
Suspected remnants of malware planted by a program...


Recommended post


Good day. I haven't written here for quite some time.

Yesterday, out of interest, I took a look at the program at the link https://www.kaldata.com/comments.php?catid=1&id=94932 and, although I looked quite carefully at what exactly I was installing, it still managed to shove malware onto my machine. The malware in question pushes adware pointing at fake download sites for driver software and the like...

I destroyed all the data on the system partition using a Parted Magic Live CD, using the method of wiping the partitions by writing zeros sector by sector, after which I restored a copy of the operating system that I had made and stored on an external drive with the Clonezilla tool. I am not sure whether, after this manipulation of the system partition, there are no remnants of the malware in question lodged on it or on other partitions of the hard disk. Since I am planning to migrate the operating system to an SSD, I would ask that we check the partitions for malware and viruses. Thank you in advance.

I am providing the 2 files needed for analysis, as described in the thread "My system is infected..."

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-10-2014
Ran by Administrator (administrator) on WIN-4AAHUATPTSH on 30-10-2014 15:20:06
Running from C:\Users\Administrator\Desktop
Loaded Profile: Administrator (Available profiles: Administrator)
Platform: Windows 8.1 Pro (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Stardock Software, Inc) C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Stardock Software, Inc) C:\Program Files (x86)\Stardock\Start8\Start8_64.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Mozilla Corporation) C:\Program Files\Cyberfox\Cyberfox.exe
() C:\Program Files\qBittorrent (x64 Edition)\qbittorrent.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-09-15] (Advanced Micro Devices, Inc.)
ShellIconOverlayIdentifiers: [storageProviderError] -> {0CA2640D-5B9C-4c59-A5FB-2DA61A7437CF} => C:\Windows\System32\shell32.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [storageProviderSyncing] -> {0A30F902-8398-4ee8-86F7-4CFB589F04D1} => C:\Windows\System32\shell32.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [storageProviderError] -> {0CA2640D-5B9C-4c59-A5FB-2DA61A7437CF} => C:\Windows\SysWOW64\shell32.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [storageProviderSyncing] -> {0A30F902-8398-4ee8-86F7-4CFB589F04D1} => C:\Windows\SysWOW64\shell32.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x2A61AB3B81FDCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = bg-BG
Tcpip\Parameters: [DhcpNameServer] 46.40.72.13 46.40.72.9

