
Problem with Facebook and a page that keeps popping up


The problem is the following:

I received a clip and when I tried to open it, a page loaded with an xxx clip and asked me to install pic uploader.

Now every time I log in to Facebook this clip shows up on my wall, along with a request to install the program.

And the bad part is that it is being forwarded to my friends.

Tell me how to stop this thing.


Download OTL.exe and save it to your desktop.

  • Start OTL (confirm through UAC if necessary).
  • Make the following settings:
  • Tick Scan All Users http://img408.imageshack.us/img408/1442/46625204.png
  • Under the File Age menu select 90 days
  • Under the Standard Registry menu change to ALL
  • Tick LOP and Purity Check

Under http://store.picbg.net/pubpic/0A/C1/c814d031472c0ac1.png, using Copy/Paste, enter the following text in full (only what is inside the box):

netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\Application Data\*.*
%USERPROFILE%\Local Settings\Application Data\*.*
%AllUsersProfile%\*.*
%AllUsersProfile%\Application Data\*.*
%USERPROFILE%\My Documents\*.*
%CommonProgramFiles%\*.*
%PROGRAMFILES%\*.*
%systemroot%\system32\config\systemprofile\*.*
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
%windir%\temp*.*
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_MSIL\*.* /S /MD5
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
/md5start
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
atapi.sys
iaStor.sys
serial.sys
disk.sys
volsnap.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
tcpip.sys
ipsec.sys
hlp.dat
/md5stop

  • Click the button highlighted in blue: Run Scan.
  • When the check completes, two files will be created - OTL.Txt and Extras.Txt. Attach both files to your next comment (see the Attached files option when posting a reply).


Don't rush... analysing the log file takes time... especially on a Sunday evening!

I'm not paid for this, so I'll ask for patience! Thank you!


I don't like something in the log file...

1. Download ComboFix from BleepingComputer

and save it (Save button -> Save as) as ComboFix on your desktop:

http://i46.tinypic.com/2exprgh.jpg

After the ComboFix download finishes, the program's icon should look like this:

http://i46.tinypic.com/29eqjuq.jpg

2. Close all running applications, open windows and programs running in the background. Temporarily disable the real-time protection of your antivirus program and of any other security programs, if present. For that, you can review the information at this link: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

3. Double-click Combofix.exe to start it. Choose YES to accept the program's terms of use. Important: while ComboFix is running, do not move the mouse or press keys on the keyboard. Just patiently let ComboFix do its job without using the computer for anything else.

4. ComboFix will check whether the Windows Recovery Console is installed.

  • If the Windows Recovery Console is installed, ComboFix will continue its work.
  • If the Windows Recovery Console is not installed, you will need to choose YES to install the Windows Recovery Console.

http://i46.tinypic.com/33wr6us.jpg

Note: You need to be connected to the Internet so that the Windows Recovery Console can be downloaded.

After the Windows Recovery Console is installed, confirm with YES to continue. Screenshot:

http://i45.tinypic.com/m9lvnk.jpg

5. ComboFix will temporarily disconnect the Internet connection, but after the program finishes its work the connection will be restored automatically. ComboFix will scan for problems and infected files, which can take some time. Please be patient. If there is a problem with the Internet connection after ComboFix finishes, please read this: Manually restoring the Internet connection section.

Note: If you have problems with ComboFix, Copy and Paste the contents of C:\BUG.txt into your next comment.

6. When ComboFix finishes, a text document (log) will appear in Notepad:

http://i49.tinypic.com/157m978.jpg

Copy and Paste the contents of the log into your next comment.


Here is what came out:


ComboFix 12-02-12.01 - Administrator 02.2012 г. 15:15:24.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.190 [GMT 2:00]

Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\Notification.dll

c:\documents and settings\Administrator\Application Data\rbap550.dll

c:\documents and settings\Administrator\Application Data\RBInternetEncodings550.dll

c:\documents and settings\Administrator\Application Data\RBShell550.dll

c:\documents and settings\Administrator\Application Data\WindowsSecurity.dll

c:\documents and settings\Administrator\Application Data\ZZipUtilitiesV02.dll

c:\documents and settings\All Users\Application Data\TEMP

.

.

((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))

.

.

2012-02-12 18:57 . 2012-02-12 18:57 844 ---ha-w- C:\aaw7boot.cmd

2012-02-12 18:51 . 2012-02-12 18:52 -------- d-----w- c:\program files\SpybotPortable

2012-02-12 16:14 . 2012-02-12 16:14 -------- d-----w- c:\program files\KH Blocker

2012-02-12 15:55 . 2012-02-12 15:55 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2012-02-12 15:50 . 2012-02-12 20:41 -------- dc----w- c:\windows\system32\DRVSTORE

2012-02-12 15:50 . 2012-02-12 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2012-02-12 15:50 . 2012-02-12 15:50 -------- d-----w- c:\program files\Lavasoft

2012-02-12 15:14 . 2012-01-05 18:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94A7E69E-596A-4E83-B0CE-BCAA1132D612}\mpengine.dll

2012-02-12 14:59 . 2012-02-12 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2012-02-12 05:54 . 2012-02-12 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-02-11 15:00 . 2012-02-11 15:00 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-11 11:29 . 2012-02-11 11:29 -------- d-----w- c:\program files\Microsoft.NET

2012-01-15 19:06 . 2012-01-15 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\XBMC

2012-01-15 19:04 . 2012-01-15 19:04 -------- d-----w- c:\program files\XBMC

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-31 12:44 . 2011-05-03 20:11 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-05 18:19 . 2011-05-06 05:17 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-12-26 11:37 . 2011-12-26 11:37 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe

2011-11-25 21:57 . 2007-09-29 14:25 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2007-09-29 14:25 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-19 07:34 . 2011-05-18 05:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-16 14:21 . 2007-09-29 14:24 152064 ----a-w- c:\windows\system32\schannel.dll

2011-11-16 14:21 . 2004-08-04 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll

2012-02-11 18:21 . 2011-09-29 17:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

<pre>
c:\program files\luft4sat.eu\CCcam-info\CCcamInfo V.1.2 .exe
</pre>

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\ServicePackFiles\i386\usp10.dll

[-] 2007-09-29 . A2F03ADFB6C17E732FC42D51352EDCC3 . 502784 . . [1.0626.6000.20581] . . c:\windows\system32\usp10.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-12-14 13:51 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"TaskTray"="" [N/A]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]

"KH Blocker"="c:\program files\KH Blocker\khb.exe" [2007-02-13 3039978]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Documents and Settings\\Administrator\\Desktop\\ПРОГРАМИ\\WinGrabZ.exe"=

"d:\\САТЕЛИТ\\Dreambox 500s\\DCC.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"d:\\САТЕЛИТ\\Dreambox 500s\\dreamset.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\enigma2tool\\enigma2tool.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"10950:TCP"= 10950:TCP:Inhatch P2P Streaming

"10951:TCP"= 10951:TCP:Inhatch P2P Streaming

"10952:TCP"= 10952:TCP:Inhatch P2P Streaming

"10953:TCP"= 10953:TCP:Inhatch P2P Streaming

"49780:UDP"= 49780:UDP:Inhatch P2P Streaming

.

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [04.5.2011 г. 00:30 16640]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [01.8.2011 г. 17:43 691696]

R1 MpKsl3e067377;MpKsl3e067377;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94A7E69E-596A-4E83-B0CE-BCAA1132D612}\MpKsl3e067377.sys [13.2.2012 г. 15:28 29904]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 г. 13:16 130384]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [29.12.2011 г. 19:07 632792]

R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [06.9.2011 г. 12:28 66944]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12.6.2011 г. 10:15 31125880]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09.1.2010 г. 20:37 4640000]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 г. 13:16 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL3E067377

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-13 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 12:39]

.

2012-02-12 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-12-29 08:02]

.

2012-02-13 c:\windows\Tasks\RMSmartUpdate.job

- c:\program files\Registry Mechanic\Update.exe [2011-12-29 11:23]

.

2012-02-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2011-12-14 13:51]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.bg/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.168.1 88.80.96.7

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mkizihfl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.data.bg/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=2&q=

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: nglayout.initialpaint.delay - 50

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-13 15:28

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1417001333-1177238915-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,85,e2,a7,81,0a,8a,4c,89,11,1a,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,84,3d,8b,a8,6c,cc,4e,a7,0b,e6,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,85,e2,a7,81,0a,8a,4c,89,11,1a,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(828)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(4684)

c:\windows\system32\WININET.dll

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

c:\program files\Photodex\ProShowProducer\ScsiAccess.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2012-02-13 15:33:54 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-13 13:33

.

Pre-Run: 35 840 053 248 bytes free

Post-Run: 35 773 956 096 bytes free

.

- - End Of File - - 0B7FE137E553EC2597733983663B668F


*. Open notepad.exe and enter the following information via copy/paste:

RenV::
c:\program files\luft4sat.eu\CCcam-info\CCcamInfo V.1.2 .exe
Fcopy::
c:\windows\ServicePackFiles\i386\usp10.dll | c:\windows\system32\usp10.dll
File::
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
Folder::
c:\program files\Ask.com
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mkizihfl.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=2&q=
RegLock::
[HKEY_USERS\S-1-5-21-1417001333-1177238915-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

*. Save the file with the name CFScript and drag and drop it onto Combofix (as shown in the picture below).

http://img213.imageshack.us/img213/1218/cfscript1.gif

*. While ComboFix is scanning, do not start any other applications, do not press keys on the keyboard and do not move the mouse!

*. When Combofix finishes it will create a log file. Please post that file in your next post.

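The Registry:: block in the script above was written by hand from the "Reg Loading Points" section of the first ComboFix log. As an added example (not part of the thread and not ComboFix's own code), the Python below parses that section from a constructed excerpt in the same shape as the posted log and emits the two deletion forms a CFScript accepts: [-key] for a whole per-component key and "name"=- for a single value in a shared key; the regexes, RegKey class and function names are assumptions of this example.

```python
"""Turn 'Reg Loading Points' entries from a ComboFix log into CFScript Registry:: lines.

Added example, not ComboFix's own code. It assumes the two line shapes seen in the
thread's log: a key in square brackets, followed either by '"name"="data" [date size]'
value lines or, for BHO keys, by a 'date time size attrs path' module line.
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" [2011-06-15 997920]   or   "name"= 1 (0x1)   or   "name"=
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<data>[^"\[]*?)"?\s*(\[[^\]]*\])?$')
# 2011-12-14 13:51 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
MODULE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$')
CLSID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

# Constructed excerpt in the shape of the log posted above (not the full log).
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-12-14 13:51 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-12-14 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"TaskTray"="" [N/A]
"""


@dataclass
class RegKey:
    path: str
    values: list = field(default_factory=list)   # (name, data) pairs
    modules: list = field(default_factory=list)  # module paths listed under a BHO/CLSID key


def parse_reg_points(text):
    """Parse the section into RegKey objects. Lines of other shapes (the REGEDIT4
    header, '.', BootExecute, service entries) are ignored."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegKey(m.group('key'))
            keys.append(current)
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            current.values.append((m.group('name'), m.group('data').strip()))
            continue
        m = MODULE_RE.match(line)
        if m:
            current.modules.append(m.group('path'))
    return keys


def mentions(key, needle):
    """True if the needle (case-insensitive) occurs in the key path, a value name,
    value data or a module path."""
    n = needle.lower()
    return (n in key.path.lower()
            or any(n in p.lower() for p in key.modules)
            or any(n in name.lower() or n in data.lower() for name, data in key.values))


def cfscript_registry(keys, needle):
    """Emit CFScript Registry:: lines for every key that mentions the needle.
    A per-component key (last path element is a CLSID, or the key only lists a
    module) is removed whole with [-key]; in a shared key such as the Run or
    Toolbar key only the matching values are removed with "name"=-."""
    n = needle.lower()
    lines = []
    for key in keys:
        if not mentions(key, needle):
            continue
        last = key.path.rsplit('\\', 1)[-1]
        if CLSID_RE.match(last) or (key.modules and not key.values):
            lines.append('[-%s]' % key.path)
            continue
        hits = [name for name, data in key.values
                if n in name.lower() or n in data.lower()]
        if hits:
            lines.append('[%s]' % key.path)
            lines.extend('"%s"=-' % name for name in hits)
    return lines


if __name__ == '__main__':
    keys = parse_reg_points(SAMPLE_LOG)
    print('\n'.join(cfscript_registry(keys, 'D4027C7F-154A-4066-A1AD-4243D8127440')))
```

Run with the toolbar's CLSID as the needle, the output is the same four lines the helper wrote for the BHO, Toolbar and HKCR clsid keys; the TaskTray value (listed in the log with no target) shows the single-value form.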

ComboFix 12-02-12.01 - Administrator 02.2012 г. 19:40:00.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.218 [GMT 2:00]

Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript .txt.txt

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

FILE ::

"c:\windows\Tasks\Scheduled Update for Ask Toolbar.job"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\Notification.dll

c:\documents and settings\Administrator\Application Data\rbap550.dll

c:\documents and settings\Administrator\Application Data\RBInternetEncodings550.dll

c:\documents and settings\Administrator\Application Data\RBShell550.dll

c:\documents and settings\Administrator\Application Data\WindowsSecurity.dll

c:\documents and settings\Administrator\Application Data\ZZipUtilitiesV02.dll

c:\documents and settings\All Users\Application Data\TEMP

c:\program files\Ask.com

c:\program files\Ask.com\assets\oobe\b.png

c:\program files\Ask.com\assets\oobe\bl.png

c:\program files\Ask.com\assets\oobe\br.png

c:\program files\Ask.com\assets\oobe\l.png

c:\program files\Ask.com\assets\oobe\pointer.png

c:\program files\Ask.com\assets\oobe\r.png

c:\program files\Ask.com\assets\oobe\t.png

c:\program files\Ask.com\assets\oobe\tl.png

c:\program files\Ask.com\assets\oobe\tr.png

c:\program files\Ask.com\cobrand.ico

c:\program files\Ask.com\config.xml

c:\program files\Ask.com\favicon.ico

c:\program files\Ask.com\fv_83.ico

c:\program files\Ask.com\GenericAskToolbar.dll

c:\program files\Ask.com\mupcfg.xml

c:\program files\Ask.com\precache.exe

c:\program files\Ask.com\SaUpdate.exe

c:\program files\Ask.com\Updater\config.xml

c:\program files\Ask.com\Updater\Updater.exe

c:\program files\Ask.com\UpdateTask.exe

c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

.

.

--------------- FCopy ---------------

.

c:\windows\ServicePackFiles\i386\usp10.dll --> c:\windows\system32\usp10.dll

.

((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))

.

.

2012-02-13 17:50 . 2012-02-13 17:50 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{434C6F01-598E-4AAB-B295-F5E28575FBA7}\MpKsl47c1f531.sys

2012-02-13 17:10 . 2012-01-05 18:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{434C6F01-598E-4AAB-B295-F5E28575FBA7}\mpengine.dll

2012-02-12 18:57 . 2012-02-12 18:57 844 ---ha-w- C:\aaw7boot.cmd

2012-02-12 18:51 . 2012-02-12 18:52 -------- d-----w- c:\program files\SpybotPortable

2012-02-12 16:14 . 2012-02-12 16:14 -------- d-----w- c:\program files\KH Blocker

2012-02-12 15:55 . 2012-02-12 15:55 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2012-02-12 15:50 . 2012-02-12 20:41 -------- dc----w- c:\windows\system32\DRVSTORE

2012-02-12 15:50 . 2012-02-12 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2012-02-12 15:50 . 2012-02-12 15:50 -------- d-----w- c:\program files\Lavasoft

2012-02-12 14:59 . 2012-02-12 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2012-02-12 05:54 . 2012-02-12 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-02-11 15:00 . 2012-02-11 15:00 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-11 11:29 . 2012-02-11 11:29 -------- d-----w- c:\program files\Microsoft.NET

2012-01-15 19:06 . 2012-01-15 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\XBMC

2012-01-15 19:04 . 2012-01-15 19:04 -------- d-----w- c:\program files\XBMC

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-31 12:44 . 2011-05-03 20:11 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-05 18:19 . 2011-05-06 05:17 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-12-26 11:37 . 2011-12-26 11:37 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe

2011-11-25 21:57 . 2007-09-29 14:25 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2007-09-29 14:25 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-19 07:34 . 2011-05-18 05:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-16 14:21 . 2007-09-29 14:24 152064 ----a-w- c:\windows\system32\schannel.dll

2011-11-16 14:21 . 2004-08-04 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll

2012-02-11 18:21 . 2011-09-29 17:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-02-13_13.27.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-02-13 17:06 . 2012-02-13 17:06 35328 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Pres#\f45abd2caa9f93bb60ce92de6a885d6e\System.Windows.Presentation.ni.dll

+ 2012-02-13 17:05 . 2012-02-13 17:05 24064 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\3447b1ea4537dd7a1b7796efb935f4b0\System.Web.Routing.ni.dll

+ 2007-09-29 14:49 . 2008-04-14 00:12 406016 c:\windows\system32\dllcache\usp10.dll

+ 2012-02-13 17:07 . 2012-02-13 17:07 404480 c:\windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\ecb0328b918c4a5adfbd83c946e0e196\XamlBuildTask.ni.dll

+ 2012-02-13 17:07 . 2012-02-13 17:07 252416 c:\windows\assembly\NativeImages_v4.0.30319_32\WindowsFormsIntegra#\b18816abd9dd59ca3f1d682a756e5745\WindowsFormsIntegration.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 482816 c:\windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\ee096062554a6344a49083910c0af16e\UIAutomationClient.ni.dll

+ 2012-02-13 17:05 . 2012-02-13 17:05 194048 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Form#\a863e081c9bcbaec568abe127fb1dbe3\System.Windows.Forms.DataVisualization.Design.ni.dll

+ 2012-02-13 17:04 . 2012-02-13 17:04 864256 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Extensio#\8df52ddecec26752d703df9d12236688\System.Web.Extensions.Design.ni.dll

+ 2012-02-13 17:07 . 2012-02-13 17:07 646656 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\344c1e000e4158cc37a5e9068e095d40\System.Transactions.ni.dll

- 2012-02-13 13:25 . 2012-02-13 13:25 646656 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\344c1e000e4158cc37a5e9068e095d40\System.Transactions.ni.dll

+ 2012-02-13 17:07 . 2012-02-13 17:07 236032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\a2baf116d3055aadb99b77e327a74907\System.EnterpriseServices.Wrapper.dll

- 2012-02-13 13:25 . 2012-02-13 13:25 236032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\a2baf116d3055aadb99b77e327a74907\System.EnterpriseServices.Wrapper.dll

- 2012-02-13 13:25 . 2012-02-13 13:25 786944 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\a2baf116d3055aadb99b77e327a74907\System.EnterpriseServices.ni.dll

+ 2012-02-13 17:07 . 2012-02-13 17:07 786944 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\a2baf116d3055aadb99b77e327a74907\System.EnterpriseServices.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 1057792 c:\windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClients#\0d8b512be71d0a491131dac4bada85cf\UIAutomationClientsideProviders.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 1208320 c:\windows\assembly\NativeImages_v4.0.30319_32\System.WorkflowServ#\8cd2807d50c15dc7d4dc310407fafe72\System.WorkflowServices.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 1969152 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Workflow.Run#\4aac053a6c7c2a0f21903f3ded15ed62\System.Workflow.Runtime.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 4461568 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Workflow.Com#\45b3e62f518b41959dc57f78d303c7d2\System.Workflow.ComponentModel.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 2871808 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Workflow.Act#\efbaa12cf2e60ab74689afa58e80dc3c\System.Workflow.Activities.ni.dll

+ 2012-02-13 17:05 . 2012-02-13 17:05 4545024 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Form#\ee16a1514cffb8d75d96c2d3a182732a\System.Windows.Forms.DataVisualization.ni.dll

+ 2012-02-13 17:05 . 2012-02-13 17:05 1897472 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\c6516ac5143b590c0b4a4e4206921345\System.Web.Services.ni.dll

- 2012-02-13 13:21 . 2012-02-13 13:21 1897472 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\c6516ac5143b590c0b4a4e4206921345\System.Web.Services.ni.dll

+ 2012-02-13 17:04 . 2012-02-13 17:04 2334720 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\49b986837197982c6ffb3654b4efeb98\System.Web.Mobile.ni.dll

+ 2012-02-13 17:07 . 2012-02-13 17:07 6798336 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data\494945003f729a5d6ec21324dff8c7b9\System.Data.ni.dll

- 2012-02-13 13:25 . 2012-02-13 13:25 6798336 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data\494945003f729a5d6ec21324dff8c7b9\System.Data.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 1193984 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data.OracleC#\9d1b8d3b4009e1006852a61c281e53b2\System.Data.OracleClient.ni.dll

- 2012-02-13 13:24 . 2012-02-13 13:24 1193984 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data.OracleC#\9d1b8d3b4009e1006852a61c281e53b2\System.Data.OracleClient.ni.dll

- 2012-02-13 13:25 . 2012-02-13 13:25 12076032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web\022bb29a475db0110dfa955f319b7f07\System.Web.ni.dll

+ 2012-02-13 17:06 . 2012-02-13 17:06 12076032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web\022bb29a475db0110dfa955f319b7f07\System.Web.ni.dll

- 2012-02-13 13:05 . 2012-02-13 13:05 17996800 c:\windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\8f98e8e2739c6887f5721b8482767479\System.ServiceModel.ni.dll

+ 2012-02-13 17:04 . 2012-02-13 17:04 17996800 c:\windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\8f98e8e2739c6887f5721b8482767479\System.ServiceModel.ni.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]

"KH Blocker"="c:\program files\KH Blocker\khb.exe" [2007-02-13 3039978]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Documents and Settings\\Administrator\\Desktop\\ПРОГРАМИ\\WinGrabZ.exe"=

"d:\\САТЕЛИТ\\Dreambox 500s\\DCC.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"d:\\САТЕЛИТ\\Dreambox 500s\\dreamset.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\enigma2tool\\enigma2tool.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"10950:TCP"= 10950:TCP:Inhatch P2P Streaming

"10951:TCP"= 10951:TCP:Inhatch P2P Streaming

"10952:TCP"= 10952:TCP:Inhatch P2P Streaming

"10953:TCP"= 10953:TCP:Inhatch P2P Streaming

"49780:UDP"= 49780:UDP:Inhatch P2P Streaming

.

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [04.5.2011 г. 00:30 16640]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [01.8.2011 г. 17:43 691696]

R1 MpKsl47c1f531;MpKsl47c1f531;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{434C6F01-598E-4AAB-B295-F5E28575FBA7}\MpKsl47c1f531.sys [13.2.2012 г. 19:50 29904]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [29.12.2011 г. 19:07 632792]

R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [06.9.2011 г. 12:28 66944]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 г. 13:16 130384]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12.6.2011 г. 10:15 31125880]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09.1.2010 г. 20:37 4640000]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 г. 13:16 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL47C1F531

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-13 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 12:39]

.

2012-02-13 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-12-29 08:02]

.

2012-02-13 c:\windows\Tasks\RMSmartUpdate.job

- c:\program files\Registry Mechanic\Update.exe [2011-12-29 11:23]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.bg/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.168.1 88.80.96.7

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mkizihfl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.data.bg/

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: nglayout.initialpaint.delay - 50

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-TaskTray - (no file)

AddRemove-{79A765E1-C399-405B-85AF-466F52E918B0} - c:\program files\Ask.com\Updater\Updater.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-13 19:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(7676)

c:\windows\system32\WININET.dll

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

c:\program files\Photodex\ProShowProducer\ScsiAccess.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2012-02-13 19:57:48 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-13 17:57

ComboFix2.txt 2012-02-13 13:33

.

Pre-Run: 35 544 014 848 bytes free

Post-Run: 35 536 338 944 bytes free

.

- - End Of File - - E9C1947234E5918BF5F02C3D793A4F7A


Very good... the log file is clean.

Are there any problems with Windows now?

Let's do two final control checks:

STEP 1

  • Download Malwarebytes' Anti-Malware from here and install it.
  • Start Malwarebytes' Anti-Malware, go to UPDATE and click Check for updates.
  • Then go back to Scanner, select Perform QUICK Scan, and then click Scan.
  • The scan will take some time, so please be patient.
  • When the scan finishes, click OK, then Show Results to see the results.
  • Make sure every line is checked, and click Remove Selected.
  • When everything has been removed, the log will open in Notepad. Copy the log and post it in your next reply in the thread.

Note: If MalwareBytes' Anti-Malware has difficulty removing the detected viruses/threats, it will ask to restart the computer and remove the problematic viruses/threats during the restart. If asked, confirm that you want your computer to be restarted.

STEP 2

Please download aswMBR and save it to your desktop.

  • Double-click the aswMBR.exe file to start it.
  • Wait for it to download the avast! definitions.
  • From the drop-down menu, select drive C:\ as shown in the picture:

http://img843.imageshack.us/img843/9021/unledyfm.png

  • Click the Scan button to start the check.
  • When the check finishes, click the save log button, save the log file contents to the desktop and post its contents in your next reply.

Then tell us how the machine is doing.


Here is the log

from ASW.

There were 2 lines in yellow and one in red.

 

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software

Run date: 2012-02-13 20:49:53

-----------------------------

20:49:53.359 OS Version: Windows 5.1.2600 Service Pack 3

20:49:53.359 Number of processors: 1 586 0x2C02

20:49:53.359 ComputerName: USER-5397AF994D UserName: Administrator

20:49:54.453 Initialize success

20:57:15.359 AVAST engine defs: 12021301

20:59:18.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000062

20:59:18.828 Disk 0 Vendor: ST3160215A 3.AAD Size: 152627MB BusType: 3

20:59:18.859 Disk 0 MBR read successfully

20:59:18.859 Disk 0 MBR scan

20:59:20.718 Disk 0 Windows XP default MBR code

20:59:20.734 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51207 MB offset 63

20:59:22.156 Disk 0 Partition - 00 05 Extended 101418 MB offset 104872320

20:59:22.171 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 93220 MB offset 104872383

20:59:22.453 Disk 0 Partition - 00 05 Extended 8189 MB offset 295788780

20:59:22.484 Disk 0 scanning sectors +312576705

20:59:23.000 Disk 0 scanning C:\WINDOWS\system32\drivers

21:00:10.203 Service scanning

21:00:12.156 Service MpKsl47c1f531 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{434C6F01-598E-4AAB-B295-F5E28575FBA7}\MpKsl47c1f531.sys **LOCKED** 32

21:00:12.781 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32

21:00:13.531 Modules scanning

21:00:33.265 Disk 0 trace - called modules:

21:00:33.281 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvatabus.sys spbq.sys >>UNKNOWN [0x82591938]<<

21:00:33.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82524ab8]

21:00:33.281 3 CLASSPNP.SYS[f8685fd7] -> nt!IofCallDriver -> \Device\00000064[0x8251eb10]

21:00:33.296 5 ACPI.sys[f8431620] -> nt!IofCallDriver -> \Device\00000062[0x82525030]

21:00:34.406 AVAST engine scan C:\

21:04:23.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"

21:04:23.812 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
