Проблем с вирус на компютъра

[Bibilota]

ComboFix 09-01-21.04 - User4e 2009-01-24 14:20:56.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2047.1567 [GMT 2:00]

Running from: c:\documents and settings\User4e\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User4e\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

 

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\xircom

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\oobe

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\srchasst

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\program files\microsoft frontpage

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\User4e\Application Data\SUPERAntiSpyware.com

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\User4e\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-23 20:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-23 12:02 . 2007-09-19 11:11 1,959,832 -ra------ c:\windows\system32\drivers\RTKVHDA.sys

2009-01-23 11:13 . 2009-01-23 11:13 <DIR> d-------- c:\documents and settings\User4e\Application Data\Leadertech

2009-01-23 11:05 . 2009-01-23 11:05 <DIR> d-------- c:\program files\directx

2009-01-23 10:29 . 2009-01-23 10:29 0 --a------ c:\windows\PowerReg.dat

2009-01-22 16:13 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe

2009-01-22 07:44 . 2009-01-22 18:41 <DIR> d-------- c:\program files\ThreatFire

2009-01-22 07:44 . 2009-01-22 07:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools

2009-01-21 21:41 . 2009-01-22 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:32 . 2009-01-21 21:33 <DIR> d-------- c:\program files\True Sword 5

2009-01-21 21:02 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll

2009-01-21 21:02 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll

2009-01-21 20:42 . 2009-01-21 20:42 <DIR> d-------- c:\documents and settings\User4e\Application Data\True Sword

2009-01-21 18:57 . 2009-01-21 19:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-21 18:57 . 2009-01-21 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-11 19:33 . 2009-01-14 13:36 <DIR> d-------- c:\program files\GRETECH

2009-01-09 09:00 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-09 09:00 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll

2009-01-09 09:00 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-09 09:00 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll

2009-01-09 09:00 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll

2009-01-09 09:00 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-03 00:53 . 2009-01-12 20:19 <DIR> d-------- c:\program files\Google

2008-12-27 13:31 . 2008-12-27 13:31 <DIR> d-------- c:\program files\Neoact

2008-12-27 13:31 . 2007-02-05 13:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-12-27 13:31 . 2008-12-27 13:31 26 --a------ c:\windows\neosetup.INI

2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\VentSrv

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\windows\system32\LogFiles

2008-12-26 15:11 . 2008-12-27 12:48 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-26 15:11 . 2008-12-30 08:52 138,464 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2008-12-26 15:11 . 2008-12-30 08:52 111,928 --a------ c:\windows\system32\PnkBstrB.exe

2008-12-26 15:11 . 2008-12-26 15:11 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2008-12-26 15:11 . 2008-12-27 12:48 22,328 --a------ c:\documents and settings\User4e\Application Data\PnkBstrK.sys

2008-12-25 12:00 . 2008-12-25 12:00 <DIR> d-------- c:\windows\Hired Guns

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-24 12:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-24 09:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-20 19:21 --------- d-----w c:\documents and settings\User4e\Application Data\Skype

2009-01-20 17:47 --------- d-----w c:\documents and settings\User4e\Application Data\skypePM

2009-01-20 11:02 --------- d-----w c:\documents and settings\User4e\Application Data\BSplayer PRO

2009-01-17 13:32 --------- d-----w c:\program files\Mv2Player

2009-01-17 12:12 --------- d-----w c:\program files\ICQToolbar

2009-01-17 11:58 --------- d-----w c:\program files\Winamp

2009-01-14 12:02 --------- d-----w c:\program files\Eset

2009-01-14 11:37 --------- d-----w c:\program files\Nokia

2009-01-11 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite

2009-01-04 17:21 --------- d-----w c:\program files\sms

2008-11-27 16:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-11-27 16:34 --------- d-----w c:\documents and settings\User4e\Application Data\Nokia

2008-11-27 16:32 --------- d-----w c:\documents and settings\User4e\Application Data\PC Suite