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default
FF NewTab: about:blank
FF NetworkProxy: "user_pref("extensions.preferencesmonitor.revonstrg", "{\"extensions.autoDisableScopes\":15,\"general.useragent.compatMode.firefox\":false,\"browser.newtab.url\":\"about:newtab\",\"browser.startup.homepage\":\"chrome://branding/locale/browserconfig.properties\",\"general.useragent.enable_overrides\":false,\"general.useragent.site_specific_overrides\":true,\"general.useragent.locale\":\"en-US\",\"network.proxy.autoconfig_url\":\"\",\"browser.startup.page\":1,\"keyword.enabled\":true,\"browser.newtab.preload\":true}");
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Extension: MinimizeToTray revived (MinTrayR) - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: LastPass - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: SearchPreview - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6} [2014-07-27]
FF Extension: Cleanest Addon Manager - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Charset Switcher - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Clear Fields - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Element Hiding Helper for Adblock Plus - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: FindBar Tweak - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: OmniSidebar - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Page Info Button - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Restart My Fox - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Scroll to Top/Bottom - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: switch-to-tab Blacklist fixed by Koletzfeller - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Yes popups - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\[email protected] [2014-07-27]
FF Extension: Preferences Monitor - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{517f9e52-c795-4764-bf77-5e2db596cee6}.xpi [2014-07-27]
FF Extension: SmoothWheel (mozdev.org) - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}.xpi [2014-07-27]
FF Extension: Secure Sanitizer - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{7e69e900-c32e-11db-8314-0800200c9a66}.xpi [2014-07-27]
FF Extension: FfChrome - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{9bc51d13-3849-4541-a69c-da418934ca05}.xpi [2014-07-27]
FF Extension: BetterPrivacy - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2014-07-27]
FF Extension: Adblock Edge - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-07-27]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
S3 KeyIso; C:\Windows\SysWOW64\keyiso.dll [44032 2013-08-22] (Microsoft Corporation)
S3 lfsvc; C:\Windows\SysWOW64\GeofenceMonitorService.dll [357376 2013-08-22] (Microsoft Corporation)
S3 Netlogon; C:\Windows\SysWOW64\netlogon.dll [688640 2013-08-22] (Microsoft Corporation)
S3 smphost; C:\Windows\SysWOW64\smphost.dll [11776 2013-08-22] (Microsoft Corporation)
R2 Start8; C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe [142960 2013-03-19] (Stardock Software, Inc)
S3 StorSvc; C:\Windows\SysWOW64\storsvc.dll [18944 2013-08-22] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-23] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [223232 2014-06-21] (Advanced Micro Devices)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R3 RTL8023x64; C:\Windows\system32\DRIVERS\Rtnic64.sys [51712 2013-06-18] (Realtek Semiconductor Corporation                           )
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
S4 WinDivert1.1; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-30 15:20 - 2014-10-30 15:20 - 00010478 _____ () C:\Users\Administrator\Desktop\FRST.txt
2014-10-30 15:19 - 2014-10-30 15:20 - 00000000 ____D () C:\FRST
2014-10-30 15:19 - 2014-10-30 15:19 - 02113536 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2014-10-30 15:02 - 2014-10-30 15:02 - 00000968 _____ () C:\Users\Public\Desktop\qBittorrent (x64 Edition).lnk
2014-10-30 15:02 - 2014-10-30 15:02 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\qBittorrent
2014-10-30 15:02 - 2014-10-30 15:02 - 00000000 ____D () C:\Users\Administrator\AppData\Local\qBittorrent
2014-10-30 15:02 - 2014-10-30 15:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qBittorrent (x64 Edition)
2014-10-30 15:02 - 2014-10-30 15:02 - 00000000 ____D () C:\Program Files\qBittorrent (x64 Edition)
2014-10-30 11:55 - 2014-10-30 11:55 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\ATI
2014-10-30 11:55 - 2014-10-30 11:55 - 00000000 ____D () C:\Users\Administrator\AppData\Local\ATI
2014-10-30 11:55 - 2014-10-30 11:55 - 00000000 ____D () C:\ProgramData\ATI
2014-10-30 11:54 - 2014-10-30 11:54 - 00056548 _____ () C:\Windows\SysWOW64\CCCInstall_201410301154360897.log
2014-10-30 11:54 - 2014-10-30 11:54 - 00000000 ____D () C:\Windows\LastGood.Tmp
2014-10-30 11:54 - 2014-10-30 11:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2014-10-30 11:54 - 2014-10-30 11:54 - 00000000 ____D () C:\Program Files\Common Files\ATI Technologies
2014-10-30 11:54 - 2014-10-30 11:54 - 00000000 ____D () C:\Program Files (x86)\ATI Technologies
2014-10-30 11:54 - 2014-10-30 11:54 - 00000000 ____D () C:\Program Files (x86)\AMD AVT
2014-10-30 11:54 - 2014-10-30 11:54 - 00000000 _____ () C:\Windows\ativpsrm.bin
2014-10-30 11:53 - 2014-10-30 11:53 - 00000000 ____D () C:\Program Files\ATI Technologies
2014-10-30 11:53 - 2014-10-30 11:53 - 00000000 ____D () C:\Program Files\ATI
2014-10-30 11:52 - 2014-10-30 11:52 - 00000000 ____D () C:\AMD
2014-10-30 11:51 - 2014-10-30 11:54 - 00000824 _____ () C:\Windows\setupact.log
2014-10-30 11:51 - 2014-10-30 11:51 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-30 11:50 - 2014-10-30 11:50 - 01157563 _____ (Igor Pavlov) C:\Users\Administrator\Desktop\DDU v13.4.2.2.exe
2014-10-30 11:50 - 2014-10-30 11:50 - 00000000 ____D () C:\Users\Administrator\Desktop\DDU v13.4.2.2
2014-10-30 11:49 - 2014-10-30 11:49 - 286582040 _____ (AMD Inc.) C:\Users\Administrator\Desktop\amd-catalyst-14-9-win7-win8.1-64bit-dd-ccc-whql.exe
2014-10-30 08:58 - 2014-10-30 12:00 - 00009140 _____ () C:\Windows\WindowsUpdate.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-30 14:00 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\sru
2014-10-30 12:05 - 2013-12-20 11:45 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1132210162-3808936593-1132242557-500
2014-10-30 11:59 - 2013-12-20 11:44 - 00863592 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-30 11:55 - 2013-08-22 16:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-30 11:51 - 2014-01-18 17:29 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Skype
2014-10-30 11:51 - 2013-08-22 15:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2014-10-30 10:54 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\LiveKernelReports

