Проблем с вирус - Win32/Agent.ARK trojan

Zdravkovich · Септември 6, 2007

Някави други предложение за този Win32:Vundo-gen49[Adw] днеска след рестар Аваста пак изпищя че го има този кон,а като я пусна на скан нея и VUNDOFIX нищо не намират. А след известно време пищи че го има,как става това не знам.

Приемам всякакви предложения

Night_Raven · Септември 6, 2007

Можеш да сканираш и със Spybot - Search & Destroy.

Опитай и да изпразниш временните файлове от папката под Safe Mode.

Zdravkovich · Септември 6, 2007

Сега ще пробвам и с нея.

Под Safe Mode не ме пуска аз още вчера пробвах, кото пробвам да влезна под Safe Mode ми се растартира компа незнам дали е от вируса или от нещо друго

Zdravkovich · Септември 8, 2007

Явно няма да се разбера с тея бацили и ще трябва Format C

juli93 · Април 11, 2009

здравейте, както си сърфирах из нета ми се появи един троянски кон. мина като светкавица през екрана и аз в отчаяние си изключих компютъра. откакто го рестартирах не ми се появяват никакви икони, нито лентата със старт-менюто. нямам абсолютно никакъв достъп до моите файлове, дава ми, че има информация в компютъра, но не мога да я видя. за първи път ми е, отчаяна съм и не знам какво да правя, а и не разбирам. плюс това до понеделник трябва да се оправи някак, защото вътре са ми всичките домашни. ровех се в нета, за да намеря проблеми като моя, но не намерих. моля ви, помогнете, спешно е, поне кажете може ли въобще да се оправи без да го нося на доставчика.

B-boy/StyLe/ · Април 12, 2009

Като за начало провери ли дали се е заредил процеса explorer.exe.

Натисни Ctrl + Alt + Del и в Task Manager-a отиди на Processes => File => New Task (run...) => напиши explorer.exe => и натисни OK.

http://pic-bg.net/files/n98fsc9f790hsy9kb7qr.jpg

Ако се появят иконите и лентата за задачи няма да е зле да направиш следното:

Сканирай със SUPERAntiSpyware Free и Malwarebytes' Anti-Malware

За SUPERAntiSpyware:

* стартирай програмата

* кликни бутонa Check For Updates

* след това избери Scan Your Computer

* вляво избери само дял C:, а вдясно избери Perform Complete Scan

http://pic-bg.net/files/uyzl0vtwtjahyh3n4076.jpg

* кликни Next и изчакай да сканира

* кликни Next, за да се премахнат намерените паразити и след това натисни Finish

* кликни бутона Preferences => придвижи се до Statistics/Logs избери лог файла и натисни бутона View Log

* копирай съдържанието му тук.

За Malwarebytes' Anti-Malware:

* стартирай програмата

* придвижи се до секцията Update и натисни Check for Updates

* след това отиди до категорията Scanner и избери Perform quick scan и кликни бутона Scan

* като приключи сканирането кликни върху бутон Remove Selected (или ако ти е на български премахни избраните)

http://img27.imageshack.us/img27/2963/mbam.jpg

* ще се появи текстов файл, копирай съдържанието му в следващия си отговор.

Ако не се зареди десктопа, направи следното:

Изтегли Avira AntiVir Rescue System 04/2009 (ако се наложи използвай компютъра на приятел/ка за целта)

Сложи празен диск в оптичното устройство и стартирай файла с двоен клик на мишката.

Натисни BURN CD

http://pic-bg.net/files/rvjhm3ap9xu1twer66ah.jpg

Сега стартирай машината си и според това каква е дънната ти платка пробвай различни клавиши (най-често F1, F2, del) за да влезнеш в BIOS менюто и да направиш CD-ROM-а да е първо зареждащо устройство:

http://www.hiren.info/pages/bios-boot-cdrom

Поставяш записания диск на Avira Rescue CD в CD ROM-a и зареждаш от него.