2008-11-27 16:28 --------- d-----w c:\program files\PC Connectivity Solution

2008-11-27 16:28 --------- d-----w c:\program files\DIFX

2008-11-27 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations

2008-11-27 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\Installations

2008-03-13 18:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-03-06 15:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-03-17 08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2009-01-24_13.34.03.62 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-24 11:33:20 53,248 ----a-w c:\windows\temp\catchme.dll

+ 2009-01-24 12:22:58 53,248 ----a-w c:\windows\temp\catchme.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 344064]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"DAEMON Tools-1033"="d:\install programs\daemon\daemon.exe" [2003-10-02 81920]

"HotKey"="c:\program files\HotKey\hotkey.exe" [2006-11-03 81920]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-26 949376]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-03-06 131584]

Logitech SetPoint.lnk - d:\install programs\Logitech G3 Software\SetPoint\SetPoint.exe [2008-03-13 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Install Programs\\ICQ\\ICQ.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12177:TCP"= 12177:TCP:BitComet 12177 TCP

"12177:UDP"= 12177:UDP:BitComet 12177 UDP

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

 

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-02 119552]

R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-09-27 5504]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-26 15424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S3 autorun;autorun; [x]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WudfServiceGroup REG_SZ hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,00

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/english

IE: &D&ownload &with BitComet - d:\install programs\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - d:\install programs\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - d:\install programs\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - d:\instal~1\WEBTRA~1\wt2ie.dll

LSP: c:\windows\system32\imon.dll

TCP: {9B994A48-1E82-4C52-8FC0-250730B7AC0F} = 193.200.15.155,193.200.15.156

FF - ProfilePath - c:\documents and settings\User4e\Application Data\Mozilla\Firefox\Profiles\6bzxc9lj.default\

FF - prefs.js: browser.search.selectedEngine - ICQ Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=HWFSSep08FFAB&search=

FF - component: d:\install programs\Mozilla\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 14:22:59

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(748)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(804)

c:\windows\system32\imon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Eset\nod32krn.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-01-24 14:24:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-24 12:24:01

ComboFix2.txt 2009-01-24 11:34:36

 

Pre-Run: 25,164,546,048 bytes free

Post-Run: 25,155,833,856 bytes free

 

213 --- E O F --- 2008-03-16 14:44:47

[B-boy/StyLe/]

Можеш да изтриеш и следната папка (бях забравил да я добавя):

 

Затова един последен скрипт... (не, че не може да се изтрие и ръчно, но трябва да те карам да правиш скритите файлове видим и и т.н.).

 

Отвори Notepad и въведи:

 

Folder::
c:\documents and settings\User4e\Application Data\True Sword

sysrst::

 

Запази файла с име CFScript и отново го провлачи в иконата на Combofix.

 

Сега ще те помоля да архивираш папката C:\Qoobox и да я прикачиш в следващия си пост (или да я качиш на адрес http://www.4storing.com )

 

След това остава само да почистим от Combofix.

 

Отвори Start Menu => Run => въведи => combofix /u

 

http://i86.photobucket.com/albums/k86/alba123_2006/virus%20tool%20pics/combofix20u-1.jpg

 

Няма да е зле да поразчистиш и с CCLeaner (нарочно давам него, а не ATF-Cleaner, защото с него можеш да почистиш и регистрите).

 

Можеш да сложиш следните отметки и да избереш Run Cleaner:

 

http://img525.imageshack.us/img525/5296/11vz0.jpg

 

Почисти и регистрите, като те попита дали искаш да направиш backup, можеш да избереш NO, след това Fix ALL selected issues:

 

http://img525.imageshack.us/img525/6996/22no4.jpg

 

[Bibilota]

ComboFix 09-01-21.04 - User4e 2009-01-24 14:45:53.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2047.1598 [GMT 2:00]

Running from: c:\documents and settings\User4e\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User4e\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\User4e\Application Data\True Sword

 

.