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-30 09:31

==================== End Of Log ============================

 

 

 

Addition.txt

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-10-2014
Ran by Administrator at 2014-10-30 15:20:27
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AMD Catalyst Install Manager (HKLM\...\{C2956908-53A3-88FC-B795-B16508296FC4}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.09 - Piriform)
Cyberfox Web Browser (HKLM\...\{5EFB52C0-4EC9-46B4-80EB-8432C6599641}_is1) (Version: 26.0.0.0 - 8pecxstudios)
Daum PotPlayer 1.5.44465 x64 Edition (HKLM\...\PotPlayer64) (Version:  - )
foobar2000 v1.3.3 (HKLM-x32\...\foobar2000) (Version: 1.3.3 - Peter Pawlowski)
HaoZip (HKLM\...\HaoZip) (Version: v3.0 - Ruichuang Network Technology Co.,Ltd)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Microsoft Games for Windows 8 x64 (HKLM\...\{B6047A78-062F-4C6F-A82D-B94DAF72FB73}) (Version: 1.2 - Microsoft)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
qBittorrent (x64 Edition) version 3.1.10 (HKLM\...\{2589239E-DCDD-4F29-960B-DE40C1AC0CDD}_is1) (Version: 3.1.10 - The qBittorrent project)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.21.909.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7076 - Realtek Semiconductor Corp.)
Skype™ 6.18 (HKLM-x32\...\{1845470B-EB14-4ABC-835B-E36C693DC07D}) (Version: 6.18.105 - Skype Technologies S.A.)
Stardock Start8 (HKLM\...\Start8_is1) (Version: 1.31 - Stardock Software, Inc.)
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2014-07-27 11:42 - 00000980 ____A C:\Windows\system32\Drivers\etc\hosts
    127.0.0.1 rad.msn.com
    127.0.0.1 apps.skype.com
    127.0.0.1 ui.skype.com
    127.0.0.1 metrics.skype.com