Отиди на Configuration => и на Action at malware discovery сложи радиобутона на try to repair infected files и маркирай опцията под него rename files if they cannot be removed

http://pic-bg.net/files/l16yhux0ot6gjtfyg9np.jpg

След това отиди на Virus Scanner и избери Start Scanner

http://pic-bg.net/files/ytsu77reoqjea2hhxfxn.jpg

juli93 · Април 12, 2009

ужасно много ти благодаря. значи след като ти писах аз пак се рових, такава съм, че не си давам мира, като изникне проблем и с майка ми (тя работи с компютри, но за съжаление, не можа да ми помогне много, защото не знае много английски, а аз не съм дообре с терминологията) стояхме до 5 часа сутринта. вече имам достъп до информацията в компютъра ми и иконките ми се показват, успях да си активирам някак десктопа. оказа се, че имам от онзи вирус, който ми казва, че уш е антивирусна и иска да я инсталирам, за да ми повреди компютъра - мс антиспайуер 2009. и в нета много се ровех, оттам разбрах повечето неща и си инсталирах тази malware или както там се казваше (бялото "М" на червен фон е иконката). там изпълних всичко, което пишеше в инструкциите (същото, което и ти си написал), обаче ми пишеше и да си рестартирам компа. обаче и след рестартирането пак не ми се виждаха иконките и нищо не се променяше. сега си инсталирах Суперантиспайуера, който ти ми препоръча и пак ми искаше рестарт, но вече ми се видяха иконките, което, надявам се, е много добър знак. а съдържанието, което ми излезе във View Log e:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 04/12/2009 at 05:16 PM

Application Version : 4.26.1000

Core Rules Database Version : 3839

Trace Rules Database Version: 1795

Scan type : Complete Scan

Total Scan Time : 00:16:37

Memory items scanned : 409

Memory threats detected : 0

Registry items scanned : 5221

Registry threats detected : 0

File items scanned : 14244

File threats detected : 7

Adware.Tracking Cookie

C:\Documents and Settings\Sempron\Cookies\sempron@cgi-bin[1].txt

C:\Documents and Settings\Sempron\Cookies\sempron@doubleclick[1].txt

C:\Documents and Settings\Sempron\Cookies\sempron@advertising[1].txt

Trojan.Agent/Gen-FakeAlert

C:\WINDOWS\MSB.EXE

C:\WINDOWS\Prefetch\MSB.EXE-1B32DC30.pf

Malware.SpywareNuker

C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS

Trojan.Dropper/UserInit-Fake

C:\WINDOWS\SYSTEM32\USERINIT.EXE

Ровех се и в моите антивирусни NOD32 i Spyware Nucker, обаче явно те са безсилни да се справят с това. Доколкото виждам имам бисквитки, които или се крадат, или са отровени. не знам какво да направя оттук нататък. Също искам да те попитам трябва ли да си включвам компютъра на режим safe mode при такава ситуация и как да го направя, ако се налага? изтеглих си някаква инструкция от help and support, но не ми е много ясна. Иначе английския ми е много доър, но тези термини не ги знам много и не мога да си намеря инструкция на БГ.

п.с. извинявай, че съм толкова подробна, но нз коя е най-важната информация, затова ти описвам всичко. още веднъж много благодаря.

B-boy/StyLe/ · Април 12, 2009

Така...проблема ти се дължи на userinit.exe който вероятно е бил (или все още е заразен).

Къде е лога от Malwarebytes' Anti-Malware 1.36 ? (намират се в категорията LOGS).

Препоръчвам, ако използваш кракната и стара версия на NOD32 или да обновиш до по-нова (например версия 4)

Ето линка за версия NOD32 Antivirus 4.0.314

или да я разкараш и да си инсталираш безплатната Avira AntiVir Personal 9.0.0.386

Съветвам те да деинсталираш този боклук Spyware Nucker (програма, която е била вече в черните списъци на Spyware Warrior).

Преди да преминем към евентуално по-сериозни мерки искам да изпратиш следния файл за анализ: C:\WINDOWS\SYSTEM32\USERINIT.EXE на следния адрес:

http://www.virustotal.com/img/VirusTotal-logo.png

Публикувай линка с резултатите от проверкана на файлчето и след това ще прожължим.

juli93 · Април 12, 2009

MD5: 39b1ffb03c2296323832acbae50d2aff

First received: 11.20.2007 00:54:56 (CET)

Date: 04.12.2009 09:27:52 (CET) [<1D]

Results: 0/40

Permalink: analisis/d0652ae2966a412ff20e5956ce4c7d0b

Това е което ми излезе от анализа.