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

 

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\xircom

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\oobe

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\srchasst

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\program files\microsoft frontpage

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\User4e\Application Data\SUPERAntiSpyware.com

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\User4e\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-23 20:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-23 12:02 . 2007-09-19 11:11 1,959,832 -ra------ c:\windows\system32\drivers\RTKVHDA.sys

2009-01-23 11:13 . 2009-01-23 11:13 <DIR> d-------- c:\documents and settings\User4e\Application Data\Leadertech

2009-01-23 11:05 . 2009-01-23 11:05 <DIR> d-------- c:\program files\directx

2009-01-23 10:29 . 2009-01-23 10:29 0 --a------ c:\windows\PowerReg.dat

2009-01-22 16:13 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe

2009-01-22 07:44 . 2009-01-22 18:41 <DIR> d-------- c:\program files\ThreatFire

2009-01-22 07:44 . 2009-01-22 07:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools

2009-01-21 21:41 . 2009-01-22 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:32 . 2009-01-21 21:33 <DIR> d-------- c:\program files\True Sword 5

2009-01-21 21:02 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll

2009-01-21 21:02 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll

2009-01-21 18:57 . 2009-01-21 19:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-21 18:57 . 2009-01-21 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-11 19:33 . 2009-01-14 13:36 <DIR> d-------- c:\program files\GRETECH

2009-01-09 09:00 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-09 09:00 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll

2009-01-09 09:00 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-09 09:00 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll

2009-01-09 09:00 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll

2009-01-09 09:00 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-03 00:53 . 2009-01-12 20:19 <DIR> d-------- c:\program files\Google

2008-12-27 13:31 . 2008-12-27 13:31 <DIR> d-------- c:\program files\Neoact

2008-12-27 13:31 . 2007-02-05 13:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-12-27 13:31 . 2008-12-27 13:31 26 --a------ c:\windows\neosetup.INI

2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\VentSrv

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\windows\system32\LogFiles

2008-12-26 15:11 . 2008-12-27 12:48 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-26 15:11 . 2008-12-30 08:52 138,464 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2008-12-26 15:11 . 2008-12-30 08:52 111,928 --a------ c:\windows\system32\PnkBstrB.exe

2008-12-26 15:11 . 2008-12-26 15:11 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2008-12-26 15:11 . 2008-12-27 12:48 22,328 --a------ c:\documents and settings\User4e\Application Data\PnkBstrK.sys

2008-12-25 12:00 . 2008-12-25 12:00 <DIR> d-------- c:\windows\Hired Guns

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-24 12:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-24 09:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-20 19:21 --------- d-----w c:\documents and settings\User4e\Application Data\Skype

2009-01-20 17:47 --------- d-----w c:\documents and settings\User4e\Application Data\skypePM

2009-01-20 11:02 --------- d-----w c:\documents and settings\User4e\Application Data\BSplayer PRO

2009-01-17 13:32 --------- d-----w c:\program files\Mv2Player

2009-01-17 12:12 --------- d-----w c:\program files\ICQToolbar

2009-01-17 11:58 --------- d-----w c:\program files\Winamp

2009-01-14 12:02 --------- d-----w c:\program files\Eset

2009-01-14 11:37 --------- d-----w c:\program files\Nokia

2009-01-11 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite

2009-01-04 17:21 --------- d-----w c:\program files\sms

2008-11-27 16:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-11-27 16:34 --------- d-----w c:\documents and settings\User4e\Application Data\Nokia

2008-11-27 16:32 --------- d-----w c:\documents and settings\User4e\Application Data\PC Suite

2008-11-27 16:28 --------- d-----w c:\program files\PC Connectivity Solution

2008-11-27 16:28 --------- d-----w c:\program files\DIFX

2008-11-27 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations

2008-11-27 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\Installations

2008-03-13 18:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-03-06 15:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-03-17 08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2009-01-24_13.34.03.62 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-24 11:33:20 53,248 ----a-w c:\windows\temp\catchme.dll

+ 2009-01-24 12:46:36 53,248 ----a-w c:\windows\temp\catchme.dll

.