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {035792A1-D4EF-4A78-BF9A-AA9628C281A3} - System32\Tasks\Microsoft\Windows\Setup\SetupCleanupTask
Task: {05293577-D647-4185-B859-C94839A0B2E3} - System32\Tasks\Microsoft\Windows\SettingSync\NetworkStateChangeTask
Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {2085BF56-520D-4951-B7C0-DF34AF90CC6A} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: {2C9C0C6C-2A74-46F2-858A-4389D253EAD0} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\Windows\System32\AutoWorkplace.exe [2013-08-22] (Microsoft Corporation)
Task: {3B6D8A73-F20B-4C93-B8FB-56A154F172D2} - System32\Tasks\Microsoft\Windows\Time Zone\SynchronizeTimeZone => C:\Windows\system32\tzsync.exe [2013-08-22] (Microsoft Corporation)
Task: {49754026-21E1-41FC-94FD-727AFE414FE7} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance
Task: {6AA91E8C-DDBD-4979-8464-4062F7681A19} - System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup
Task: {6DFCB649-0769-4F83-BB10-F60F235F6D3D} - System32\Tasks\Microsoft\Windows\SkyDrive\Idle Sync Maintenance Task
Task: {73B1B253-CE67-4501-AE1A-377DD1D68B65} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {77F1D869-6E65-4079-A2A0-E2023408EF97} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {7B12F6F7-CD64-49A9-989C-D74A8478EE8B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-12-17] (Piriform Ltd)
Task: {872D0E53-FD2E-41E3-B431-698AF82882CE} - System32\Tasks\Microsoft\Windows\SkyDrive\Routine Maintenance Task
Task: {8CC813C9-712A-41EF-9512-B233444FC669} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup => Rundll32.exe %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask
Task: {9FF4C139-5234-410C-B7FA-23EE2FD2AB53} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Maintenance Work
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - System32\Tasks\Microsoft\Windows\SettingSync\BackupTask
Task: {D88FEC9E-A82A-46F9-87E2-B6B97B301C1A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {DA46820F-FF8A-4B5E-A6B2-B12185DCFFFB} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Logon Synchronization
Task: {E6D378FA-E068-4BCB-80DE-56D43A249507} - System32\Tasks\Microsoft\Windows\RecoveryEnvironment\VerifyWinRE

==================== Loaded Modules (whitelisted) =============

2013-12-20 14:50 - 2013-12-12 10:16 - 04374184 _____ () C:\Program Files\Cyberfox\mozjs.dll
2014-07-27 11:15 - 2014-02-27 00:36 - 01267200 _____ () C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\extensions\[email protected]\platform\WINNT_x86_64-msvc\components\lpxpcom_x86_64.dll
2014-07-27 11:15 - 2012-11-21 06:26 - 00010240 _____ () C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\09htf8tt.default\extensions\[email protected]\lib\tray_x86_64-msvc.dll
2014-10-30 15:02 - 2014-09-22 13:10 - 07291904 _____ () C:\Program Files\qBittorrent (x64 Edition)\qbittorrent.exe
2014-10-30 15:02 - 2014-09-22 13:00 - 03103744 _____ () C:\Program Files\qBittorrent (x64 Edition)\torrent.dll
2014-10-30 15:02 - 2014-08-16 15:09 - 00019456 _____ () C:\Program Files\qBittorrent (x64 Edition)\boost_system.dll
2013-12-20 11:45 - 2013-09-16 12:17 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1132210162-3808936593-1132242557-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-1132210162-3808936593-1132242557-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (10/30/2014 11:53:59 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\AMD\AMD-Catalyst-14-9-win7-win8.1-64Bit-dd-ccc-whql\Packages\Apps\VC12RTx64\vcredist_x64\vcredist_x64.exe  /q /norestart; Description = Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727; Error = 0x8007043c).

Error: (10/30/2014 11:53:52 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\AMD\AMD-Catalyst-14-9-win7-win8.1-64Bit-dd-ccc-whql\Packages\Apps\VC12RTx86\vcredist_x86\vcredist_x86.exe  /q /norestart; Description = Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727; Error = 0x8007043c).

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[c1dd6196-3165-4b0b-b7f7-360b2527ddfa]\Users\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[bd6961b4-c57a-4773-ba25-d50762e70783]\Users\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[6a4421a2-dbab-45c4-96b4-339075af8baa]\Users\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[27ef6997-920f-44f0-8f32-ef9956e878a1]\Users\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[c1dd6196-3165-4b0b-b7f7-360b2527ddfa]\ProgramData\Microsoft\Windows\Start Menu\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[bd6961b4-c57a-4773-ba25-d50762e70783]\ProgramData\Microsoft\Windows\Start Menu\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[6a4421a2-dbab-45c4-96b4-339075af8baa]\ProgramData\Microsoft\Windows\Start Menu\">.