А от Malware ми показа ето това от Logs:

Malwarebytes' Anti-Malware 1.36

Database version: 1970

Windows 5.1.2600 Service Pack 2

12.4.2009 19:25:37

mbam-log-2009-04-12 (19-25-37).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 112737

Time elapsed: 16 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer (Rogue.WebMediaPlayer) -> Delete on reboot.

Какво означава "да започнем по-сериозна работа", толкова ли е безнадеждно положението? Ще се размина ли без сервиз? :(

B-boy/StyLe/ · Април 12, 2009

Ще се размине разбира се.

Просто исках да се уверя дали ще се наложи подмяната на userinit.exe.

Прати файла за анализ във ВирусТотал, както съм описал в предишния си пост.

Сега изтегли RSIT.

Стартирай го и избери Continue на диалоговия прозорец.

http://pic-bg.net/files/ljb50puyk0awmewu0dt6.jpg

След приключването на проверката, публикувай двата лог файла, които RSIT ще създаде.

(ps: или просто ги отвори и чрез copy/paste публикувай резултатите в следващия си пост).

juli93 · Април 12, 2009

мн ме успокои, мислех, че трябва да го нося на ремонт.

MD5: 39b1ffb03c2296323832acbae50d2aff

First received: 11.20.2007 00:54:56 (CET)

Date: 04.12.2009 09:27:52 (CET) [<1D]

Results: 0/40

Permalink: analisis/d0652ae2966a412ff20e5956ce4c7d0b

Logfile of random's system information tool 1.06 (written by random/random)

Run by Sempron at 2009-04-12 20:22:51

Microsoft Windows XP Professional Service Pack 2

System drive C: has 2 GB (17%) free of 12 GB

Total RAM: 959 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:22:54, on 12.4.2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Spyware Nuker\swnxt.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Sempron\Local Settings\Temporary Internet Files\Content.IE5\VDTBAGAU\RSIT[1].exe

C:\Program Files\trend micro\Sempron.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dir.bg/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera (VC0305)

O4 - HKLM\..\Run: [Microsoft WinMgmt] iexplore.exe

O4 - HKLM\..\Run: [internetServiceProvider] ispkey.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\RunServices: [ispkey] \ispkey.exe

O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\system32\iexplore.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{81A3EE1E-ABF8-4F7E-BDAE-19EE9D5268E5}: NameServer = 83.228.92.1,83.228.92.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O24 - Desktop Component 0: (no name) - http://atv.disney.go.com/disneychannel/med...ads/800x600.jpg

--

End of file - 6782 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]

Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-11-07 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-26 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-26 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]

Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-26 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{855F3B16-6D32-4fe6-8A56-BBB695989046}

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-26 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-10-17 7307264]

"nwiz"=nwiz.exe /install []

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-10-17 86016]

"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-10-04 90112]

"RegistryMechanic"= []

"SWN2"=C:\Program Files\Spyware Nuker\swnxt.exe [2006-06-09 4060160]

"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

"Resume copy"=copyfstq.exe /startup []

"BigDogPath"=C:\WINDOWS\VM_STI.EXE [2005-02-28 53248]

"Microsoft WinMgmt"=C:\Program Files\Internet Explorer\iexplore.exe [2004-08-04 93184]

"InternetServiceProvider"=ispkey.exe []

"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-02-06 2021400]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-01 68856]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2005-05-19 1957888]

"TridentVideoIcon"= []

"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-19 342848]

"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]

"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"authentication packages"=msv1_0

nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"

"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - edit -

.js - open -

======List of files/folders created in the last 1 months======

2009-04-12 20:22:03 ----D---- C:\rsit

2009-04-12 20:22:03 ----D---- C:\Program Files\trend micro

2009-04-12 19:01:32 ----D---- C:\Documents and Settings\All Users\Application Data\ESET

2009-04-12 16:35:47 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-12 16:35:37 ----D---- C:\Program Files\SUPERAntiSpyware

