\drivers\aksfridge.sys

2012-03-10 08:31 . 2009-03-13 09:55 318464 ----a-w- c:\windows\system32\drivers\hardlock.sys

2012-03-10 08:31 . 2012-03-10 08:31 -------- dc-h--w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}

2012-03-10 08:31 . 2012-03-10 08:31 -------- d-----w- c:\program files (x86)\GISExplorer

2012-03-10 08:30 . 2012-03-10 08:30 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Local\PackageAware

2012-03-10 07:09 . 2012-03-10 07:09 -------- d-----w- c:\program files (x86)\Franson

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-04 19:57 . 2011-07-05 16:43 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-01-25 18:00 . 2012-02-06 17:36 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-05_09.57.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-13 23:40 . 2009-07-14 01:14 16384 c:\windows\SysWOW64\grpconv.exe

- 2012-04-05 08:16 . 2012-04-05 09:19 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat

+ 2012-04-05 08:16 . 2012-04-05 10:03 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat

- 2011-07-09 11:35 . 2012-04-05 06:41 10035 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat

+ 2011-07-09 11:35 . 2012-04-05 10:00 10035 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat

- 2012-04-05 09:40 . 2012-04-05 09:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-04-05 10:25 . 2012-04-05 10:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-04-05 10:25 . 2012-04-05 10:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-04-05 09:40 . 2012-04-05 09:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-07-14 02:36 . 2012-04-05 10:30 660112 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2012-04-05 10:30 126792 c:\windows\system32\perfc009.dat

+ 2009-07-14 05:01 . 2012-04-05 10:00 575960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 05:01 . 2012-04-05 06:41 575960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-07-04 11:28 . 2012-04-05 10:00 12252928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-243002880-2808142859-1455790081-1000-8192.dat

- 2011-07-04 10:55 . 2012-04-05 06:41 57431620 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-243002880-2808142859-1455790081-1000-12288.dat

+ 2011-07-04 10:55 . 2012-04-05 10:00 57431620 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-243002880-2808142859-1455790081-1000-12288.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]

"NokiaSuite.exe"="c:\program files (x86)\Nokia\Nokia Suite\NokiaSuite.exe" [2011-11-01 1053056]

"PC Suite Tray"="c:\program files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-06-16 1500160]

"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2011-10-11 641400]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-07-11 74752]

"Bonus.SSR.FR10"="c:\program files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" [2011-06-08 941320]

"WTClient"="WTClient.exe" [2007-04-11 40960]

"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]

"Xerox PanelMgr"="c:\windows\Xerox\PanelMgr\SSMMgr.exe" [2008-09-11 540672]

"NSU_agent"="c:\program files (x86)\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-08-11 169264]

"UIExec"="c:\program files (x86)\M-Tel NETAGENT\UIExec.exe" [2011-06-09 152912]

"ModemListener"="c:\program files (x86)\VIVACOM 3G USB MODEM\ModemListener.exe" [2009-12-03 98304]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]

.

c:\users\Ani.Prokopieva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

.

c:\users\Nikolay.Prokopieff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

smart security registration status.lnk - c:\program files (x86)\charismathics\smart security interface 4.7\CSPregtool.exe [2008-11-14 5005312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

.

R1 aswSnx;aswSnx; [x]

R1 aswSP;aswSP; [x]

R1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]

R1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys [x]

R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-02 89600]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]

R2 Apache2.2;Apache2.2;c:\users\Nikolay.Prokopieff\xampp\apache\bin\httpd.exe [2010-10-18 20549]

R2 aswFsBlk;aswFsBlk; [x]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

R2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Dell Wireless\Ath_CoexAgent.exe [2011-02-16 135168]

R2 AtherosSvc;AtherosSvc;c:\program files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [2011-05-20 80032]

R2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]

R2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-03 897088]

R2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2010-11-03 983104]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Услуга на Google Актуализация (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-05 136176]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]

R2 mi-raysat_3dsmax2012_64;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 64-bit - English 64-bit;c:\program files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe [2011-02-22 86016]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]

R2 ProgDVBService;ProgDVB Scheduler Service;c:\program files (x86)\ProgDVB\ProgDVBService.exe [2011-12-02 59840]

R2 Sentinel64;Sentinel64;c:\windows\System32\Drivers\Sentinel64.sys [x]

R2 SentinelKeysServer;Sentinel Keys Server;c:\program files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [x]

R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-14 381248]

R2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [x]

R2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]

R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]

R2 UI Assistant Service;UI Assistant Service;c:\program files (x86)\M-Tel NETAGENT\AssistantServices.exe [2011-06-09 267088]

R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [x]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-03 1298496]

R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [x]

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [x]

R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [x]

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [x]

R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [x]

R3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-09-08 1431888]

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [x]

R3 GPU-Z;GPU-Z;c:\users\NIKOLA~1.PRO\AppData\Local\Temp\GPU-Z.sys [x]

R3 gupdatem;Услуга на Google Актуализация (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-05 136176]

R3 IT9135BDA;IT9135 BDA Devices;c:\windows\system32\Drivers\IT9135BDA.sys [x]

R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]

R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [x]

S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]

S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:57]

.

2012-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-05 18:02]

.

2012-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-05 18:02]

.

2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-243002880-2808142859-1455790081-1000Core.job

- c:\users\Nikolay.Prokopieff\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-25 16:47]

.

2012-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-243002880-2808142859-1455790081-1000UA.job

- c:\users\Nikolay.Prokopieff\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-25 16:47]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-19 168216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-19 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-19 416024]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-04-12 609144]

"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-24 525312]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]

"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2010-11-03 10228224]

"AtherosBtStack"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [2011-05-20 627360]

"AthBtTray"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [2011-05-20 379552]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\windows\System32\nvinitx.dll

.

NETSVCS REQUIRES REPAIRS - current entries shown

AeLookupSvc

CertPropSvc

SCPolicySvc

lanmanserver

gpsvc

IKEEXT

AudioSrv

FastUserSwitchingCompatibility

Ias

Irmon

Nla

Ntmssvc

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

SENS

Sharedaccess

SRService

Tapisrv

Wmi

WmdmPmSp

antivirscheduler

c34nb4c5

vc8secs

CoolerXPDriver

sshrmd

MA8032M

ELmou

elaunidr

pwkntmon

NVR0FLASHDev

ATKGFNEXSrv

mpfp

usbscan

eliservice

cvintdrv

s3ssavage

armoucfltr

dlaudfam

HssSrv

si3114r

cavasm

com4qlb

nnsvc

pae_1394

symmpi

gusvc

pcscnsrv

as32svc

PSSdk21

cpntsrv

Cam5607

filterservice

s217obex

rpsupdaterr

cwbrxd

mail2ec

Sntnlusb

puscsrvc

clnt_clientman

issvc

STV680

NPPTNT

entech

Pctspk

ati2mtaa

CTMSHD

BCM42RLY

sysenforce

starwindserviceae

sonywbms

2wirepcp

id2scaps

dtscsi

o2flash

FireTDI

rxfilter

CnxtHdAudService

msvad_simple

TermService

wuauserv

BITS

ShellHWDetection

LogonHours

PCAudit

helpsvc

uploadmgr

iphlpsvc

seclogon

AppInfo

msiscsi

MMCSS

winmgmt

SessionEnv

browser

EapHost

schedule

hkmsvc

wercplsupport

ProfSvc

Themes

BDESVC

AppMgmt

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1

DPF: {500A3316-5B0E-4253-BBE5-CE3F11A1AE71} - hxxps://inetdec.nra.bg/dds/InetVAT5Frm.cab

FF - ProfilePath - c:\users\Nikolay.Prokopieff\AppData\Roaming\Mozilla\Firefox\Profiles\hlxth17a.default\

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-04-05 13:49:34

ComboFix-quarantined-files.txt 2012-04-05 10:49

ComboFix2.txt 2012-04-05 09:59

.

Pre-Run: 1 380 098 048 bytes free

Post-Run: 1 263 067 136 bytes free

.

- - End Of File - - 6BFD86DD8AE81F1C3F928168752A358E


Hello,

STEP 1

  • Start Spybot Search & Destroy and go to Mode.
  • Tick Advanced Mode.
  • Then find the menu Settings => Resident => and untick RESIDENT "TEATIMER".
  • Close Spybot.


STEP 2

Download and install Erunt.

Leave the default settings and make a backup of the registry.

  • Open Notepad and copy/paste the following text into it:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "netsvcs"=hex(7):41,00,65,00,4c,00,6f,00,6f,00,6b,00,75,00,70,00,53,00,76,00,\
      63,00,00,00,43,00,65,00,72,00,74,00,50,00,72,00,6f,00,70,00,53,00,76,00,63,\
      00,00,00,53,00,43,00,50,00,6f,00,6c,00,69,00,63,00,79,00,53,00,76,00,63,00,\
      00,00,6c,00,61,00,6e,00,6d,00,61,00,6e,00,73,00,65,00,72,00,76,00,65,00,72,\
      00,00,00,67,00,70,00,73,00,76,00,63,00,00,00,49,00,4b,00,45,00,45,00,58,00,\
      54,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,46,00,61,\
      00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
      69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
      00,69,00,74,00,79,00,00,00,49,00,61,00,73,00,00,00,49,00,72,00,6d,00,6f,00,\
      6e,00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,\
      00,00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,\
      69,00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,\
      00,74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,\
      73,00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,\
      00,63,00,65,00,73,00,73,00,00,00,53,00,45,00,4e,00,53,00,00,00,53,00,68,00,\
      61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,53,00,52,\
      00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,54,00,61,00,70,00,69,00,\
      73,00,72,00,76,00,00,00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,\
      00,6d,00,53,00,70,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,\
      69,00,63,00,65,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,\
      00,42,00,49,00,54,00,53,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,\
      44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,4c,00,6f,00,67,\
      00,6f,00,6e,00,48,00,6f,00,75,00,72,00,73,00,00,00,50,00,43,00,41,00,75,00,\
      64,00,69,00,74,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,75,\
      00,70,00,6c,00,6f,00,61,00,64,00,6d,00,67,00,72,00,00,00,69,00,70,00,68,00,\
      6c,00,70,00,73,00,76,00,63,00,00,00,73,00,65,00,63,00,6c,00,6f,00,67,00,6f,\
      00,6e,00,00,00,41,00,70,00,70,00,49,00,6e,00,66,00,6f,00,00,00,6d,00,73,00,\
      69,00,73,00,63,00,73,00,69,00,00,00,4d,00,4d,00,43,00,53,00,53,00,00,00,77,\
      00,65,00,72,00,63,00,70,00,6c,00,73,00,75,00,70,00,70,00,6f,00,72,00,74,00,\
      00,00,45,00,61,00,70,00,48,00,6f,00,73,00,74,00,00,00,50,00,72,00,6f,00,66,\
      00,53,00,76,00,63,00,00,00,73,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,\
      00,00,68,00,6b,00,6d,00,73,00,76,00,63,00,00,00,53,00,65,00,73,00,73,00,69,\
      00,6f,00,6e,00,45,00,6e,00,76,00,00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,\
      74,00,00,00,62,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,54,00,68,00,65,\
      00,6d,00,65,00,73,00,00,00,42,00,44,00,45,00,53,00,56,00,43,00,00,00,41,00,\
      70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,00,00
  • Save the file under the name fix.reg.
  • The file should look exactly like the text above.
  • Run it and choose YES in the dialog box.

STEP 3

  • Open Notepad and copy/paste the following text into it:

    File::
    c:\windows\system32\dds_log_ad13.cmd
    Folder::
    c:\users\Nikolay.Prokopieff\AppData\Local\a47c758c
    DirLook::
    c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}
    
  • Save the file under the name CFScript and drag and drop it onto ComboFix.


  • While ComboFix is scanning, do not start any other applications, do not press any keys and do not move the mouse!
  • Post the log file that will be created after the computer restarts in your next reply.

STEP 4

In your next post I expect to see:

  • The ComboFix log file
  • I would like to look at the ESET Online Scanner log file
  • Tell me which antivirus you are using at the moment, because I see remnants of both avast and Avira, and the ComboFix log you posted was incomplete, so I could not see which entries are registered in Windows WMI.


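The fix.reg in the helper's STEP 2 rewrites the netsvcs value of the Svchost key, the list of service names that `svchost.exe -k netsvcs` will host; a name appended to that list is loaded by a trusted Windows process, which is why the helper resets it to the stock list. The script below is an added example (not code from the thread, from ComboFix or from any other tool named on the page): it parses that .reg file, decodes the hex(7) value as REG_MULTI_SZ and diffs it against a live netsvcs list so that an injected name stands out. On Windows it reads the real value through winreg; elsewhere it falls back to a constructed sample list, and the name ExampleInjectedSvc in that sample is hypothetical.

```python
"""Decode the REG_MULTI_SZ ("hex(7)") netsvcs value from the fix.reg above and
diff it against a live netsvcs list, to spot a service name injected into the
svchost group. Added example; the fallback 'live' list below is constructed."""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# fix.reg from the thread (continuation lines end in "\", as regedit exports them).
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):41,00,65,00,4c,00,6f,00,6f,00,6b,00,75,00,70,00,53,00,76,00,\
  63,00,00,00,43,00,65,00,72,00,74,00,50,00,72,00,6f,00,70,00,53,00,76,00,63,\
  00,00,00,53,00,43,00,50,00,6f,00,6c,00,69,00,63,00,79,00,53,00,76,00,63,00,\
  00,00,6c,00,61,00,6e,00,6d,00,61,00,6e,00,73,00,65,00,72,00,76,00,65,00,72,\
  00,00,00,67,00,70,00,73,00,76,00,63,00,00,00,49,00,4b,00,45,00,45,00,58,00,\
  54,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,46,00,61,\
  00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
  69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
  00,69,00,74,00,79,00,00,00,49,00,61,00,73,00,00,00,49,00,72,00,6d,00,6f,00,\
  6e,00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,\
  00,00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,\
  69,00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,\
  00,74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,\
  73,00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,\
  00,63,00,65,00,73,00,73,00,00,00,53,00,45,00,4e,00,53,00,00,00,53,00,68,00,\
  61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,53,00,52,\
  00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,54,00,61,00,70,00,69,00,\
  73,00,72,00,76,00,00,00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,\
  00,6d,00,53,00,70,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,\
  69,00,63,00,65,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,\
  00,42,00,49,00,54,00,53,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,\
  44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,4c,00,6f,00,67,\
  00,6f,00,6e,00,48,00,6f,00,75,00,72,00,73,00,00,00,50,00,43,00,41,00,75,00,\
  64,00,69,00,74,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,75,\
  00,70,00,6c,00,6f,00,61,00,64,00,6d,00,67,00,72,00,00,00,69,00,70,00,68,00,\
  6c,00,70,00,73,00,76,00,63,00,00,00,73,00,65,00,63,00,6c,00,6f,00,67,00,6f,\
  00,6e,00,00,00,41,00,70,00,70,00,49,00,6e,00,66,00,6f,00,00,00,6d,00,73,00,\
  69,00,73,00,63,00,73,00,69,00,00,00,4d,00,4d,00,43,00,53,00,53,00,00,00,77,\
  00,65,00,72,00,63,00,70,00,6c,00,73,00,75,00,70,00,70,00,6f,00,72,00,74,00,\
  00,00,45,00,61,00,70,00,48,00,6f,00,73,00,74,00,00,00,50,00,72,00,6f,00,66,\
  00,53,00,76,00,63,00,00,00,73,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,\
  00,00,68,00,6b,00,6d,00,73,00,76,00,63,00,00,00,53,00,65,00,73,00,73,00,69,\
  00,6f,00,6e,00,45,00,6e,00,76,00,00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,\
  74,00,00,00,62,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,54,00,68,00,65,\
  00,6d,00,65,00,73,00,00,00,42,00,44,00,45,00,53,00,56,00,43,00,00,00,41,00,\
  70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,00,00
'''

def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}}; joins "\\"-continued lines."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)          # glue continuation lines
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # key header
            cur = line[1:-1]
            keys.setdefault(cur, {})
        elif cur is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            m = re.match(r"(hex(?:\([0-9a-f]+\))?|dword):(.*)", data, re.I)
            kind, data = (m.group(1).lower(), m.group(2)) if m else ("string", data.strip('"'))
            keys[cur][name.strip('"')] = (kind, data)
    return keys

def decode_multi_sz(hex_csv):
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL ended."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def clean_netsvcs(reg_text=FIX_REG):
    """The netsvcs list the fix.reg restores (the stock Windows 7 group)."""
    kind, data = parse_reg(reg_text)[SVCHOST_KEY]["netsvcs"]
    if kind != "hex(7)":
        raise ValueError("netsvcs is %s, expected hex(7)" % kind)
    return decode_multi_sz(data)

def diff_netsvcs(live, clean):
    """(injected, missing): names only in the live list / only in the clean list.
    Service names are compared case-insensitively, as the service controller does."""
    l, c = {n.lower(): n for n in live}, {n.lower(): n for n in clean}
    return [l[k] for k in l if k not in c], [c[k] for k in c if k not in l]

def live_netsvcs():
    """Read the real value on Windows (no admin rights needed); None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY.split("\\", 1)[1]) as k:
        return winreg.QueryValueEx(k, "netsvcs")[0]     # list of str for REG_MULTI_SZ

# Constructed stand-in for a live value: the stock list plus one extra name of the
# kind ZeroAccess registers so that "svchost.exe -k netsvcs" hosts it (hypothetical).
SAMPLE_LIVE = clean_netsvcs() + ["ExampleInjectedSvc"]

if __name__ == "__main__":
    clean = clean_netsvcs()
    injected, missing = diff_netsvcs(live_netsvcs() or SAMPLE_LIVE, clean)
    print("%d stock names; injected: %s; missing: %s" % (len(clean), injected, missing))
```

Anything reported as injected is a service name to look up in HKLM\SYSTEM\CurrentControlSet\services before importing the fix: its ServiceDll is the file to inspect, and that key and file should be dealt with alongside the netsvcs reset, otherwise the entry is only orphaned.
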
The antivirus is avast. Avira was uninstalled, apparently not completely. I can't find an ESET log at C:\Program Files\ESET\ESET Online Scanner\log.txt. If necessary I will download and run ESET again. Here is the ComboFix log:

ComboFix 12-04-05.04 - Nikolay.Prokopieff 04.2012 г. 15:02:16.3.2 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.359.1033.18.5285.4005 [GMT 3:00]
Running from: c:\users\Nikolay.Prokopieff\Downloads\ComboFix.exe
Command switches used :: c:\users\Nikolay.Prokopieff\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\dds_log_ad13.cmd"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Nikolay.Prokopieff\AppData\Local\a47c758c
c:\users\Nikolay.Prokopieff\AppData\Local\a47c758c\@
c:\windows\system32\dds_log_ad13.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))
.
.
2012-04-05 12:06 . 2012-04-05 12:06 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-05 12:06 . 2012-04-05 12:06 -------- d-----w- c:\users\NIKOLA~1~PRO\AppData\Local\temp
2012-04-05 12:06 . 2012-04-05 12:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-05 12:06 . 2012-04-05 12:06 -------- d-----w- c:\users\Ani.Prokopieva\AppData\Local\temp
2012-04-05 11:55 . 2012-04-05 11:55 -------- d-----w- c:\program files (x86)\ERUNT
2012-04-05 11:45 . 2012-04-05 11:45 -------- d-----w- c:\program files\CCleaner
2012-04-05 10:28 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-04-05 10:28 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-04-05 10:28 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-05 10:28 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-04-05 10:28 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-04-05 10:28 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-04-05 10:28 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-04-05 10:28 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-04-05 09:07 . 2012-04-05 09:07 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Malwarebytes
2012-04-05 09:07 . 2012-04-05 09:07 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-05 09:07 . 2012-04-05 09:07 -------- d-----w- c:\programdata\Malwarebytes
2012-04-05 09:07 . 2011-12-10 12:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-05 07:21 . 2010-08-19 16:22 409600 ----a-w- c:\program files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\rescue2usb.exe
2012-04-05 07:21 . 2010-04-01 08:01 28160 ----a-w- c:\program files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\syslinux.exe
2012-04-05 07:21 . 2009-10-16 13:43 237849 ----a-w- c:\program files (x86)\Mozilla Firefox\Kaspersky Rescue2Usb\grub.exe
2012-04-05 07:18 . 2012-04-05 07:18 -------- d-----w- c:\users\Nikolay.Prokopieff\Pavark
2012-04-04 20:25 . 2012-04-05 11:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-04-04 20:25 . 2012-04-04 20:26 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-04-04 19:56 . 2012-04-04 19:56 -------- d-----w- C:\avast! sandbox
2012-04-04 19:25 . 2012-04-04 19:57 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-04 19:24 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-04-04 19:23 . 2012-04-05 10:27 -------- d-----w- c:\programdata\AVAST Software
2012-04-04 19:23 . 2012-04-05 10:27 -------- d-----w- c:\program files\AVAST Software
2012-04-01 17:44 . 2012-04-01 17:44 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Roaming\TuneUp Software
2012-04-01 17:44 . 2012-04-01 17:44 -------- d-----w- c:\programdata\TuneUp Software
2012-03-28 07:51 . 2012-03-28 07:51 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Local\ABBYY
2012-03-21 19:28 . 2012-03-21 19:28 -------- d-----w- c:\windows\Sun
2012-03-18 21:59 . 2012-03-18 21:59 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 21:59 . 2012-03-18 21:59 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-16 05:55 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-16 05:55 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-16 05:55 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-16 05:42 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-03-16 05:42 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-03-16 05:42 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-16 05:42 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-16 05:42 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-16 05:42 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-16 05:42 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-16 05:42 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-16 05:42 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-03-16 05:42 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-03-16 05:41 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-03-16 05:41 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-16 05:41 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-16 05:41 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-16 05:41 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-14 13:34 . 2012-03-14 13:34 -------- d-----w- c:\program files\ACR38_100_122 PCSC Driver
2012-03-14 13:33 . 2012-03-14 13:33 -------- d-----w- c:\program files (x86)\charismathics
2012-03-11 16:24 . 2012-03-11 16:24 -------- d-----w- c:\program files (x86)\Common Files\DeviceHelper
2012-03-11 16:24 . 2009-08-27 11:18 1724416 ----a-w- c:\windows\SysWow64\Gdiplus.dll
2012-03-11 16:24 . 2009-08-27 11:18 118016 ----a-w- c:\windows\system32\drivers\qcusbser.sys
2012-03-11 16:24 . 2009-08-27 11:18 103424 ----a-w- c:\windows\SysWow64\MyDIT_GenClassCoInst.dll
2012-03-11 16:24 . 2012-03-11 16:24 -------- d-----w- c:\program files (x86)\VIVACOM 3G USB MODEM
2012-03-11 11:35 . 2012-03-28 07:51 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Local\Adobe
2012-03-10 08:39 . 2012-03-11 11:04 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Roaming\GISExplorer
2012-03-10 08:31 . 2010-07-27 08:36 75648 ----a-w- c:\windows\system32\drivers\aksdf.sys
2012-03-10 08:31 . 2012-03-10 08:31 -------- d-----w- c:\program files (x86)\Common Files\Aladdin Shared
2012-03-10 08:31 . 2010-09-27 07:37 4180576 ----a-w- c:\windows\system32\hasplms.exe
2012-03-10 08:31 . 2010-09-27 07:37 4180576 ----a-w- c:\windows\system32\aksllmtp.exe
2012-03-10 08:31 . 2010-09-27 12:26 131072 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2012-03-10 08:31 . 2009-03-13 09:55 318464 ----a-w- c:\windows\system32\drivers\hardlock.sys
2012-03-10 08:31 . 2012-03-10 08:31 -------- dc-h--w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}
2012-03-10 08:31 . 2012-03-10 08:31 -------- d-----w- c:\program files (x86)\GISExplorer
2012-03-10 08:30 . 2012-03-10 08:30 -------- d-----w- c:\users\Nikolay.Prokopieff\AppData\Local\PackageAware
2012-03-10 07:09 . 2012-03-10 07:09 -------- d-----w- c:\program files (x86)\Franson
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:57 . 2011-07-05 16:43 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-25 18:00 . 2012-02-06 17:36 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35} ----
.
2012-03-10 08:31 . 2012-03-10 08:31 93 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\instance.dat
2012-03-10 08:31 . 2012-03-10 08:31 0 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\GISExplorerInstall.lnk
2012-03-10 08:31 . 2012-03-10 08:31 32405 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\GISExplorerInstall.par
2012-03-10 08:31 . 2012-03-10 08:31 329 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\GISExplorerInstall.dat
2012-03-10 08:31 . 2011-10-18 10:00 575060 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\mia.lib
2012-03-10 08:31 . 2011-10-18 10:00 7629013 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\GISExplorerInstall.res
2012-03-10 08:31 . 2011-10-18 10:00 434176 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\GISExplorerInstall.msi
2012-03-10 08:31 . 2011-10-18 10:00 3226516 -c--a-w- c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}\GISExplorerInstall.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-05_09.57.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-13 23:40 . 2009-07-14 01:14 16384 c:\windows\SysWOW64\grpconv.exe
- 2012-04-05 08:16 . 2012-04-05 09:19 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-04-05 08:16 . 2012-04-05 10:03 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-07-09 11:35 . 2012-04-05 06:41 10035 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
+ 2011-07-09 11:35 . 2012-04-05 10:00 10035 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
+ 2012-04-05 10:25 . 2012-04-05 10:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-05 09:40 . 2012-04-05 09:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-05 10:25 . 2012-04-05 10:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-05 09:40 . 2012-04-05 09:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-04-05 10:30 660112 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-05 10:30 126792 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-04-05 06:41 575960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-05 10:00 575960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-04-05 11:55 . 2005-10-20 09:02 163328 c:\windows\ERDNT\5.4.2012 г\ERDNT.EXE
+ 2012-04-05 11:55 . 2012-04-05 11:55 6332416 c:\windows\ERDNT\5.4.2012 г\Users\00000002\UsrClass.dat
+ 2011-07-04 11:28 . 2012-04-05 10:00 12252928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-243002880-2808142859-1455790081-1000-8192.dat
- 2011-07-04 10:55 . 2012-04-05 06:41 57431620 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-243002880-2808142859-1455790081-1000-12288.dat
+ 2011-07-04 10:55 . 2012-04-05 10:00 57431620 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-243002880-2808142859-1455790081-1000-12288.dat
+ 2012-04-05 11:55 . 2012-04-05 11:55 10399744 c:\windows\ERDNT\5.4.2012 г\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"NokiaSuite.exe"="c:\program files (x86)\Nokia\Nokia Suite\NokiaSuite.exe" [2011-11-01 1053056]
"PC Suite Tray"="c:\program files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-06-16 1500160]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2011-10-11 641400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-07-11 74752]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"Xerox PanelMgr"="c:\windows\Xerox\PanelMgr\SSMMgr.exe" [2008-09-11 540672]
"NSU_agent"="c:\program files (x86)\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-08-11 169264]
"UIExec"="c:\program files (x86)\M-Tel NETAGENT\UIExec.exe" [2011-06-09 152912]
"ModemListener"="c:\program files (x86)\VIVACOM 3G USB MODEM\ModemListener.exe" [2009-12-03 98304]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Bonus.SSR.FR10"="c:\program files (x86)\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" [2011-06-08 941320]
.
c:\users\Ani.Prokopieva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]
.
c:\users\Nikolay.Prokopieff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
smart security registration status.lnk - c:\program files (x86)\charismathics\smart security interface 4.7\CSPregtool.exe [2008-11-14 5005312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
.
R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-02 89600]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:57]
.
2012-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-05 18:02]
.
2012-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-05 18:02]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-243002880-2808142859-1455790081-1000Core.job
- c:\users\Nikolay.Prokopieff\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-25 16:47]
.
2012-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-243002880-2808142859-1455790081-1000UA.job
- c:\users\Nikolay.Prokopieff\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-25 16:47]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Nikolay.Prokopieff\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-19 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-19 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-19 416024]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-04-12 609144]
"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-24 525312]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2010-11-03 10228224]
"AtherosBtStack"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [2011-05-20 627360]
"AthBtTray"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [2011-05-20 379552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {500A3316-5B0E-4253-BBE5-CE3F11A1AE71} - hxxps://inetdec.nra.bg/dds/InetVAT5Frm.cab
FF - ProfilePath - c:\users\Nikolay.Prokopieff\AppData\Roaming\Mozilla\Firefox\Profiles\hlxth17a.default\
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-05 15:08:59
ComboFix-quarantined-files.txt 2012-04-05 12:08
ComboFix2.txt 2012-04-05 10:49
ComboFix3.txt 2012-04-05 09:59
.
Pre-Run: 1 930 870 784 bytes free
Post-Run: 1 821 401 088 bytes free
.
- - End Of File - - 84902370281C5237B65759C894BE16A2



Are you familiar with the contents of this folder:

c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35}

As far as I could tell, it is something related to InstallAware

Check the files in that folder at VirusTotal and post the links to the results for each of them.

Also check the following file - c:\windows\SysWOW64\grpconv.exe

If it has already been analysed, press reanalyse to scan it with the latest definitions.

Post its result as well.

As for Avira, there are two services left over in the registry.

Open Start => in the search box type CMD.exe.

Right-click the file and choose Run as administrator

Enter the following commands (and press Enter after each):

sc delete AntiVirSchedulerService

sc delete AntiVirService

I would also like us to do some final checks:

STEP 1

Please download the latest version of TDSSKiller from here and save it to your desktop.

  • Run TDSSKiller.exe to start the application. Then click the Change parameters button.

  • Tick Verify Driver Digital Signature and Detect TDLFS file system and press OK.

  • Press the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click Continue.

  • If malicious objects are found, the drop-down menu will offer three options.

    Make sure the selected action is Cure and click Continue > Reboot to complete the repair.

    Note: If the Cure button is not among the options, please choose the Skip button; do not choose Delete unless you are instructed to.

  • A log file will be created in the root directory of drive C:. Look for a log named "TDSSKiller.[Version]_[Date]_[Time]_log.txt" and copy its contents into your next post.

STEP 2

Please download aswMBR and save it to your desktop.

  • Double-click the aswMBR.exe file to run it.
  • Wait for it to download the avast! definitions.
  • From the drop-down menu select drive C: as shown in the picture:
  • Click the Scan button to start the check.
  • When the check finishes, press the save log button, save the contents of the log file to the desktop and post its contents in your next reply.

STEP 3

Please download Farbar Service Scanner and run it.

  • Tick all the boxes
  • Press the "Scan" button.
  • A log file named (FSS.txt) will be created in the folder you run the tool from.
  • Copy the contents of the log file into your next post.

STEP 4

Download OTL.exe and save it to the desktop.

  • Run OTL (confirm the UAC prompt if necessary).
  • Make the following settings:
  • Tick Scan All Users
  • Under the File Age menu select 90 days
  • Under the Standard Registry menu change to ALL
  • Tick LOP and Purity Check
In the Custom Scans/Fixes box, using Copy/Paste enter the following text in full (only what is inside the frame):

netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\AppData\Local\*.*
%USERPROFILE%\AppData\Roaming\*.*
%ProgramData%\*.*
%CommonProgramFiles%\*.*
%PROGRAMFILES%\*.*
%systemroot%\system32\config\systemprofile\AppData\Local\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
%windir%\temp\*.*
%windir%\system32\*.
%windir%\sysnative\*.
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\syswow64\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\syswow64\drivers\*.sys /90
%systemroot%\syswow64\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /rp /s
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_64\*.* /S /MD5
%SystemRoot%\assembly\GAC_MSIL\*.* /S /MD5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
/md5start
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
atapi.sys
iaStor.sys
serial.sys
volsnap.sys
disk.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
csc.sys
tcpip.sys
hlp.dat
/md5stop
  • Press the button highlighted in blue: Run Scan.
  • When the check finishes, two files will be created - OTL.Txt and Extras.Txt. Attach these two files to your next reply (see the Attached files option when posting).

We will continue tonight, because I am leaving for work.

Regards! ;)
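The OTL custom scan above ends with an /md5start block, and Farbar Service Scanner later reports "MD5 is legit" for the networking binaries; both work the same way, hashing a file on disk and comparing the hash with a known-good value. The Python script below is an added example, not code from this thread, from OTL or from FSS: it runs that comparison against a baseline dictionary over a throwaway directory of fake binaries. All file contents and baseline hashes are constructed for the demo, and the function names are this example's own.

```python
"""Integrity check of critical binaries against a known-good hash baseline.

Added example (not code from the forum thread, OTL or FSS). It reproduces the
idea behind OTL's /md5start block and FSS's "MD5 is legit" lines: hash each
file and compare with a trusted value. Everything below is constructed data.
"""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 of a file, read in chunks so large drivers never sit whole in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_baseline(root, baseline):
    """Compare every file in `baseline` (relative path -> expected MD5) under `root`.

    Returns {relative path: 'legit' | 'MISMATCH' | 'missing'}. A mismatch is a
    lead to investigate (a patched system file), not by itself proof of infection.
    """
    results = {}
    for rel_path, expected in baseline.items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
        elif md5_of_file(full) == expected.lower():
            results[rel_path] = "legit"
        else:
            results[rel_path] = "MISMATCH"
    return results


def build_demo_tree():
    """Create a throwaway 'system root' with three fake binaries (constructed
    content) and a baseline in which one file is altered after it was hashed."""
    root = tempfile.mkdtemp(prefix="md5_baseline_demo_")
    files = {
        os.path.join("System32", "svchost.exe"): b"MZ constructed fake svchost",
        os.path.join("System32", "drivers", "tcpip.sys"): b"MZ constructed fake tcpip",
        os.path.join("System32", "drivers", "afd.sys"): b"MZ constructed fake afd",
    }
    baseline = {}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        baseline[rel] = md5_of_file(full)
    # Simulate a patched driver: the bytes on disk change, the baseline does not.
    with open(os.path.join(root, "System32", "drivers", "afd.sys"), "ab") as f:
        f.write(b" + appended bytes")
    # A file the baseline expects but which is absent from disk (placeholder hash).
    baseline[os.path.join("System32", "dnsrslvr.dll")] = "0" * 32
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for path, verdict in check_against_baseline(demo_root, demo_baseline).items():
        print(f"{path} => MD5 is {verdict}")
```

MD5 is used only because that is what these tools print; a baseline you maintain yourself should use SHA-256, and the trusted values should come from a clean install or the vendor, since Windows Update legitimately replaces the very files being checked.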


c:\programdata\{D541EC45-7962-4140-B328-5281428B5D35} - this is related to the GIS explorer program http://www.gisexplorer.eu/

grpconv.exe - SHA256: e08991a20cd9fdc43a66db771f9161decb4355b78481eefc3d8dc3f0f4230df0 File name: grpconv.exe Detection ratio: 0 / 42 Analysis date: 2012-04-05 14:02:18 UTC ( 1 minute ago )

* CERTIFIED GOODWARE *

Submitted by GoodAware Project.

File Name: C:\Windows\System32\grpconv.exe

File Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Company: Microsoft Corporation

Description: Windows Progman Group Converter

Size: 16384 bytes

MD5: 67517491e2367098334372e0c167f515

This file is from a clean Windows 7 Home Premium installation and as such is known to be safe.

TDSSKiller.exe - found nothing. Actually it did not find anything when Avast was complaining either - just in case I downloaded it again :)

Here is the log:

17:50:13.0319 6688 TDSS rootkit removing tool 2.7.26.0 Apr 4 2012 19:52:02

17:50:13.0516 6688 ============================================================

17:50:13.0516 6688 Current date / time: 2012/04/05 17:50:13.0516

17:50:13.0516 6688 SystemInfo:

17:50:13.0516 6688

17:50:13.0516 6688 OS Version: 6.1.7601 ServicePack: 1.0

17:50:13.0516 6688 Product type: Workstation

17:50:13.0516 6688 ComputerName: PROKOPIEFF

17:50:13.0516 6688 UserName: Nikolay.Prokopieff

17:50:13.0516 6688 Windows directory: C:\Windows

17:50:13.0516 6688 System windows directory: C:\Windows

17:50:13.0516 6688 Running under WOW64

17:50:13.0516 6688 Processor architecture: Intel x64

17:50:13.0516 6688 Number of processors: 2

17:50:13.0516 6688 Page size: 0x1000

17:50:13.0516 6688 Boot type: Normal boot

17:50:13.0516 6688 ============================================================

17:50:14.0065 6688 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

17:50:14.0070 6688 \Device\Harddisk0\DR0:

17:50:14.0070 6688 MBR used

17:50:14.0070 6688 Initialize success

17:50:14.0070 6688 ============================================================

17:50:24.0328 4388 ============================================================

17:50:24.0328 4388 Scan started

17:50:24.0328 4388 Mode: Manual; SigCheck; TDLFS;

17:50:24.0328 4388 ============================================================

17:50:24.0419 4388 1394ohci - ok

17:50:24.0448 4388 ACPI - ok

17:50:24.0452 4388 AcpiPmi - ok

17:50:24.0474 4388 AdobeARMservice - ok

17:50:24.0478 4388 adp94xx - ok

17:50:24.0481 4388 adpahci - ok

17:50:24.0485 4388 adpu320 - ok

17:50:24.0495 4388 AeLookupSvc - ok

17:50:24.0499 4388 AESTFilters - ok

17:50:24.0514 4388 AFD - ok

17:50:24.0517 4388 agp440 - ok

17:50:24.0533 4388 aliide - ok

17:50:24.0537 4388 amdide - ok

17:50:24.0541 4388 AmdK8 - ok

17:50:24.0544 4388 AmdPPM - ok

17:50:24.0547 4388 amdsata - ok

17:50:24.0551 4388 amdsbs - ok

17:50:24.0554 4388 amdxata - ok

17:50:24.0566 4388 Apache2.2 - ok

17:50:24.0578 4388 ApfiltrService - ok

17:50:24.0582 4388 AppID - ok

17:50:24.0591 4388 AppIDSvc - ok

17:50:24.0596 4388 Appinfo - ok

17:50:24.0612 4388 AppMgmt - ok

17:50:24.0617 4388 arc - ok

17:50:24.0622 4388 arcsas - ok

17:50:24.0631 4388 aspnet_state - ok

17:50:24.0637 4388 aswFsBlk - ok

17:50:24.0663 4388 aswMonFlt - ok

17:50:24.0674 4388 aswRdr - ok

17:50:24.0680 4388 aswSnx - ok

17:50:24.0684 4388 aswSP - ok

17:50:24.0688 4388 aswTdi - ok

17:50:24.0691 4388 AsyncMac - ok

17:50:24.0695 4388 atapi - ok

17:50:24.0698 4388 AthBTPort - ok

17:50:24.0704 4388 Atheros Bt&Wlan Coex Agent - ok

17:50:24.0707 4388 AtherosSvc - ok

17:50:24.0732 4388 athr - ok

17:50:24.0735 4388 AudioEndpointBuilder - ok

17:50:24.0739 4388 AudioSrv - ok

17:50:24.0752 4388 Autodata Limited License Service - ok

17:50:24.0766 4388 Autodesk Content Service - ok

17:50:24.0770 4388 avast! Antivirus - ok

17:50:24.0776 4388 avgntflt - ok

17:50:24.0806 4388 avipbb - ok

17:50:24.0820 4388 avkmgr - ok

17:50:24.0828 4388 AxInstSV - ok

17:50:24.0831 4388 b06bdrv - ok

17:50:24.0835 4388 b57nd60a - ok

17:50:24.0840 4388 BDESVC - ok

17:50:24.0853 4388 Beep - ok

17:50:24.0856 4388 BFE - ok

17:50:24.0860 4388 BITS - ok

17:50:24.0869 4388 blbdrive - ok

17:50:24.0878 4388 Bluetooth Device Monitor - ok

17:50:24.0890 4388 Bluetooth Media Service - ok

17:50:24.0893 4388 Bluetooth OBEX Service - ok

17:50:24.0910 4388 bowser - ok

17:50:24.0913 4388 BrFiltLo - ok

17:50:24.0917 4388 BrFiltUp - ok

17:50:24.0925 4388 BridgeMP - ok

17:50:24.0929 4388 Browser - ok

17:50:24.0932 4388 Brserid - ok

17:50:24.0936 4388 BrSerWdm - ok

17:50:24.0939 4388 BrUsbMdm - ok

17:50:24.0943 4388 BrUsbSer - ok

17:50:24.0960 4388 BTATH_A2DP - ok

17:50:24.0964 4388 BTATH_BUS - ok

17:50:24.0971 4388 BTATH_HCRP - ok

17:50:24.0974 4388 BTATH_LWFLT - ok

17:50:24.0982 4388 BTATH_RCP - ok

17:50:24.0995 4388 BtFilter - ok

17:50:25.0012 4388 BthEnum - ok

17:50:25.0015 4388 BTHMODEM - ok

17:50:25.0019 4388 BthPan - ok

17:50:25.0022 4388 BTHPORT - ok

17:50:25.0026 4388 bthserv - ok

17:50:25.0040 4388 BTHUSB - ok

17:50:25.0043 4388 btmaux - ok

17:50:25.0065 4388 catchme - ok

17:50:25.0069 4388 cdfs - ok

17:50:25.0073 4388 cdrom - ok

17:50:25.0077 4388 CertPropSvc - ok

17:50:25.0079 4388 circlass - ok

17:50:25.0085 4388 CLFS - ok

17:50:25.0092 4388 clr_optimization_v2.0.50727_32 - ok

17:50:25.0098 4388 clr_optimization_v2.0.50727_64 - ok

17:50:25.0107 4388 clr_optimization_v4.0.30319_32 - ok

17:50:25.0111 4388 clr_optimization_v4.0.30319_64 - ok

17:50:25.0114 4388 CmBatt - ok

17:50:25.0118 4388 cmdide - ok

17:50:25.0125 4388 CNG - ok

17:50:25.0138 4388 Compbatt - ok

17:50:25.0143 4388 CompositeBus - ok

17:50:25.0146 4388 COMSysApp - ok

17:50:25.0152 4388 crcdisk - ok

17:50:25.0157 4388 Crypkey License - ok

17:50:25.0162 4388 CryptSvc - ok

17:50:25.0177 4388 CSC - ok

17:50:25.0181 4388 CscService - ok

17:50:25.0187 4388 DcomLaunch - ok

17:50:25.0190 4388 defragsvc - ok

17:50:25.0197 4388 DfsC - ok

17:50:25.0210 4388 DgiVecp - ok

17:50:25.0214 4388 Dhcp - ok

17:50:25.0217 4388 discache - ok

17:50:25.0221 4388 Disk - ok

17:50:25.0225 4388 dmvsc - ok

17:50:25.0231 4388 Dnscache - ok

17:50:25.0235 4388 dot3svc - ok

17:50:25.0239 4388 DPS - ok

17:50:25.0242 4388 drmkaud - ok

17:50:25.0248 4388 dtsoftbus01 - ok

17:50:25.0253 4388 DXGKrnl - ok

17:50:25.0256 4388 EapHost - ok

17:50:25.0260 4388 ebdrv - ok

17:50:25.0263 4388 EFS - ok

17:50:25.0267 4388 ehRecvr - ok

17:50:25.0271 4388 ehSched - ok

17:50:25.0274 4388 elxstor - ok

17:50:25.0278 4388 ErrDev - ok

17:50:25.0313 4388 EventSystem - ok

17:50:25.0316 4388 exfat - ok

17:50:25.0324 4388 fastfat - ok

17:50:25.0327 4388 fdc - ok

17:50:25.0330 4388 fdPHost - ok

17:50:25.0333 4388 FDResPub - ok

17:50:25.0337 4388 FileInfo - ok

17:50:25.0341 4388 Filetrace - ok

17:50:25.0356 4388 FileZilla Server - ok

17:50:25.0362 4388 FLEXnet Licensing Service 64 - ok

17:50:25.0366 4388 flpydisk - ok

17:50:25.0370 4388 FltMgr - ok

17:50:25.0373 4388 FontCache - ok

17:50:25.0377 4388 FontCache3.0.0.0 - ok

17:50:25.0380 4388 FsDepends - ok

17:50:25.0384 4388 Fs_Rec - ok

17:50:25.0388 4388 fvevol - ok

17:50:25.0391 4388 gagp30kx - ok

17:50:25.0395 4388 gpsvc - ok

17:50:25.0398 4388 GPU-Z - ok

17:50:25.0405 4388 gupdate - ok

17:50:25.0408 4388 gupdatem - ok

17:50:25.0411 4388 hcw85cir - ok

17:50:25.0415 4388 HdAudAddService - ok

17:50:25.0433 4388 HDAudBus - ok

17:50:25.0437 4388 HidBatt - ok

17:50:25.0440 4388 HidBth - ok

17:50:25.0444 4388 HidIr - ok

17:50:25.0447 4388 hidserv - ok

17:50:25.0451 4388 HidUsb - ok

17:50:25.0455 4388 hkmsvc - ok

17:50:25.0459 4388 HomeGroupListener - ok

17:50:25.0462 4388 HomeGroupProvider - ok

17:50:25.0466 4388 HpSAMD - ok

17:50:25.0479 4388 HTTP - ok

17:50:25.0482 4388 hwpolicy - ok

17:50:25.0486 4388 i8042prt - ok

17:50:25.0492 4388 iaStor - ok

17:50:25.0498 4388 IAStorDataMgrSvc - ok

17:50:25.0502 4388 iaStorV - ok

17:50:25.0506 4388 idsvc - ok

17:50:25.0509 4388 igfx - ok

17:50:25.0513 4388 iirsp - ok

17:50:25.0517 4388 IKEEXT - ok

17:50:25.0523 4388 intelide - ok

17:50:25.0527 4388 intelppm - ok

17:50:25.0530 4388 IPBusEnum - ok

17:50:25.0534 4388 IpFilterDriver - ok

17:50:25.0538 4388 iphlpsvc - ok

17:50:25.0557 4388 IPMIDRV - ok

17:50:25.0561 4388 IPNAT - ok

17:50:25.0564 4388 IRENUM - ok

17:50:25.0568 4388 isapnp - ok

17:50:25.0572 4388 iScsiPrt - ok

17:50:25.0581 4388 IT9135BDA - ok

17:50:25.0588 4388 kbdclass - ok

17:50:25.0592 4388 kbdhid - ok

17:50:25.0595 4388 KeyIso - ok

17:50:25.0599 4388 KMService - ok

17:50:25.0608 4388 KSecDD - ok

17:50:25.0612 4388 KSecPkg - ok

17:50:25.0615 4388 ksthunk - ok

17:50:25.0623 4388 KtmRm - ok

17:50:25.0635 4388 LanmanServer - ok

17:50:25.0639 4388 LanmanWorkstation - ok

17:50:25.0648 4388 lltdio - ok

17:50:25.0656 4388 lltdsvc - ok

17:50:25.0660 4388 lmhosts - ok

17:50:25.0666 4388 LSI_FC - ok

17:50:25.0670 4388 LSI_SAS - ok

17:50:25.0674 4388 LSI_SAS2 - ok

17:50:25.0677 4388 LSI_SCSI - ok

17:50:25.0681 4388 luafv - ok

17:50:25.0699 4388 massfilter - ok

17:50:25.0712 4388 MBAMProtector - ok

17:50:25.0716 4388 MBAMService - ok

17:50:25.0720 4388 Mcx2Svc - ok

17:50:25.0724 4388 megasas - ok

17:50:25.0727 4388 MegaSR - ok

17:50:25.0731 4388 MEIx64 - ok

17:50:25.0735 4388 mi-raysat_3dsmax2012_64 - ok

17:50:25.0744 4388 Microsoft SharePoint Workspace Audit Service - ok

17:50:25.0748 4388 MMCSS - ok

17:50:25.0753 4388 Modem - ok

17:50:25.0756 4388 monitor - ok

17:50:25.0760 4388 mouclass - ok

17:50:25.0763 4388 mouhid - ok

17:50:25.0767 4388 mountmgr - ok

17:50:25.0771 4388 mpio - ok

17:50:25.0775 4388 mpsdrv - ok

17:50:25.0778 4388 MpsSvc - ok

17:50:25.0782 4388 MRxDAV - ok

17:50:25.0787 4388 mrxsmb - ok

17:50:25.0790 4388 mrxsmb10 - ok

17:50:25.0794 4388 mrxsmb20 - ok

17:50:25.0797 4388 msahci - ok

17:50:25.0801 4388 msdsm - ok

17:50:25.0806 4388 MSDTC - ok

17:50:25.0826 4388 Msfs - ok

17:50:25.0830 4388 mshidkmdf - ok

17:50:25.0834 4388 msisadrv - ok

17:50:25.0838 4388 MSiSCSI - ok

17:50:25.0842 4388 msiserver - ok

17:50:25.0845 4388 MSKSSRV - ok

17:50:25.0849 4388 MSPCLOCK - ok

17:50:25.0853 4388 MSPQM - ok

17:50:25.0857 4388 MsRPC - ok

17:50:25.0863 4388 mssmbios - ok

17:50:25.0867 4388 MSTEE - ok

17:50:25.0871 4388 MTConfig - ok

17:50:25.0874 4388 Mup - ok

17:50:25.0884 4388 mysql - ok

17:50:25.0889 4388 napagent - ok

17:50:25.0892 4388 NativeWifiP - ok

17:50:25.0896 4388 NDIS - ok

17:50:25.0899 4388 NdisCap - ok

17:50:25.0904 4388 NdisTapi - ok

17:50:25.0907 4388 Ndisuio - ok

17:50:25.0911 4388 NdisWan - ok

17:50:25.0915 4388 NDProxy - ok

17:50:25.0918 4388 NetBIOS - ok

17:50:25.0926 4388 NetBT - ok

17:50:25.0929 4388 Netlogon - ok

17:50:25.0933 4388 Netman - ok

17:50:25.0941 4388 NetMsmqActivator - ok

17:50:25.0950 4388 NetPipeActivator - ok

17:50:25.0955 4388 netprofm - ok

17:50:25.0959 4388 NetTcpActivator - ok

17:50:25.0962 4388 NetTcpPortSharing - ok

17:50:25.0966 4388 NetworkX - ok

17:50:25.0975 4388 nfrd960 - ok

17:50:25.0979 4388 NlaSvc - ok

17:50:25.0983 4388 nmwcd - ok

17:50:25.0987 4388 nmwcdc - ok

17:50:25.0991 4388 Npfs - ok

17:50:25.0994 4388 nsi - ok

17:50:25.0998 4388 nsiproxy - ok

17:50:26.0004 4388 Ntfs - ok

17:50:26.0007 4388 Null - ok

17:50:26.0011 4388 nusb3hub - ok

17:50:26.0014 4388 nusb3xhc - ok

17:50:26.0019 4388 NVHDA - ok

17:50:26.0022 4388 nvkflt - ok

17:50:26.0033 4388 nvlddmkm - ok

17:50:26.0038 4388 nvpciflt - ok

17:50:26.0041 4388 nvraid - ok

17:50:26.0045 4388 nvstor - ok

17:50:26.0049 4388 NVSvc - ok

17:50:26.0061 4388 nvUpdatusService - ok

17:50:26.0064 4388 nv_agp - ok

17:50:26.0068 4388 ohci1394 - ok

17:50:26.0072 4388 ose - ok

17:50:26.0076 4388 osppsvc - ok

17:50:26.0086 4388 p2pimsvc - ok

17:50:26.0090 4388 p2psvc - ok

17:50:26.0093 4388 Parport - ok

17:50:26.0097 4388 partmgr - ok

17:50:26.0101 4388 PcaSvc - ok

17:50:26.0105 4388 pccsmcfd - ok

17:50:26.0109 4388 pci - ok

17:50:26.0113 4388 pciide - ok

17:50:26.0116 4388 pcmcia - ok

17:50:26.0120 4388 pcw - ok

17:50:26.0124 4388 PEAUTH - ok

17:50:26.0132 4388 PeerDistSvc - ok

17:50:26.0141 4388 PerfHost - ok

17:50:26.0151 4388 pla - ok

17:50:26.0155 4388 PlugPlay - ok

17:50:26.0160 4388 PNRPAutoReg - ok

17:50:26.0164 4388 PNRPsvc - ok

17:50:26.0169 4388 PolicyAgent - ok

17:50:26.0175 4388 Power - ok

17:50:26.0179 4388 PptpMiniport - ok

17:50:26.0183 4388 Processor - ok

17:50:26.0187 4388 ProfSvc - ok

17:50:26.0203 4388 ProgDVBService - ok

17:50:26.0206 4388 ProtectedStorage - ok

17:50:26.0222 4388 Psched - ok

17:50:26.0234 4388 PTSimBus - ok

17:50:26.0238 4388 PTSimHid - ok

17:50:26.0253 4388 PxHlpa64 - ok

17:50:26.0256 4388 ql2300 - ok

17:50:26.0269 4388 ql40xx - ok

17:50:26.0272 4388 QWAVE - ok

17:50:26.0276 4388 QWAVEdrv - ok

17:50:26.0291 4388 RasAcd - ok

17:50:26.0294 4388 RasAgileVpn - ok

17:50:26.0298 4388 RasAuto - ok

17:50:26.0302 4388 Rasl2tp - ok

17:50:26.0306 4388 RasMan - ok

17:50:26.0310 4388 RasPppoe - ok

17:50:26.0313 4388 RasSstp - ok

17:50:26.0317 4388 rdbss - ok

17:50:26.0322 4388 rdpbus - ok

17:50:26.0325 4388 RDPCDD - ok

17:50:26.0331 4388 RDPDR - ok

17:50:26.0335 4388 RDPENCDD - ok

17:50:26.0342 4388 RDPREFMP - ok

17:50:26.0348 4388 RdpVideoMiniport - ok

17:50:26.0352 4388 RDPWD - ok

17:50:26.0356 4388 rdyboost - ok

17:50:26.0359 4388 RemoteAccess - ok

17:50:26.0363 4388 RemoteRegistry - ok

17:50:26.0383 4388 RFCOMM - ok

17:50:26.0397 4388 RpcEptMapper - ok

17:50:26.0400 4388 RpcLocator - ok

17:50:26.0405 4388 RpcSs - ok

17:50:26.0408 4388 rspndr - ok

17:50:26.0412 4388 RSUSBSTOR - ok

17:50:26.0423 4388 RTL8167 - ok

17:50:26.0427 4388 s3cap - ok

17:50:26.0431 4388 SamSs - ok

17:50:26.0434 4388 sbp2port - ok

17:50:26.0439 4388 SCardSvr - ok

17:50:26.0443 4388 scfilter - ok

17:50:26.0446 4388 Schedule - ok

17:50:26.0450 4388 SCPolicySvc - ok

17:50:26.0454 4388 SDRSVC - ok

17:50:26.0458 4388 secdrv - ok

17:50:26.0462 4388 seclogon - ok

17:50:26.0466 4388 SENS - ok

17:50:26.0472 4388 SensrSvc - ok

17:50:26.0493 4388 Sentinel64 - ok

17:50:26.0497 4388 Serenum - ok

17:50:26.0500 4388 Serial - ok

17:50:26.0505 4388 sermouse - ok

17:50:26.0529 4388 ServiceLayer - ok

17:50:26.0539 4388 SessionEnv - ok

17:50:26.0544 4388 sffdisk - ok

17:50:26.0547 4388 sffp_mmc - ok

17:50:26.0551 4388 sffp_sd - ok

17:50:26.0555 4388 sfloppy - ok

17:50:26.0562 4388 SharedAccess - ok

17:50:26.0584 4388 ShellHWDetection - ok

17:50:26.0588 4388 SiSRaid2 - ok

17:50:26.0592 4388 SiSRaid4 - ok

17:50:26.0596 4388 Smb - ok

17:50:26.0606 4388 SNMPTRAP - ok

17:50:26.0610 4388 spldr - ok

17:50:26.0615 4388 Spooler - ok

17:50:26.0620 4388 sppsvc - ok

17:50:26.0624 4388 sppuinotify - ok

17:50:26.0635 4388 srv - ok

17:50:26.0640 4388 srv2 - ok

17:50:26.0644 4388 srvnet - ok

17:50:26.0648 4388 SSDPSRV - ok

17:50:26.0652 4388 SSPORT - ok

17:50:26.0659 4388 SstpSvc - ok

17:50:26.0664 4388 STacSV - ok

17:50:26.0671 4388 Stereo Service - ok

17:50:26.0675 4388 stexstor - ok

17:50:26.0679 4388 STHDA - ok

17:50:26.0683 4388 stisvc - ok

17:50:26.0687 4388 storflt - ok

17:50:26.0695 4388 storvsc - ok

17:50:26.0699 4388 swenum - ok

17:50:26.0715 4388 SwitchBoard - ok

17:50:26.0719 4388 swprv - ok

17:50:26.0735 4388 Synth3dVsc - ok

17:50:26.0740 4388 SysMain - ok

17:50:26.0755 4388 Tablet2k - ok

17:50:26.0759 4388 TabletInputService - ok

17:50:26.0763 4388 TapiSrv - ok

17:50:26.0767 4388 TBS - ok

17:50:26.0772 4388 TClass2k - ok

17:50:26.0781 4388 Tcpip - ok

17:50:26.0785 4388 TCPIP6 - ok

17:50:26.0808 4388 tcpipreg - ok

17:50:26.0813 4388 TDPIPE - ok

17:50:26.0817 4388 TDTCP - ok

17:50:26.0822 4388 tdx - ok

17:50:26.0837 4388 teamviewervpn - ok

17:50:26.0841 4388 TermDD - ok

17:50:26.0846 4388 terminpt - ok

17:50:26.0850 4388 TermService - ok

17:50:26.0855 4388 Themes - ok

17:50:26.0859 4388 THREADORDER - ok

17:50:26.0863 4388 TrkWks - ok

17:50:26.0867 4388 TrustedInstaller - ok

17:50:26.0874 4388 tssecsrv - ok

17:50:26.0878 4388 TsUsbFlt - ok

17:50:26.0881 4388 TsUsbGD - ok

17:50:26.0886 4388 tsusbhub - ok

17:50:26.0890 4388 tunnel - ok

17:50:26.0895 4388 TurboB - ok

17:50:26.0899 4388 TurboBoost - ok

17:50:26.0903 4388 uagp35 - ok

17:50:26.0918 4388 UCTblHid - ok

17:50:26.0922 4388 udfs - ok

17:50:26.0930 4388 UI Assistant Service - ok

17:50:26.0935 4388 UI0Detect - ok

17:50:26.0939 4388 uliagpkx - ok

17:50:26.0943 4388 umbus - ok

17:50:26.0947 4388 UmPass - ok

17:50:26.0951 4388 UmRdpService - ok

17:50:26.0956 4388 upnphost - ok

17:50:26.0966 4388 upperdev - ok

17:50:26.0971 4388 usbccgp - ok

17:50:26.0974 4388 usbcir - ok

17:50:26.0984 4388 usbehci - ok

17:50:26.0989 4388 usbhub - ok

17:50:26.0993 4388 usbohci - ok

17:50:26.0997 4388 usbprint - ok

17:50:27.0001 4388 usbser - ok

17:50:27.0006 4388 UsbserFilt - ok

17:50:27.0009 4388 USBSTOR - ok

17:50:27.0013 4388 usbuhci - ok

17:50:27.0017 4388 usbvideo - ok

17:50:27.0022 4388 UxSms - ok

17:50:27.0026 4388 VaultSvc - ok

17:50:27.0030 4388 vdrvroot - ok

17:50:27.0034 4388 vds - ok

17:50:27.0038 4388 vga - ok

17:50:27.0042 4388 VgaSave - ok

17:50:27.0046 4388 VGPU - ok

17:50:27.0051 4388 vhdmp - ok

17:50:27.0055 4388 viaide - ok

17:50:27.0059 4388 vmbus - ok

17:50:27.0088 4388 VMBusHID - ok

17:50:27.0092 4388 volmgr - ok

17:50:27.0096 4388 volmgrx - ok

17:50:27.0100 4388 volsnap - ok

17:50:27.0105 4388 vpcbus - ok

17:50:27.0109 4388 vpcnfltr - ok

17:50:27.0116 4388 vpcusb - ok

17:50:27.0121 4388 vpcvmm - ok

17:50:27.0125 4388 vsmraid - ok

17:50:27.0129 4388 VSS - ok

17:50:27.0133 4388 vwifibus - ok

17:50:27.0153 4388 vwififlt - ok

17:50:27.0169 4388 vwifimp - ok

17:50:27.0173 4388 W32Time - ok

17:50:27.0180 4388 WacomPen - ok

17:50:27.0184 4388 WANARP - ok

17:50:27.0188 4388 Wanarpv6 - ok

17:50:27.0194 4388 WatAdminSvc - ok

17:50:27.0199 4388 wbengine - ok

17:50:27.0203 4388 WbioSrvc - ok

17:50:27.0207 4388 wcncsvc - ok

17:50:27.0220 4388 WcsPlugInService - ok

17:50:27.0225 4388 Wd - ok

17:50:27.0229 4388 Wdf01000 - ok

17:50:27.0233 4388 WdiServiceHost - ok

17:50:27.0238 4388 WdiSystemHost - ok

17:50:27.0242 4388 WebClient - ok

17:50:27.0246 4388 Wecsvc - ok

17:50:27.0251 4388 wercplsupport - ok

17:50:27.0256 4388 WerSvc - ok

17:50:27.0271 4388 WfpLwf - ok

17:50:27.0275 4388 WIMMount - ok

17:50:27.0279 4388 WinDefend - ok

17:50:27.0289 4388 WinHttpAutoProxySvc - ok

17:50:27.0305 4388 Winmgmt - ok

17:50:27.0321 4388 WinRM - ok

17:50:27.0335 4388 WinTabService - ok

17:50:27.0339 4388 WinUsb - ok

17:50:27.0343 4388 Wlansvc - ok

17:50:27.0348 4388 WmiAcpi - ok

17:50:27.0354 4388 wmiApSrv - ok

17:50:27.0359 4388 WMPNetworkSvc - ok

17:50:27.0370 4388 WorkshopDBService - ok

17:50:27.0374 4388 WPCSvc - ok

17:50:27.0378 4388 WPDBusEnum - ok

17:50:27.0382 4388 ws2ifsl - ok

17:50:27.0387 4388 wscsvc - ok

17:50:27.0391 4388 WSearch - ok

17:50:27.0397 4388 wuauserv - ok

17:50:27.0402 4388 WudfPf - ok

17:50:27.0406 4388 WUDFRd - ok

17:50:27.0410 4388 wudfsvc - ok

17:50:27.0414 4388 WwanSvc - ok

17:50:27.0421 4388 ZTEusbmdm6k - ok

17:50:27.0426 4388 ZTEusbnmea - ok

17:50:27.0431 4388 ZTEusbser6k - ok

17:50:27.0485 4388 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0

17:50:28.0357 4388 \Device\Harddisk0\DR0 - ok

17:50:28.0358 4388 ============================================================

17:50:28.0358 4388 Scan finished

17:50:28.0358 4388 ============================================================

17:50:28.0365 2236 Detected object count: 0

17:50:28.0365 2236 Actual detected object count: 0

17:54:55.0445 3384 Deinitialize success

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

aswMBR.exe - nothing either :) Here is the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-04-05 17:51:46

-----------------------------

17:51:46.367 OS Version: Windows x64 6.1.7601 Service Pack 1

17:51:46.368 Number of processors: 2 586 0x2A07

17:51:46.369 ComputerName: PROKOPIEFF UserName:

17:51:50.100 Initialize success

17:51:50.891 AVAST engine defs: 12040500

17:51:55.762 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

17:51:55.764 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 3

17:51:55.779 Disk 0 MBR read successfully

17:51:55.782 Disk 0 MBR scan

17:51:55.803 Disk 0 Windows 7 default MBR code

17:51:55.806 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63

17:51:55.819 Disk 0 Partition 2 00 42 SFS 0 MB offset 80325

17:51:55.826 Disk 0 Partition 3 80 (A) 42 SFS NTFS 100 MB offset 81920

17:51:55.839 Disk 0 Partition 4 00 42 SFS NTFS 150340 MB offset 286720

17:51:55.843 Disk 0 scanning C:\Windows\system32\drivers

17:51:55.845 Service scanning

17:52:18.839 Service Tablet2k C:\Windows\"%SystemRoot%\System32\Drivers\Tablet2k.sys" **LOCKED** 123

17:52:24.116 Modules scanning

17:52:24.122 Disk 0 trace - called modules:

17:52:24.139 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll

17:52:24.143 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80057e8760]

17:52:24.147 3 CLASSPNP.SYS[fffff88001b9243f] -> nt!IofCallDriver -> [0xfffffa80049db800]

17:52:24.151 5 ACPI.sys[fffff88000d627a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80049e2050]

17:52:24.577 AVAST engine scan C:\

17:52:24.581 Scan finished successfully

17:52:47.290 Disk 0 MBR has been saved successfully to "C:\Users\Nikolay.Prokopieff\Desktop\MBR.dat"

17:52:47.295 The log file has been saved successfully to "C:\Users\Nikolay.Prokopieff\Desktop\aswMBR.txt"

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Farbar Service Scanner

Farbar Service Scanner Version: 01-03-2012

Ran by Nikolay.Prokopieff (administrator) on 05-04-2012 at 17:53:26

Running from "C:\Users\Nikolay.Prokopieff\Downloads"

Microsoft Windows 7 Ultimate Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

OTL.exe - the log files are attached.

Thank you for your time, and have an easy day at work!!!!

OTL.Txt

Extras.Txt

Edited by me4000
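The TDSSKiller and aswMBR logs above are several hundred lines long, and the few lines a helper actually reads (the scan Mode, which shows whether the two options requested in STEP 1 were on; the MBR hash; any object not reported as "- ok"; a **LOCKED** service; the MBR code verdict) are easy to miss. The Python triage below is an added example, not part of this thread and not code from either tool. The sample logs are shortened copies of the ones posted here, with one constructed non-ok driver line (fakedrv) and a matching constructed detection count so the filter has something to find; the function names are this example's own.

```python
"""Triage of TDSSKiller and aswMBR logs.

Added example, not part of the forum thread and not code from either tool.
It scans the raw log text for the handful of lines a helper actually reads.
The sample logs are shortened copies of the ones posted in this thread, plus
one CONSTRUCTED non-ok driver line (fakedrv) and a CONSTRUCTED detection count.
"""
import re

# TDSSKiller lines look like "17:50:24.0419 4388 1394ohci - ok" (time, pid, message).
TDSS_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(.*)$")
# aswMBR lines look like "17:51:55.803 Disk 0 MBR read successfully" (time, message).
ASW_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(.*)$")

TDSS_SAMPLE = r"""
17:50:13.0319 6688 TDSS rootkit removing tool 2.7.26.0 Apr 4 2012 19:52:02
17:50:24.0328 4388 ============================================================
17:50:24.0328 4388 Scan started
17:50:24.0328 4388 Mode: Manual; SigCheck; TDLFS;
17:50:24.0328 4388 ============================================================
17:50:24.0419 4388 1394ohci - ok
17:50:24.0448 4388 ACPI - ok
17:50:25.0713 4388 fakedrv - detected Suspicious (constructed sample line)
17:50:27.0485 4388 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
17:50:28.0357 4388 \Device\Harddisk0\DR0 - ok
17:50:28.0358 4388 Scan finished
17:50:28.0365 2236 Detected object count: 1
17:50:28.0365 2236 Actual detected object count: 1
"""

ASW_SAMPLE = r"""
Run date: 2012-04-05 17:51:46
17:51:55.803 Disk 0 Windows 7 default MBR code
17:51:55.806 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
17:51:55.826 Disk 0 Partition 3 80 (A) 42 SFS NTFS 100 MB offset 81920
17:52:18.839 Service Tablet2k C:\Windows\"%SystemRoot%\System32\Drivers\Tablet2k.sys" **LOCKED** 123
17:52:24.581 Scan finished successfully
"""


def triage_tdsskiller(log_text):
    """Summarise a TDSSKiller log: scan options, MBR hash, detection count and
    every scanned object whose line does not end in ' - ok'."""
    summary = {"mode": None, "sigcheck": False, "tdlfs": False, "mbr_md5": None,
               "detected": None, "scanned": 0, "suspicious": []}
    in_scan = False
    for raw in log_text.splitlines():
        m = TDSS_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Mode:"):
            summary["mode"] = msg[len("Mode:"):].strip()
            summary["sigcheck"] = "SigCheck" in msg   # Verify Driver Digital Signature
            summary["tdlfs"] = "TDLFS" in msg         # Detect TDLFS file system
        elif msg == "Scan started":
            in_scan = True
        elif msg == "Scan finished":
            in_scan = False
        elif msg.startswith("Detected object count:"):
            summary["detected"] = int(msg.rsplit(":", 1)[1])
        elif msg.startswith("MBR ("):
            found = re.search(r"\(([0-9a-fA-F]{32})\)", msg)
            summary["mbr_md5"] = found.group(1).lower() if found else None
        elif in_scan and not msg.startswith("="):
            summary["scanned"] += 1
            if not msg.endswith(" - ok"):
                summary["suspicious"].append(msg)
    return summary


def triage_aswmbr(log_text):
    """Summarise an aswMBR log: MBR code verdict, partition table, locked
    services and whether the engine scan actually completed."""
    findings = {"mbr_code": None, "partitions": [], "locked": [], "finished": False}
    for raw in log_text.splitlines():
        m = ASW_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.endswith("MBR code"):
            findings["mbr_code"] = msg.split("Disk 0 ", 1)[-1]
        elif msg.startswith("Disk 0 Partition"):
            findings["partitions"].append(msg)
        elif "**LOCKED**" in msg:
            findings["locked"].append(msg)
        elif msg == "Scan finished successfully":
            findings["finished"] = True
    return findings


def needs_attention(tdss, asw):
    """True when any cheap indicator says a human should look closer."""
    return (bool(tdss["suspicious"]) or (tdss["detected"] or 0) > 0
            or not (tdss["sigcheck"] and tdss["tdlfs"])
            or bool(asw["locked"]) or not asw["finished"]
            or asw["mbr_code"] is None or "default MBR code" not in asw["mbr_code"])


if __name__ == "__main__":
    t, a = triage_tdsskiller(TDSS_SAMPLE), triage_aswmbr(ASW_SAMPLE)
    print("TDSSKiller:", t)
    print("aswMBR:", a)
    print("needs a closer look:", needs_attention(t, a))
```

A locked driver such as Tablet2k is flagged here as something to look at, not as malware; in the real log above the helper did not act on it, and a signed vendor driver that refuses to be read is a common benign cause.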


  • Start the OTL.exe file with a double click of the mouse.
  • In the Custom Scans/Fixes box, using Copy/Paste enter the following text in full (only what is inside the frame):
:OTL
SRV - [2011.07.04 14:51:41 | 000,008,192 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysWOW64\srvany.exe -- (KMService)
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
IE - HKU\S-1-5-21-243002880-2808142859-1455790081-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
[2012.04.04 22:55:05 | 000,003,496 | ---- | M] () -- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
[2012.04.04 22:55:11 | 000,003,496 | ---- | M] () -- C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
[2012.04.04 22:54:56 | 000,002,632 | -HS- | M] () MD5=F16C94B6CB9A03A663617DBACC906C04 -- C:\Windows\assembly\tmp\loader.tlb
[2012.04.04 22:18:40 | 000,002,048 | ---- | M] () MD5=D882A1FAB301AC161494FF650557AE0A -- C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
@Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:F46D2E85
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:960C67A0
:commands
[emptytemp]
After entering the script from the quote above, press the button highlighted in red: Run Fix

Windows will restart and a log file - the OTL fix log - will be created. Post its contents with Copy/Paste in your next reply.


Done. Here is the log:

All processes killed
========== OTL ==========
Service KMService stopped successfully!
Service KMService deleted successfully!
C:\Windows\SysWOW64\srvany.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_USERS\S-1-5-21-243002880-2808142859-1455790081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb moved successfully.
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb moved successfully.
C:\Windows\assembly\tmp\loader.tlb moved successfully.
C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} moved successfully.
ADS C:\ProgramData\TEMP:F46D2E85 deleted successfully.
ADS C:\ProgramData\TEMP:960C67A0 deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Ani.Prokopieva
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Flash cache emptied: 56468 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Nikolay.Prokopieff
->Temp folder emptied: 18072059 bytes
->Temporary Internet Files folder emptied: 2430079 bytes
->Java cache emptied: 60838 bytes
->FireFox cache emptied: 53690087 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 57294 bytes
User: NIKOLA~1~PRO
->Temp folder emptied: 0 bytes
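The helper's :OTL block above lists a service, two search-scope registry keys, four files and two alternate data streams, and the fix log that follows reports on each of them one line at a time. Checking by eye that every target got a "deleted successfully" or "moved successfully" line is the tedious part of reading such a log. The Python script below is an added example, not code from this thread and not part of OTL: it parses the :OTL section of the fix script, looks each target up in the fix log and lists whatever the log did not confirm. The script and log are the ones quoted in this thread, shortened and split into lines, plus one constructed ADS target (TEMP:DEADBEEF) that the log does not mention; the function names are this example's own.

```python
"""Reconcile an OTL fix script with the OTL fix log it produced.

Added example, not code from this thread and not part of OTL. The script and
log below are the ones quoted in the thread, shortened and split into lines,
plus one CONSTRUCTED ADS target (TEMP:DEADBEEF) that the log does not report.
"""

# Short hive names as OTL writes them in the IE/registry lines of a fix script.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCU": "HKEY_CURRENT_USER"}

FIX_SCRIPT = r"""
:OTL
SRV - [2011.07.04 14:51:41 | 000,008,192 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysWOW64\srvany.exe -- (KMService)
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
IE - HKU\S-1-5-21-243002880-2808142859-1455790081-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
[2012.04.04 22:55:05 | 000,003,496 | ---- | M] () -- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
[2012.04.04 22:54:56 | 000,002,632 | -HS- | M] () MD5=F16C94B6CB9A03A663617DBACC906C04 -- C:\Windows\assembly\tmp\loader.tlb
@Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:F46D2E85
@Alternate Data Stream - 16 bytes -> C:\ProgramData\TEMP:DEADBEEF
:commands
[emptytemp]
"""

FIX_LOG = r"""
All processes killed
========== OTL ==========
Service KMService stopped successfully!
Service KMService deleted successfully!
C:\Windows\SysWOW64\srvany.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_USERS\S-1-5-21-243002880-2808142859-1455790081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb moved successfully.
C:\Windows\assembly\tmp\loader.tlb moved successfully.
ADS C:\ProgramData\TEMP:F46D2E85 deleted successfully.
========== COMMANDS ==========
"""


def parse_fix_script(script):
    """Return (kind, target) pairs from the :OTL section of a fix script.
    Registry targets are stored as 'HIVE\\..\\Parent\\{guid}' for later matching."""
    targets, section = [], None
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):
            section = line.lower()
            continue
        if section != ":otl" or not line:
            continue
        if line.startswith("SRV -"):
            # "... -- C:\path\binary.exe -- (ServiceName)": the service and its binary.
            targets.append(("service", line.rsplit("(", 1)[1].rstrip(")").strip()))
            targets.append(("file", line.split(" -- ")[1].strip()))
        elif line.startswith("IE -"):
            key = line[len("IE - "):].split(": ", 1)[0]
            hive, _, rest = key.partition("\\")
            tail = "\\".join(rest.split("\\")[-2:])
            targets.append(("regkey", f"{HIVES.get(hive, hive)}\\..\\{tail}"))
        elif line.startswith("@Alternate Data Stream"):
            targets.append(("ads", line.split("-> ", 1)[1].strip()))
        elif " -- " in line:
            targets.append(("file", line.rsplit(" -- ", 1)[1].strip()))
    return targets


def reconcile(targets, fix_log):
    """Map each (kind, target) to what the log says about it:
    'deleted', 'moved', 'not found' or 'unreported'."""
    lines = [l.strip() for l in fix_log.splitlines() if l.strip()]
    verdicts = {}
    for kind, target in targets:
        if kind == "service":
            hits = [l for l in lines if l.startswith(f"Service {target} ")]
        elif kind == "file":
            hits = [l for l in lines if l.startswith(target + " ")]
        elif kind == "ads":
            hits = [l for l in lines if l.startswith(f"ADS {target} ")]
        else:  # regkey: full hive name plus the last two path components
            hive, _, tail = target.partition("\\..\\")
            hits = [l for l in lines if l.startswith(f"Registry key {hive}\\") and tail in l]
        verdict = "unreported"
        for hit in hits:
            if "deleted successfully" in hit:
                verdict = "deleted"
                break
            if "moved successfully" in hit:
                verdict = "moved"
                break
            if "not found" in hit:
                verdict = "not found"
        verdicts[(kind, target)] = verdict
    return verdicts


def unresolved(verdicts):
    """Targets the log did not confirm as removed: the list to re-check by hand."""
    return sorted(k for k, v in verdicts.items() if v in ("unreported", "not found"))


if __name__ == "__main__":
    result = reconcile(parse_fix_script(FIX_SCRIPT), FIX_LOG)
    for (kind, target), verdict in result.items():
        print(f"{verdict:10} {kind:8} {target}")
    print("re-check:", unresolved(result))
```

"not found" is not always a failure (OTL also reports the CLSID keys it probed on its own), so the output is a list for a human to re-check rather than an alarm; the point is that nothing in the block is silently assumed to be gone.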

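The OTL log above removed a service named KMService that wrapped srvany.exe, moved the srvany.exe binary out of SysWOW64, and stripped two alternate data streams off C:\ProgramData\TEMP. The PowerShell script below is an added example, not code from this thread or from OTL: run from an elevated prompt after the reboot, it re-checks those three things so a leftover or re-created item shows up without another full OTL run. The service and folder names come from the log; the System32 path in the last check is an assumption added because a 64-bit install has both directories.

```powershell
# Added example (not from the thread or from OTL): post-cleanup re-check of the
# items the OTL fix removed. Run from an elevated PowerShell prompt.

# 1. Services whose binary is srvany.exe. srvany runs whatever EXE is named in
#    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application, so the
#    wrapped application, not srvany itself, is what to look at.
function Get-SrvanyService {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'srvany\.exe' } |
        ForEach-Object {
            $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $app = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
            [pscustomobject]@{
                Service     = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                Wrapper     = $_.PathName
                Application = $app
            }
        }
}

# 2. Alternate data streams on the folders the log touched. A directory normally
#    carries no named stream at all; anything listed (like the TEMP:F46D2E85
#    stream OTL deleted) deserves a look.
function Get-SuspectStream {
    param([string[]]$Path = @('C:\ProgramData\TEMP', 'C:\Windows\assembly\tmp'))
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# 3. Whether the srvany.exe that OTL moved out of SysWOW64 has come back. A file
#    that reappears after a reboot points at a persistence mechanism OTL missed.
#    The System32 path is an assumption, added because both directories exist on x64.
function Test-SrvanyPresent {
    @('C:\Windows\SysWOW64\srvany.exe', 'C:\Windows\System32\srvany.exe') |
        Where-Object { Test-Path -LiteralPath $_ }
}

'== Services wrapped by srvany.exe =='
Get-SrvanyService | Format-Table -AutoSize
'== Named streams on cleaned folders =='
Get-SuspectStream | Format-Table -AutoSize
'== srvany.exe still on disk =='
Test-SrvanyPresent
```

An empty result in all three sections is the expected outcome after the OTL fix; a non-empty first section should be read together with the Application value, since that is the program the service actually starts.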

STEP 1

THE BIG CLEANUP:

Uninstall Combofix:

Click Start => in the search box type the command Combofix /Uninstall (there is a space between Combofix and /Uninstall) and press Enter.

Uninstall OTL:

Run OTL once more and click the CleanUp button.

Windows will then restart.

Manually delete any tools and logs that were not removed by the procedures above.

STEP 2

UPDATING YOUR PROGRAMS:

Update all old and vulnerable programs with Secunia Personal Inspector (download the tool, scan with it, and update all outdated programs).

Regards and happy surfing!


Thank you!!!!

Maybe I rejoiced a bit too soon: malware keeps blocking 93.186.123.200 from outgoing / utorrent.exe

http://www.projectho..._93.186.123.200

and two more similar IPs. Maybe this is normal?

Edited by me4000


Why do you think it is malware?

Look at your firewall settings instead.

93.186.123.200 is an IP from Turkey? Are you there at the moment?

Download MiniToolBox.exe and save it to the desktop.

Check all the items and click Go.

Paste the contents of the Result.txt file into your next post.

1. Download Hitman Pro.

  • For a 64-bit system
2. Run the program.

3. Once the program has started, click the "Next" button.

4. Check "No, I only want to perform a one-time scan to check this computer".

5. Click "Next".

6. The program will start scanning. The scan takes about 2 minutes.

7. When the scan has finished, click "Export the result to XML file".

8. Zip the file and attach it to your next comment.

  • Download yorkyt.exe and save it to the desktop.
  • Run the file and restart the computer so that the driver is installed.
  • After the check finishes, another restart may be needed to complete the cleanup.
  • A log file will be created.
  • Attach it to your comment in your next post.

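The reply above asks whether the "outgoing connection blocked" message really comes from malware and points at the firewall instead. A quick way to settle which product is doing the blocking is to look for the reported address in the Windows Firewall log. The PowerShell below is an added example, not code from this thread: it parses pfirewall.log by its #Fields header and lists DROP entries involving the address the poster reported. The three log lines are constructed for this example in the documented format of %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log; on the real machine, logging of dropped packets must be enabled in Windows Firewall with Advanced Security first (it is off by default), and the port numbers in the sample are invented.

```powershell
# Added example (not from the thread): is Windows Firewall the source of the
# "outgoing blocked" messages, or is it some other product? Constructed sample
# of pfirewall.log; replace with the real file on the affected machine.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-04-05 22:14:03 DROP TCP 192.168.1.5 93.186.123.200 51234 6881 52 S 1234567 0 8192 - - - SEND
2012-04-05 22:14:05 ALLOW UDP 192.168.1.5 8.8.8.8 60123 53 0 - - - - - - - SEND
2012-04-05 22:14:09 DROP TCP 93.186.123.200 192.168.1.5 6881 51234 52 S 7654321 0 8192 - - - RECEIVE
'@

function Get-FirewallDrop {
    param(
        [string[]]$LogLine,   # lines of pfirewall.log (or the constructed sample)
        [string]$RemoteIp     # the address the user saw being blocked
    )
    $fields = $null
    foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            # The header names the columns; map positionally from it instead of hard-coding.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line.Trim() -split '\s+'
        if ($v.Count -ne $fields.Count) { continue }   # skip blank or truncated lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $v[$i] }
        if ($rec['action'] -ne 'DROP') { continue }
        if ($rec['dst-ip'] -ne $RemoteIp -and $rec['src-ip'] -ne $RemoteIp) { continue }
        $outbound = $rec['path'] -eq 'SEND'
        [pscustomobject]@{
            When      = "$($rec['date']) $($rec['time'])"
            Direction = $(if ($outbound) { 'Outbound' } else { 'Inbound' })
            Protocol  = $rec['protocol']
            Remote    = $(if ($outbound) { "$($rec['dst-ip']):$($rec['dst-port'])" }
                          else           { "$($rec['src-ip']):$($rec['src-port'])" })
        }
    }
}

# Run on the constructed sample; uncomment the second line for the real log.
$lines = $SampleLog -split "`r?`n"
# $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$drops = @(Get-FirewallDrop -LogLine $lines -RemoteIp '93.186.123.200')
if ($drops.Count -gt 0) {
    "Windows Firewall dropped $($drops.Count) packet(s) involving 93.186.123.200:"
    $drops | Format-Table -AutoSize
} else {
    'No firewall drops for that address: the block message comes from another product, not Windows Firewall.'
}
```

On the sample this reports one outbound and one inbound drop. If the real log shows nothing for the address while the pop-ups continue, the block is being done by another product on the machine, which is what the rest of the thread goes on to establish.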

I found the answer to the question here: http://forums.malwarebytes.org/index.php?showtopic=102052 Thanks again for your time; since the logs are clean, I won't post them! Good night!


Haha... you should have said that MBAM or Malwarebytes was blocking those outgoing connections... From what you wrote I understood that the malware (i.e. the nasty thing) was blocking them... :) Marking the case as solved. Good night and safe surfing!
