
I have the same problem and I've been trying to remove it for 6 hours :(

So I tried with lots of programs... I just don't know what to do anymore... Please, can someone help me.

Here are the logs:

MBAM

Malwarebytes' Anti-Malware 1.30
Database version: 1434
Windows 5.1.2600 Service Pack 2

29.11.2008 г. 21:33:23
mbam-log-2008-11-29 (21-33-23).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 131443
Time elapsed: 1 hour(s), 50 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{8dfe3882-5474-4010-bf17-544d1d390117} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fef72f04-58f1-433f-8b51-4c6e85b4605b} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SoftLand Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.


Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 23:33:51, on 29.11.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\alabala.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://quicktimepro.apple.com/?country=BG&...ersion=07038000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 212.214.41.186 test.managerzone.com
O1 - Hosts: 212.214.41.186 test.managerzone.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
O2 - BHO: Almsms - {E9B5BA28-C732-49DC-94CE-9079F7F75F4E} - C:\WINDOWS\system32\avt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [bigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Е&кспортирай в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:\Program Files\Download Master\dmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:\Program Files\Download Master\dmie.htm
O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://212.214.41.186/applet/PowerLoader.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA25DDE-6572-4A8A-8091-DA0F655B1122}: NameServer = 83.222.161.130,83.222.161.131
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


FixIEDef

Created at 23:04:00 on Saturday, November 29, 2008

Time Zone : (GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius

Logged On User : Administrator

Operating System : Microsoft Windows XP Professional Service Pack 2
OS Version : 5.1.2600
System Langauge : English (United States)
Keyboard Layout : English (United States)
Processor : X86 Intel® Pentium® 4 CPU 1.60GHz

System Drive : C:\
Windows Directory : C:\WINDOWS
System Directory : C:\WINDOWS\system32

System Drive Type : Fixed
System Drive Status : READY
System Drive Label : Warning
System Drive Size : 12 GB
System Drive Free : 1.59 GB

Total Physical Memory: 511 MB
Free Physical Memory : 257 MB
Total Page File : 511 MB
Free Page File : 814 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory : 1971 MB

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\drv2.dll
C:\WINDOWS\system32\drv1.dll
C:\WINDOWS\system32\drvc.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind "comment2"

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!


Put a check mark next to the following items and hit Fix checked:

O1 - Hosts: 212.214.41.186 test.managerzone.com
O1 - Hosts: 212.214.41.186 test.managerzone.com
O2 - BHO: Almsms - {E9B5BA28-C732-49DC-94CE-9079F7F75F4E} - C:\WINDOWS\system32\avt.dll
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://212.214.41.186/applet/PowerLoader.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

Otherwise you can also scan with SUPERAntiSpyware Free.

To that I would add ComboFix:

1) download and run it;
2) wait for it to unpack and confirm with Yes on the two windows;
3) wait for the whole scan to finish and do not click in the window;
4) once everything has finished, the program will close itself and a report will be created (C:\ComboFix.txt);
5) restart the computer.

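Added example, not from this thread, HijackThis or any tool mentioned in it: a small Python triage that applies the kind of reasoning behind the reply above to raw HijackThis lines, flagging hosts overrides that point away from loopback, BHOs loading from the Windows system directory, and O16 ActiveX downloads, with a bare-IP download host rated highest. The severity labels and rules are my own assumptions; the sample lines are copied from the log posted above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a few HijackThis lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 212.214.41.186 test.managerzone.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Almsms - {E9B5BA28-C732-49DC-94CE-9079F7F75F4E} - C:\WINDOWS\system32\avt.dll
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://212.214.41.186/applet/PowerLoader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
""".strip()

LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")   # "O16 - <body>"

def triage_line(line):
    """Return (severity, reason) for one line, or None when nothing stands out.
    The rules are this example's own heuristics, not HijackThis logic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O1":
        # "Hosts: <ip> <name>": any non-loopback target silently redirects that name
        ip, name = body.split(":", 1)[1].split()[:2]
        if not ip_address(ip).is_loopback:
            return ("high", f"hosts override sends {name} to {ip}")
    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if path == "(no file)":
            return ("low", "orphaned BHO registration")
        if "\\windows\\system32\\" in path.lower():   # legitimate BHOs rarely live there
            return ("high", f"BHO loads {path} from the system directory")
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = urlsplit(url).hostname or ""
        try:
            ip_address(host)                       # bare-IP download host, no DNS name at all
            return ("high", f"ActiveX control fetched from bare IP {host}")
        except ValueError:
            return ("review", f"downloaded ActiveX control from {host}")
    return None

def triage_log(text):
    """Return [(section, severity, reason), ...] for every flagged line."""
    hits = ((line.split(" - ", 1)[0], triage_line(line)) for line in text.splitlines())
    return [(section, *hit) for section, hit in hits if hit]
```

Run over the sample it flags the same four entries the reply picked out (both hosts lines, avt.dll, PowerLoader) and leaves the Adobe BHO and the ESET service alone, while the MSN O16 entry is only marked for review.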