2009-04-12 16:35:37 ----D---- C:\Documents and Settings\Sempron\Application Data\SUPERAntiSpyware.com

2009-04-12 16:34:35 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2009-04-12 04:04:11 ----D---- C:\Documents and Settings\Sempron\Application Data\Malwarebytes

2009-04-12 04:04:05 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2009-04-12 04:04:04 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-04-12 00:53:49 ----D---- C:\Documents and Settings\All Users\Application Data\wmp

2009-04-05 15:21:40 ----D---- C:\Hashove (2009) TVRip.XviD-CoveR

2009-04-02 21:27:37 ----D---- C:\Program Files\Common Files\Skype

2009-04-02 21:25:26 ----A---- C:\Skype 3.8.0.188.exe

2009-03-26 00:26:13 ----D---- C:\Program Files\URUSoft

2009-03-22 17:05:44 ----D---- C:\The.Adventures.of.Food.Boy.2008.DVDRip.XviD-BeStDivX

2009-03-22 13:44:19 ----D---- C:\Program Files\ASIO4ALL v2

2009-03-22 13:43:50 ----D---- C:\Program Files\VstPlugins

2009-03-22 13:42:46 ----D---- C:\Program Files\Outsim

2009-03-22 13:40:57 ----D---- C:\Program Files\Image-Line

2009-03-22 00:50:24 ----D---- C:\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0-NoPE

======List of files/folders modified in the last 1 months======

2009-04-12 20:22:03 ----D---- C:\Program Files

2009-04-12 20:19:33 ----D---- C:\Documents and Settings\Sempron\Application Data\DNA

2009-04-12 20:16:42 ----D---- C:\WINDOWS\system32\CatRoot2

2009-04-12 19:49:51 ----D---- C:\WINDOWS\Temp

2009-04-12 19:30:27 ----D---- C:\Documents and Settings\Sempron\Application Data\Skype

2009-04-12 19:29:44 ----D---- C:\WINDOWS\system32\drivers

2009-04-12 19:29:27 ----D---- C:\Program Files\DNA

2009-04-12 19:28:22 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-04-12 19:21:07 ----D---- C:\WINDOWS\system32

2009-04-12 19:05:37 ----D---- C:\WINDOWS\Prefetch

2009-04-12 19:04:33 ----D---- C:\WINDOWS

2009-04-12 19:04:05 ----D---- C:\Program Files\ESET

2009-04-12 19:02:36 ----SHD---- C:\WINDOWS\Installer

2009-04-12 19:02:30 ----HD---- C:\WINDOWS\inf

2009-04-12 17:18:55 ----D---- C:\Documents and Settings\Sempron\Application Data\skypePM

2009-04-12 17:17:01 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-04-12 16:34:35 ----D---- C:\Program Files\Common Files

2009-04-12 04:36:54 ----D---- C:\Documents and Settings\Sempron\Application Data\BitTorrent

2009-04-12 04:08:56 ----SD---- C:\WINDOWS\Tasks

2009-04-12 01:44:41 ----D---- C:\WINDOWS\Help

2009-04-03 17:40:01 ----D---- C:\Program Files\SA Dictionary 2004 Datacenter

2009-04-02 21:27:40 ----RD---- C:\Program Files\Skype

2009-04-02 21:27:40 ----D---- C:\Documents and Settings\All Users\Application Data\Skype

2009-04-02 16:05:09 ----A---- C:\WINDOWS\NeroDigital.ini

2009-03-29 11:43:18 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]

R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []

R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []

R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2003-07-29 40448]

R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]

R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]

R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-08-23 63232]

R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-08-23 55936]

R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-10-04 3797632]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-10-17 3530880]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]

R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2004-08-04 163584]

R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]

R3 ZSMC301b;Vimicro USB PC Camera (VC0305); C:\WINDOWS\System32\Drivers\usbVM31b.sys [2004-08-17 91263]

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]

S3 se45bus;Sony Ericsson Device 069 driver (WDM); C:\WINDOWS\system32\DRIVERS\se45bus.sys [2006-11-30 61536]

S3 se45mdfl;Sony Ericsson Device 069 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se45mdfl.sys [2006-11-30 9360]