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80004005, "file:///C:\[27ef6997-920f-44f0-8f32-ef9956e878a1]\ProgramData\Microsoft\Windows\Start Menu\">.


System errors:
=============
Error: (10/30/2014 00:07:00 PM) (Source: DCOM) (EventID: 10010) (User: WIN-4AAHUATPTSH)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (10/30/2014 00:06:29 PM) (Source: DCOM) (EventID: 10010) (User: WIN-4AAHUATPTSH)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (10/30/2014 11:55:32 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The UAC File Virtualization service failed to start due to the following error:
%%1275

Error: (10/30/2014 11:55:11 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

Error: (10/30/2014 11:51:40 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The UAC File Virtualization service failed to start due to the following error:
%%1275

Error: (10/30/2014 11:51:30 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

Error: (10/30/2014 11:50:36 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PAExec service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (10/30/2014 10:58:28 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.


Microsoft Office Sessions:
=========================
Error: (10/30/2014 11:53:59 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\AMD\AMD-Catalyst-14-9-win7-win8.1-64Bit-dd-ccc-whql\Packages\Apps\VC12RTx64\vcredist_x64\vcredist_x64.exe  /q /norestartMicrosoft Visual C++ 2012 Redistributable (x64) - 11.0.507270x8007043c

Error: (10/30/2014 11:53:52 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\AMD\AMD-Catalyst-14-9-win7-win8.1-64Bit-dd-ccc-whql\Packages\Apps\VC12RTx86\vcredist_x86\vcredist_x86.exe  /q /norestartMicrosoft Visual C++ 2012 Redistributable (x86) - 11.0.507270x8007043c

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[c1dd6196-3165-4b0b-b7f7-360b2527ddfa]\Users\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[bd6961b4-c57a-4773-ba25-d50762e70783]\Users\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[6a4421a2-dbab-45c4-96b4-339075af8baa]\Users\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[27ef6997-920f-44f0-8f32-ef9956e878a1]\Users\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[c1dd6196-3165-4b0b-b7f7-360b2527ddfa]\ProgramData\Microsoft\Windows\Start Menu\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[bd6961b4-c57a-4773-ba25-d50762e70783]\ProgramData\Microsoft\Windows\Start Menu\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[6a4421a2-dbab-45c4-96b4-339075af8baa]\ProgramData\Microsoft\Windows\Start Menu\

Error: (10/30/2014 08:58:54 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 300x80004005file:///C:\[27ef6997-920f-44f0-8f32-ef9956e878a1]\ProgramData\Microsoft\Windows\Start Menu\


==================== Memory info ===========================

Processor: Intel® Pentium® CPU G3420 @ 3.20GHz
Percentage of memory in use: 18%
Total physical RAM: 8138.5 MB
Available physical RAM: 6641.57 MB
Total Pagefile: 8138.5 MB
Available Pagefile: 6223.21 MB
Total Virtual: 131072 MB
Available Virtual: 131071.8 MB

==================== Drives ================================

Drive c: ([W8-1-Pro]) (Fixed) (Total:82.76 GB) (Free:71.69 GB) NTFS
Drive d: ([Arc01]) (Fixed) (Total:385 GB) (Free:319.07 GB) NTFS
Drive e: ([Dwnld]) (Fixed) (Total:387.66 GB) (Free:346.84 GB) NTFS
Drive f: ([Deep][Arc]) (Fixed) (Total:55 GB) (Free:9.99 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 3C02293F)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=82.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=385 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=463.4 GB) - (Type=05)

==================== End Of Log ============================

I'm pasting the file because, according to the forum's file system, it is too large to be attached the standard way. Please let's review the system before I decide whether to migrate it to an SSD or not. And if measures need to be taken to clean viruses out of it, let that be done before I install the SSD and do a clean install of the operating system on it.

