
Virus problem on the computer



Malwarebytes' Anti-Malware 1.33

Database version: 1687

Windows 5.1.2600 Service Pack 2

 

24.1.2009 г. 11:10:19

mbam-log-2009-01-24 (11-10-19).txt

 

Scan type: Quick Scan

Objects scanned: 54547

Time elapsed: 3 minute(s), 15 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

and the SysInspector file is attached.

 

Tell me what to do about these viruses?

SysInspector_UNKNOWN_8D23467_090124_1111.zip


This is the last one.

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/24/2009 at 12:00 PM

 

Application Version : 4.25.1012

 

Core Rules Database Version : 3725

Trace Rules Database Version: 1699

 

Scan type : Quick Scan

Total Scan Time : 00:18:46

 

Memory items scanned : 207

Memory threats detected : 0

Registry items scanned : 371

Registry threats detected : 0

File items scanned : 8113

File threats detected : 19

 

Adware.Tracking Cookie

C:\Documents and Settings\User4e\Cookies\user4e@doubleclick[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@atdmt[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@apmebf[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@mediaplex[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@te.kontera[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@fastclick[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@kontera[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@ad.yieldmanager[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@clickaider[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@casalemedia[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@2o7[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@www.googleadservices[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@stat.dealtime[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@atwola[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@dealtime[1].txt

C:\Documents and Settings\User4e\Cookies\user4e@imrworldwide[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@enhance[2].txt

C:\Documents and Settings\User4e\Cookies\user4e@statcounter[1].txt

 

Adware.Vundo/Variant-MSFake

C:\INSTALL\DOTNET2.EXE

mbam_log_2009_01_24__11_55_05_.txt

SysInspector_UNKNOWN_8D23467_090124_1144.zip


1. Disable System Restore:

Right-click My Computer -> Properties -> "System Restore" tab. Tick Turn off System Restore and confirm with Apply. Now untick Turn off System Restore and confirm with OK.

2. Clean the temporary files:

1. Download the program from http://www.atribune.org/ccount/click.php?id=1

2. Save it anywhere.

3. Run the file with administrator rights (no installation needed).

4. Tick everything except Prefetch.

5. Choose Empty Selected

3. Boot into Safe Mode:

To enter Safe Mode, keep pressing F8 while the computer is starting, before the Windows logo appears.

The Windows Advanced Options Menu will open with quite a few options; choose one of the "Safe ..." options, in this case Safe Mode.

4. Scan with NOD32, after first making sure your settings match these: here.

If that doesn't work, do the following:

1. Download ComboFix

2. Save it to the desktop

3. Go to Start -> Run... and enter the following command, followed by OK:

"%userprofile%\desktop\combofix.exe" /killall

4. When the program finishes, Notepad will open; copy its contents and paste them in your next post here.


ComboFix 09-01-21.04 - User4e 2009-01-24 13:30:56.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2047.1696 [GMT 2:00]

Running from: c:\documents and settings\User4e\desktop\combofix.exe

Command switches used :: /killall

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

 

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\xircom

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\oobe

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\srchasst

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\program files\microsoft frontpage

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\User4e\Application Data\SUPERAntiSpyware.com

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\User4e\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-23 20:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-23 12:02 . 2007-09-19 11:11 1,959,832 -ra------ c:\windows\system32\drivers\RTKVHDA.sys

2009-01-23 11:13 . 2009-01-23 11:13 <DIR> d-------- c:\documents and settings\User4e\Application Data\Leadertech

2009-01-23 11:05 . 2009-01-23 11:05 <DIR> d-------- c:\program files\directx

2009-01-23 10:29 . 2009-01-23 10:29 0 --a------ c:\windows\PowerReg.dat

2009-01-22 16:13 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe

2009-01-22 07:44 . 2009-01-22 18:41 <DIR> d-------- c:\program files\ThreatFire

2009-01-22 07:44 . 2009-01-22 07:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools

2009-01-21 21:41 . 2009-01-22 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:32 . 2009-01-21 21:33 <DIR> d-------- c:\program files\True Sword 5

2009-01-21 21:02 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll

2009-01-21 21:02 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll

2009-01-21 20:42 . 2009-01-21 20:42 <DIR> d-------- c:\documents and settings\User4e\Application Data\True Sword

2009-01-21 18:57 . 2009-01-21 19:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-21 18:57 . 2009-01-21 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-11 19:33 . 2009-01-14 13:36 <DIR> d-------- c:\program files\GRETECH

2009-01-09 09:00 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-09 09:00 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll

2009-01-09 09:00 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-09 09:00 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll

2009-01-09 09:00 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll

2009-01-09 09:00 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-03 00:53 . 2009-01-12 20:19 <DIR> d-------- c:\program files\Google

2008-12-27 13:31 . 2008-12-27 13:31 <DIR> d-------- c:\program files\Neoact

2008-12-27 13:31 . 2007-02-05 13:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-12-27 13:31 . 2008-12-27 13:31 26 --a------ c:\windows\neosetup.INI

2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\VentSrv

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\windows\system32\LogFiles

2008-12-26 15:11 . 2008-12-27 12:48 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-26 15:11 . 2008-12-30 08:52 138,464 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2008-12-26 15:11 . 2008-12-30 08:52 111,928 --a------ c:\windows\system32\PnkBstrB.exe

2008-12-26 15:11 . 2008-12-26 15:11 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2008-12-26 15:11 . 2008-12-27 12:48 22,328 --a------ c:\documents and settings\User4e\Application Data\PnkBstrK.sys

2008-12-25 12:00 . 2008-12-25 12:00 <DIR> d-------- c:\windows\Hired Guns

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-24 09:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-23 10:33 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-23 10:32 315,392 ----a-w c:\windows\HideWin.exe

2009-01-20 19:21 --------- d-----w c:\documents and settings\User4e\Application Data\Skype

2009-01-20 17:47 --------- d-----w c:\documents and settings\User4e\Application Data\skypePM

2009-01-20 11:02 --------- d-----w c:\documents and settings\User4e\Application Data\BSplayer PRO

2009-01-17 13:32 --------- d-----w c:\program files\Mv2Player

2009-01-17 12:12 --------- d-----w c:\program files\ICQToolbar

2009-01-17 11:58 --------- d-----w c:\program files\Winamp

2009-01-14 12:02 --------- d-----w c:\program files\Eset

2009-01-14 11:37 --------- d-----w c:\program files\Nokia

2009-01-11 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite

2009-01-04 17:21 --------- d-----w c:\program files\sms

2008-11-27 16:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-11-27 16:34 --------- d-----w c:\documents and settings\User4e\Application Data\Nokia

2008-11-27 16:32 --------- d-----w c:\documents and settings\User4e\Application Data\PC Suite

2008-11-27 16:28 --------- d-----w c:\program files\PC Connectivity Solution

2008-11-27 16:28 --------- d-----w c:\program files\DIFX

2008-11-27 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations

2008-11-27 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\Installations

2008-03-13 18:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-03-06 15:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-03-17 08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 344064]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"DAEMON Tools-1033"="d:\install programs\daemon\daemon.exe" [2003-10-02 81920]

"HotKey"="c:\program files\HotKey\hotkey.exe" [2006-11-03 81920]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-26 949376]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2007-12-07 c:\windows\system32\advpack.dll]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-03-06 131584]

Logitech SetPoint.lnk - d:\install programs\Logitech G3 Software\SetPoint\SetPoint.exe [2008-03-13 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Install Programs\\ICQ\\ICQ.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12177:TCP"= 12177:TCP:BitComet 12177 TCP

"12177:UDP"= 12177:UDP:BitComet 12177 UDP

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

 

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-02 119552]

R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-09-27 5504]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-26 15424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WudfServiceGroup REG_SZ hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,00

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/english

IE: &D&ownload &with BitComet - d:\install programs\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - d:\install programs\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - d:\install programs\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - d:\instal~1\WEBTRA~1\wt2ie.dll

LSP: c:\windows\system32\imon.dll

TCP: {9B994A48-1E82-4C52-8FC0-250730B7AC0F} = 193.200.15.155,193.200.15.156

FF - ProfilePath - c:\documents and settings\User4e\Application Data\Mozilla\Firefox\Profiles\6bzxc9lj.default\

FF - prefs.js: browser.search.selectedEngine - ICQ Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=HWFSSep08FFAB&search=

FF - component: d:\install programs\Mozilla\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 13:33:21

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]

"ImagePath"="\??\C:\huadio.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00,79,00,73,00,00,00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(752)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(808)

c:\windows\system32\imon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Eset\nod32krn.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-01-24 13:34:35 - machine was rebooted [user4e]

ComboFix-quarantined-files.txt 2009-01-24 11:34:30

 

Pre-Run: 25,185,214,464 bytes free

Post-Run: 25,176,813,568 bytes free

 

212 --- E O F --- 2008-03-16 14:44:47

 

c:\windows\HideWin.exe

c:\documents and settings\All Users\Application Data\ezsid.dat

 

 

Here's what it gave me

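The ComboFix log above is where the actual finding sits: a service named autorun whose image is \??\c:\huadio.tmp and is reported as not present on disk ([?]), next to a standard-profile firewall policy with EnableFirewall = 0. As an added example (not ComboFix output and not code from any poster in this thread), the Python below parses the R*/S* driver lines and the firewall flag out of a log in this format and lists the entries a reviewer would look at first. The sample input is a constructed excerpt in the shape of the log above, and the path heuristics (drive root, .tmp extension, image outside Windows or Program Files) are assumptions of this example, not ComboFix rules.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code)."""
import re
from typing import Dict, List

# Constructed sample: a handful of lines excerpted in the shape of the ComboFix log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-02 119552]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-26 15424]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
"""

# Driver/service lines look like "R0 name;display;path [date size]".
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Trailing bracket holds "date size" for a file that exists, or "?" when it was not on disk.
META_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')

# Assumption of this example: a kernel driver is expected to live under one of these prefixes.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_services(log_text: str) -> List[Dict[str, object]]:
    """Return one record per R*/S* driver line found in the log."""
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # ComboFix prints "raw --> resolved" when the registry path uses the \??\ device form.
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        meta = META_RE.match(rest)
        path, info = (meta.group("path"), meta.group("meta")) if meta else (rest, "")
        records.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "path": path.lower().replace("\\??\\", ""),
            "missing": info.strip() == "?",
        })
    return records


def suspicious(rec: Dict[str, object]) -> List[str]:
    """Reasons a driver line deserves a closer look; an empty list means nothing stood out."""
    reasons: List[str] = []
    path = str(rec["path"])
    if rec["missing"]:
        reasons.append("image missing on disk")
    if path.endswith(".tmp"):
        reasons.append("driver image has a .tmp extension")
    # Strip "c:\" and see whether any directory component remains.
    body = path[3:] if re.match(r"^[a-z]:\\", path) else path
    if "\\" not in body:
        reasons.append("image lives in the drive root")
    if not path.startswith(EXPECTED_DIRS):
        reasons.append("image outside Windows / Program Files")
    return reasons


def firewall_disabled(log_text: str) -> bool:
    """True when the standard-profile firewall policy in the log shows EnableFirewall = 0."""
    return FIREWALL_OFF_RE.search(log_text) is not None


def triage(log_text: str) -> Dict[str, object]:
    """Summarise the flagged services and firewall state for a whole log."""
    flagged = {str(r["name"]): suspicious(r) for r in parse_services(log_text)}
    return {
        "flagged_services": {name: why for name, why in flagged.items() if why},
        "firewall_disabled": firewall_disabled(log_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed sample only the autorun service is flagged (missing image, .tmp extension, drive root, outside the expected directories) and the firewall is reported as disabled, which is exactly the pair of items the helper's CFScript and a later firewall check would need to address.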

I think everything is cleaned up now. I scanned with Nod32 and it didn't find any viruses anymore.

 

Thank you very much, Maniac.

c:\windows\HideWin.exe

c:\documents and settings\All Users\Application Data\ezsid.dat

 

Do you think everything is cleaned up now?

And the thing I'm supposed to attach to my post - was it supposed to go in the previous one?


There's no such program in Control Panel

 

The mistake was mine => I had written IceSword (which is a nice little anti-rootkit program) => I meant True Sword 5 (junk, and paid junk at that) :)

 

The script has been corrected. Please run it again (if you already ran it in its previous form):

Open Notepad and enter:

 

KillAll::
Rootkit::
c:\huadio.tmp

Folder::
c:\program files\True Sword 5
c:\documents and settings\User4e\Application Data\True Sword

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-
"nltide_3"=-
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\autorun]
"ImagePath"=-

 

Save the file as CFScript.txt and drag it with the mouse onto the ComboFix icon:

http://img522.imageshack.us/img522/482/cfscriptyr1.gif

 

Post the new log file in your next post. Thanks! :)

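Before running a removal script like the CFScript above, it is worth confirming that every path and registry value it deletes is actually evidenced by the log that justified it, so a typo does not remove something unrelated. The Python below is an added example of that cross-check, not part of ComboFix and not code from the helper's post: it splits the script into its Section:: blocks, then looks for each Rootkit::/Folder::/File:: path and each Registry:: key and value in a constructed excerpt of the ComboFix log above. The case-insensitive substring match is an assumption of this example, not something ComboFix itself does.

```python
"""Cross-check a CFScript against the log it was written from (added example)."""
import re
from typing import Dict, List, Tuple

# The script posted above, used here as the input under test.
CFSCRIPT = r"""KillAll::
Rootkit::
c:\huadio.tmp

Folder::
c:\program files\True Sword 5
c:\documents and settings\User4e\Application Data\True Sword

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-
"nltide_3"=-
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\autorun]
"ImagePath"=-
"""

# Constructed excerpt of the ComboFix log above: only the lines the script relies on.
LOG_EXCERPT = r"""
2009-01-21 21:32 . 2009-01-21 21:33 <DIR> d-------- c:\program files\True Sword 5
2009-01-21 20:42 . 2009-01-21 20:42 <DIR> d-------- c:\documents and settings\User4e\Application Data\True Sword
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2007-12-07 c:\windows\system32\advpack.dll]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\C:\huadio.tmp"
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [body lines]}; a bare 'KillAll::' has an empty body."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_targets(lines: List[str]) -> List[Tuple[str, str]]:
    """Expand a Registry:: body into (key, value name) pairs; '=-' lines delete the value."""
    targets: List[Tuple[str, str]] = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                targets.append((key, m.group(1)))
    return targets


def unevidenced(script_text: str, log_text: str) -> List[str]:
    """Return script targets that never appear in the log (case-insensitive substring check)."""
    log = log_text.lower()
    sections = parse_cfscript(script_text)
    missing: List[str] = []
    for section in ("Rootkit", "Folder", "File"):
        for path in sections.get(section, []):
            if path.lower() not in log:
                missing.append(f"{section}:: {path}")
    for key, value in registry_targets(sections.get("Registry", [])):
        if f"[{key.lower()}]" not in log:
            missing.append(f"Registry:: [{key}]")
        elif f'"{value.lower()}"=' not in log:
            missing.append(f'Registry:: [{key}] "{value}"')
    return missing


if __name__ == "__main__":
    problems = unevidenced(CFSCRIPT, LOG_EXCERPT)
    print("all targets evidenced" if not problems else "\n".join(problems))
```

For the script and log above every target is accounted for, so the check returns an empty list; adding a Folder:: line that the log never mentions makes it show up in the result, which is the case the check exists for.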