S3 se45mdm;Sony Ericsson Device 069 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se45mdm.sys [2006-11-30 97088]

S3 se45mgmt;Sony Ericsson Device 069 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\se45mgmt.sys [2006-11-30 88624]

S3 se45nd5;Sony Ericsson Device 069 USB Ethernet Emulation SEMC45 (NDIS); C:\WINDOWS\system32\DRIVERS\se45nd5.sys [2006-11-30 18704]

S3 se45obex;Sony Ericsson Device 069 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\se45obex.sys [2006-11-30 86432]

S3 se45unic;Sony Ericsson Device 069 USB Ethernet Emulation SEMC45 (WDM); C:\WINDOWS\system32\DRIVERS\se45unic.sys [2006-11-30 90800]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]

S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-10-17 131139]

R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

S2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe []

S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-11-16 72704]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]

S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-02-06 20680]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-23 654848]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]

S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-26 137200]

S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

B-boy/StyLe/ · Април 12, 2009

Деинсталирай от Control Panel-a => Add/Remove Programs => Spyware Nuker

Изтегли и стартирай HijackThis и избери опцията "Do a system scan only"

Маркирай следните редове и избери Fix Checked:

R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Microsoft WinMgmt] iexplore.exe
O4 - HKLM\..\Run: [internetServiceProvider] ispkey.exe
O4 - HKLM\..\RunServices: [ispkey] \ispkey.exe
O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\system32\iexplore.exe

След това спри временно защитата на антивирусната си програма (ако е стара, неактуална и кракната версия , направо я деинсталирай и нея). След почистването ще сложим нова такава.

Изтегли Combofix и го запази на десктопа.

Въведи следната команда в Start => Run менюто :

"%userprofile%\desktop\combofix.exe" /killall

По време на проверката с инструмента не стартирай други приложения, не натискай клавиши на клавиатурата и не мести мишката. ComboFix ще рестартира системата ти и след това ще създаде текстов (лог) файл. Копирай съдържанието му в следващия си пост. (логът може да бъде намерен и в директорията C:\Combofix.txt).

juli93 · Април 12, 2009

дотук добре, но ми иска някаква промяна на настройки за гугъл, какво да правя, аз го игнорирам, така ли трябва? а пречи ли, че НОД-а го спрях временно, аз си изтеглих по-новата версия, която ти ми каза. а иначе от комбофикса ми излезе това:

ComboFix 09-04-13.01 - Sempron 2009-04-12 21:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.959.603 [GMT 3:00]

Running from: c:\documents and settings\Sempron\desktop\combofix.exe

Command switches used :: /killall

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer

c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.url

c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and Conditions.url

c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Uninstall.lnk

c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk

c:\documents and settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.url

.

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))

.

2009-04-12 17:22 . 2009-04-12 17:22 -------- d-----w C:\rsit

2009-04-12 16:01 . 2009-04-12 16:01 -------- d-----w c:\documents and settings\All Users\Application Data\ESET

2009-04-12 13:35 . 2009-04-12 13:35 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-12 13:35 . 2009-04-12 13:35 -------- d-----w c:\documents and settings\Sempron\Application Data\SUPERAntiSpyware.com

2009-04-12 01:04 . 2009-04-12 01:04 -------- d-----w c:\documents and settings\Sempron\Application Data\Malwarebytes

2009-04-12 01:04 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-12 01:04 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-12 01:04 . 2009-04-12 01:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-11 22:08 . 2009-04-11 22:08 78848 ----a-w C:\lexik 8.doc

2009-04-11 21:53 . 2009-04-11 21:53 -------- d-----w c:\documents and settings\All Users\Application Data\wmp

2009-04-09 16:56 . 2009-04-09 17:02 733786112 ----a-w C:\High School Musical The Concert 2007 XVID [Chinese+English Sub].avi

2009-04-05 12:21 . 2009-04-05 21:13 -------- d-----w C:\Hashove (2009) TVRip.XviD-CoveR