((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\HideWin.exe

2009-01-23 12:32 315392 {16542E06-83A1-4737-8BEA-76BA5C34B5E0}\RP221\A0077846.exe

2009-01-24 14:01 319488 {16542E06-83A1-4737-8BEA-76BA5C34B5E0}\RP222\A0077847.exe

 

c:\windows\RtlExUpd.dll

2008-08-25 16:17 528384 {16542E06-83A1-4737-8BEA-76BA5C34B5E0}\RP222\A0077848.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 344064]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"DAEMON Tools-1033"="d:\install programs\daemon\daemon.exe" [2003-10-02 81920]

"HotKey"="c:\program files\HotKey\hotkey.exe" [2006-11-03 81920]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-26 949376]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-03-06 131584]

Logitech SetPoint.lnk - d:\install programs\Logitech G3 Software\SetPoint\SetPoint.exe [2008-03-13 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Install Programs\\ICQ\\ICQ.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12177:TCP"= 12177:TCP:BitComet 12177 TCP

"12177:UDP"= 12177:UDP:BitComet 12177 UDP

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

 

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-02 119552]

R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-09-27 5504]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-26 15424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S3 autorun;autorun; [x]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WudfServiceGroup REG_SZ hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,00

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/english

IE: &D&ownload &with BitComet - d:\install programs\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - d:\install programs\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - d:\install programs\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - d:\instal~1\WEBTRA~1\wt2ie.dll

LSP: c:\windows\system32\imon.dll

TCP: {9B994A48-1E82-4C52-8FC0-250730B7AC0F} = 193.200.15.155,193.200.15.156

FF - ProfilePath - c:\documents and settings\User4e\Application Data\Mozilla\Firefox\Profiles\6bzxc9lj.default\

FF - prefs.js: browser.search.selectedEngine - ICQ Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=HWFSSep08FFAB&search=

FF - component: d:\install programs\Mozilla\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 14:46:36

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(748)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(804)

c:\windows\system32\imon.dll

.

Completion time: 2009-01-24 14:47:20

ComboFix-quarantined-files.txt 2009-01-24 12:47:15

ComboFix2.txt 2009-01-24 12:24:08

ComboFix3.txt 2009-01-24 11:34:36

 

Pre-Run: 25,140,248,576 bytes free

Post-Run: 25,131,393,024 bytes free

 

215 --- E O F --- 2008-03-16 14:44:47

Qoobox.rar

[B-boy/StyLe/]

Благодаря за папката Qoobox.

 

Жалко, че е този боклук True Sword 5 е липсвал в Add/Remove Programs.

 

Изтрий и папката = > c:\program files\True Sword 5

 

Деинсталирай Combofix и почисти с CCLeaner.

[Bibilota]

Time Module Object Name Threat Action User Information

2009-01-24 15:14 IMON file http://78.128.18.48:7802/hqpxum a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM

2009-01-24 15:14 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.AA worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

 

 

Кажете пак се появиха

[Maniac]

А Conficker-чето.... Предлагам ти да деинсталираш NOD32 v2 и да си сложиш NOD32 v3/v4, които се справят с него на 100%.

 

Иначе:

 

1. Изтегли следните обновления: MS08-067, MS08-068 и MS09-001.

3. Изтегли: EConfickerRemover

4. Изключи интернета

5. Инсталирай обновленията

6. Стартирай EConfickerRemover и следвай инструкциите

[B-boy/StyLe/]

Ами това лиспваше в логовете...

 

Инсталирай кръпките които е предложил Fixer

 

Сканирай с неговия инструмент и почисти.

 

Ако проблема остане от полза ще ти бъдат и следните тулчета:

 

http://www.malwarebytes.org/forums/index.p...ost&p=49836

 

Успех !