The operating system I'd like us to check is Windows 8.1


Hello,

No active infections are visible in the logs provided.

Still, let's check:

STEP 1

  • Please download Malwarebytes Anti-Malware 2.0.3.1025 Final and save it to your desktop.
  • Run the file mbam-setup-2.0.2.1012.exe and follow the prompts to install the program.
  • Once the installation has finished, make sure the following box is ticked:
  • Launch Malwarebytes Anti-Malware
  • The box enabling the 14-day trial period is also ticked by default. If you do not want to test the program's real-time protection over the next 14 days, untick it.
  • Click the Finish button.
  • Go to the Settings tab > Detection and Protection > and under the Detection Options category enable the "Scan for rootkits" option.
  • Go to the Scan tab, select the Threat Scan radio button and then click the Scan Now >> button. If an update is found, click the Update Now button.
  • A scan for malicious software will begin.
  • With some infections you may see the message:
  • "Could not load DDA driver"
  • Click "Yes" on this message to allow the driver to load after a restart.
  • Allow the computer to restart and then continue with the remaining instructions.
  • Once the scan has finished, click the Apply Actions button.
  • Wait for the window prompting you to restart to appear, then click the Yes button.
  • After the restart, once the desktop appears, MBAM will load once more.
  • Go to the History tab > Application Logs.
  • Open the report with the most recent date and time and click the "Copy to Clipboard" button.
  • Now paste the contents of the log file with the key combination Ctrl + V and post it in your next comment.

    STEP 2

    1. Download Hitman Pro.
    For a 32-bit system - dEMD6.gif.
    For a 64-bit system - Download-button3.gif

    2. Run the program.

    3. After you have started the program by clicking the icon 5vo5F.jpg, click the "Next" button, agreeing to the license agreement (EULA).

    4. Tick "No, I want to perform a one-time scan of the computer".

    5. Click the "Next" button.

    6. The program will begin scanning. The scan takes about 2 minutes.

    7. When the scan has finished, from the list of found items (if any) choose Apply to all => Ignore.

    8. Click "Next" and then click "Export the result to XML file" and save the log file to the desktop.

    9. Archive the file and attach it to your next comment, or copy its contents into your next comment.

    Note: If there is no drop-down menu from which to choose Ignore, as in the picture:

    6-scanfin-choose.jpg

    Then simply close the program after the scan has finished (without removing anything)... then open C:\ProgramData\HitmanPro\Logs, open the log file and post its contents in your next comment.

The logs you're interested in:


HitmanPro 3.7.9.232
www.hitmanpro.com

   Computer name . . . . : WIN-4AAHUATPTSH
   Windows . . . . . . . : 6.3.0.9600.X64/2
   User name . . . . . . : WIN-4AAHUATPTSH\Administrator
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2014-11-04 09:19:57
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 20s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 0

   Objects scanned . . . : 920,841
   Files scanned . . . . : 10,335
   Remnants scanned  . . : 119,882 files / 790,624 keys

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2014 Nov 03
Scan Time: 22:32:59
Logfile: mBam-log-2014-11-04.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.03.09
Rootkit Database: v2014.11.01.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Administrator

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 399944
Time Elapsed: 16 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Malware.Packer, E:\P2PDwnlds\PingPlotter\pingplotter_keygen-fff.exe1, , [9fc6ea4d3349a0966b8b3929af51b050],

Physical Sectors: 0
(No malicious items detected)


(end)

I modified the Windows hosts file myself, to block the annoying ads in Skype.


The logs you're interested in:

I modified the Windows hosts file myself, to block the annoying ads in Skype.

I saw it; I didn't reset that one. :)

The rest of the logs are clean.


I saw it; I didn't reset that one. :)

The rest of the logs are clean.

Perfect. Now I'm wondering about just one thing: should I do a clean install of 8.1.1 on the SSD, or migrate it...