2009-04-02 18:25 . 2009-04-02 18:25 22285608 ----a-w C:\Skype 3.8.0.188.exe

2009-04-01 12:33 . 2009-04-01 12:33 0 ----a-w c:\windows\system32\QuickTime.qtp

2009-03-22 14:05 . 2009-04-02 15:59 -------- d-----w C:\The.Adventures.of.Food.Boy.2008.DVDRip.XviD-BeStDivX

2009-03-22 10:43 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm

2009-03-21 21:50 . 2009-04-02 15:55 -------- d-----w C:\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0-NoPE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-13 18:18 . 2007-01-03 13:06 -------- d-----w c:\documents and settings\Sempron\Application Data\Skype

2009-04-13 18:18 . 2008-03-30 10:34 -------- d-----w c:\documents and settings\Sempron\Application Data\skypePM

2009-04-13 18:17 . 2008-03-22 18:30 -------- d-----w c:\program files\DNA

2009-04-13 18:17 . 2008-03-22 18:30 -------- d-----w c:\documents and settings\Sempron\Application Data\DNA

2009-04-12 18:03 . 2009-04-12 17:22 -------- d-----w c:\program files\trend micro

2009-04-12 16:04 . 2006-12-15 12:19 -------- d-----w c:\program files\ESET

2009-04-12 13:35 . 2009-04-12 13:35 -------- d-----w c:\program files\SUPERAntiSpyware

2009-04-12 13:34 . 2009-04-12 13:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-04-12 01:36 . 2008-03-22 18:30 -------- d-----w c:\documents and settings\Sempron\Application Data\BitTorrent

2009-04-12 01:04 . 2009-04-12 01:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-03 14:40 . 2006-12-15 12:21 -------- d-----w c:\program files\SA Dictionary 2004 Datacenter

2009-04-02 18:27 . 2007-01-03 13:06 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-04-02 18:27 . 2007-01-03 13:05 -------- d-----r c:\program files\Skype

2009-04-02 18:27 . 2009-04-02 18:27 -------- d-----w c:\program files\Common Files\Skype

2009-03-25 21:26 . 2009-03-25 21:26 -------- d-----w c:\program files\URUSoft

2009-03-25 08:51 . 2007-03-18 17:59 8224 -c--a-w c:\documents and settings\Sempron\Application Data\GDIPFONTCACHEV1.DAT

2009-03-22 10:44 . 2009-03-22 10:40 -------- d-----w c:\program files\Image-Line

2009-03-22 10:44 . 2009-03-22 10:44 -------- d-----w c:\program files\ASIO4ALL v2

2009-03-22 10:43 . 2009-03-22 10:43 -------- d-----w c:\program files\VstPlugins

2009-03-22 10:42 . 2009-03-22 10:42 -------- d-----w c:\program files\Outsim

2009-03-02 08:55 . 2009-03-02 08:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-02 08:54 . 2009-03-02 08:54 -------- d-----w c:\program files\MyPhoneExplorer

2009-03-02 08:50 . 2009-03-02 08:50 -------- d-----w c:\documents and settings\Sempron\Application Data\MyPhoneExplorer

2009-03-02 08:46 . 2009-03-02 08:46 -------- d-----w c:\documents and settings\Sempron\Application Data\AD ON Multimedia

2009-03-02 08:35 . 2009-01-02 16:20 -------- d-----w c:\documents and settings\Sempron\Application Data\ImTOO Software Studio

2009-03-02 08:34 . 2007-12-21 13:50 -------- d-----w c:\program files\ImTOO

2009-03-01 12:55 . 2009-03-01 12:53 80860981 ----a-w C:\PhotoshopCS3portable.exe

2009-02-15 13:00 . 2009-02-15 13:00 -------- d-----w c:\program files\VideoCharge Software

2009-02-15 13:00 . 2006-12-15 12:10 -------- d--h--w c:\program files\InstallShield Installation Information

2009-02-15 12:56 . 2009-02-15 12:56 -------- d-----w c:\program files\Ashampoo

2008-03-30 10:34 . 2008-03-30 10:34 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2007-01-03 13:04 . 2007-01-03 13:04 20155344 -c--a-w c:\program files\SkypeSetup.exe

2004-07-26 01:16 . 2009-02-06 21:47 1117491 ----a-w c:\program files\dvdshrink32setup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-17 7307264]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-17 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"BigDogPath"="c:\windows\VM_STI.EXE" [2005-02-28 53248]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

"nwiz"="nwiz.exe" [2005-10-17 c:\windows\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-10-04 c:\windows\soundman.exe]

"Resume copy"="copyfstq.exe" [2006-12-15 c:\windows\copyfstq.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 stfbiy;stfbiy; [x]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]

S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]

S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-TridentVideoIcon - (no file)

HKLM-Run-RegistryMechanic - (no file)

HKLM-Run-Microsoft WinMgmt - iexplore.exe

HKLM-Run-InternetServiceProvider - ispkey.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dir.bg/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {81A3EE1E-ABF8-4F7E-BDAE-19EE9D5268E5} = 83.228.92.1,83.228.92.2

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-13 21:20

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(240)

c:\windows\system32\msi.dll

c:\windows\system32\browselc.dll

c:\program files\Microsoft Office\Office10\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2009-04-13 21:22 - machine was rebooted [sempron]

ComboFix-quarantined-files.txt 2009-04-13 18:22

Pre-Run: 1 989 160 960 bytes free

Post-Run: 1,994,133,504 bytes free

176

B-boy/StyLe/ · Април 12, 2009

Не, не пречи. Стига да е актуална версия и да не са използвани кракове, пачове и фиксове нарушаващи функционалността на софтуера няма да имаш проблеми.

Дори и да не е платена си има достатъчно промоции за легално ползване на програмата, а обновяванията могат да се правят и чрез SMS за сумата от 4.80 лв. на месец (ако не се лъжа).

Така, лога излгежда привидно добре, но аз се съмнявам, че си прихванала малко по-специфична зараза и затова реших да се застраховам.

Отвори Notepad и въведи следната информация с (copy/paste) в бележника:

KILLALL::

Driver::
stfbiy

File::
C:\Windows\system32\iexplore.exe
C:\Windows\system32\isp\4_7_2008.log
C:\Windows\system32\ispkey.exe
C:\Windows\system32\mirc.gid
C:\Windows\system32\msoe.exe
C:\Windows\system32\winp.txt
C:\Windows\system32\skype.vbs
C:\Windows\system32\winampp.exe
C:\Windows\system32\winp.bat
C:\Windows\system32\wsh.vbs
C:\Windows\system32\wsrun.vbs
C:\Windows\system32\xlndrv.exe
C:\Windows\system32\XPregs2.reg
C:\Documents and Settings\Sempron\Start Menu\Programs\Startup\msoe32.lnk
C:\Windows\msagent\mscytc.com
C:\Windows\NR\msoe.dll
C:\Windows\NR\msoe32.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
InternetServiceProvider =-
Microsoft WinMgmt =-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
ispkey =-
Iexplorer =-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1036:UDP"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

sysrst::

Запази файла с име CFScript и го провлачи (drag/drop) с мишката в ComboFix.

http://img522.imageshack.us/img522/482/cfscriptyr1.gif

Сега инструмента ще се задейства още веднъж и ще изпълни зададените му инструкции.

След като завърши ще създаде отново лог файл.

Копирай съдържанието му в следващия си пост.

juli93 · Април 12, 2009

ComboFix 09-04-13.01 - Sempron 2009-04-13 21:49.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.959.513 [GMT 3:00]

Running from: c:\documents and settings\Sempron\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Sempron\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\documents and settings\Sempron\Start Menu\Programs\Startup\msoe32.lnk

c:\windows\msagent\mscytc.com

c:\windows\NR\msoe.dll

c:\windows\NR\msoe32.exe

c:\windows\system32\iexplore.exe

c:\windows\system32\isp\4_7_2008.log

c:\windows\system32\ispkey.exe

c:\windows\system32\mirc.gid

c:\windows\system32\msoe.exe

c:\windows\system32\skype.vbs

c:\windows\system32\winampp.exe

c:\windows\system32\winp.bat

c:\windows\system32\winp.txt

c:\windows\system32\wsh.vbs

c:\windows\system32\wsrun.vbs

c:\windows\system32\xlndrv.exe

c:\windows\system32\XPregs2.reg

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\winp.bat

c:\windows\system32\winp.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_stfbiy