
Problem with a virus on the computer



ComboFix 09-01-21.04 - User4e 2009-01-24 14:20:56.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2047.1567 [GMT 2:00]

Running from: c:\documents and settings\User4e\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User4e\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

 

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\xircom

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\oobe

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\srchasst

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\program files\microsoft frontpage

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\User4e\Application Data\SUPERAntiSpyware.com

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\User4e\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-23 20:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-23 12:02 . 2007-09-19 11:11 1,959,832 -ra------ c:\windows\system32\drivers\RTKVHDA.sys

2009-01-23 11:13 . 2009-01-23 11:13 <DIR> d-------- c:\documents and settings\User4e\Application Data\Leadertech

2009-01-23 11:05 . 2009-01-23 11:05 <DIR> d-------- c:\program files\directx

2009-01-23 10:29 . 2009-01-23 10:29 0 --a------ c:\windows\PowerReg.dat

2009-01-22 16:13 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe

2009-01-22 07:44 . 2009-01-22 18:41 <DIR> d-------- c:\program files\ThreatFire

2009-01-22 07:44 . 2009-01-22 07:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools

2009-01-21 21:41 . 2009-01-22 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:32 . 2009-01-21 21:33 <DIR> d-------- c:\program files\True Sword 5

2009-01-21 21:02 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll

2009-01-21 21:02 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll

2009-01-21 20:42 . 2009-01-21 20:42 <DIR> d-------- c:\documents and settings\User4e\Application Data\True Sword

2009-01-21 18:57 . 2009-01-21 19:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-21 18:57 . 2009-01-21 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-11 19:33 . 2009-01-14 13:36 <DIR> d-------- c:\program files\GRETECH

2009-01-09 09:00 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-09 09:00 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll

2009-01-09 09:00 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-09 09:00 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll

2009-01-09 09:00 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll

2009-01-09 09:00 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-03 00:53 . 2009-01-12 20:19 <DIR> d-------- c:\program files\Google

2008-12-27 13:31 . 2008-12-27 13:31 <DIR> d-------- c:\program files\Neoact

2008-12-27 13:31 . 2007-02-05 13:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-12-27 13:31 . 2008-12-27 13:31 26 --a------ c:\windows\neosetup.INI

2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\VentSrv

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\windows\system32\LogFiles

2008-12-26 15:11 . 2008-12-27 12:48 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-26 15:11 . 2008-12-30 08:52 138,464 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2008-12-26 15:11 . 2008-12-30 08:52 111,928 --a------ c:\windows\system32\PnkBstrB.exe

2008-12-26 15:11 . 2008-12-26 15:11 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2008-12-26 15:11 . 2008-12-27 12:48 22,328 --a------ c:\documents and settings\User4e\Application Data\PnkBstrK.sys

2008-12-25 12:00 . 2008-12-25 12:00 <DIR> d-------- c:\windows\Hired Guns

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-24 12:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-24 09:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-20 19:21 --------- d-----w c:\documents and settings\User4e\Application Data\Skype

2009-01-20 17:47 --------- d-----w c:\documents and settings\User4e\Application Data\skypePM

2009-01-20 11:02 --------- d-----w c:\documents and settings\User4e\Application Data\BSplayer PRO

2009-01-17 13:32 --------- d-----w c:\program files\Mv2Player

2009-01-17 12:12 --------- d-----w c:\program files\ICQToolbar

2009-01-17 11:58 --------- d-----w c:\program files\Winamp

2009-01-14 12:02 --------- d-----w c:\program files\Eset

2009-01-14 11:37 --------- d-----w c:\program files\Nokia

2009-01-11 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite

2009-01-04 17:21 --------- d-----w c:\program files\sms

2008-11-27 16:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-11-27 16:34 --------- d-----w c:\documents and settings\User4e\Application Data\Nokia

2008-11-27 16:32 --------- d-----w c:\documents and settings\User4e\Application Data\PC Suite

2008-11-27 16:28 --------- d-----w c:\program files\PC Connectivity Solution

2008-11-27 16:28 --------- d-----w c:\program files\DIFX

2008-11-27 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations

2008-11-27 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\Installations

2008-03-13 18:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-03-06 15:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-03-17 08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2009-01-24_13.34.03.62 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-24 11:33:20 53,248 ----a-w c:\windows\temp\catchme.dll

+ 2009-01-24 12:22:58 53,248 ----a-w c:\windows\temp\catchme.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 344064]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"DAEMON Tools-1033"="d:\install programs\daemon\daemon.exe" [2003-10-02 81920]

"HotKey"="c:\program files\HotKey\hotkey.exe" [2006-11-03 81920]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-26 949376]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-03-06 131584]

Logitech SetPoint.lnk - d:\install programs\Logitech G3 Software\SetPoint\SetPoint.exe [2008-03-13 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Install Programs\\ICQ\\ICQ.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12177:TCP"= 12177:TCP:BitComet 12177 TCP

"12177:UDP"= 12177:UDP:BitComet 12177 UDP

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

 

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-02 119552]

R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-09-27 5504]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-26 15424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S3 autorun;autorun; [x]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WudfServiceGroup REG_SZ hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,00

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/english

IE: &D&ownload &with BitComet - d:\install programs\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - d:\install programs\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - d:\install programs\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - d:\instal~1\WEBTRA~1\wt2ie.dll

LSP: c:\windows\system32\imon.dll

TCP: {9B994A48-1E82-4C52-8FC0-250730B7AC0F} = 193.200.15.155,193.200.15.156

FF - ProfilePath - c:\documents and settings\User4e\Application Data\Mozilla\Firefox\Profiles\6bzxc9lj.default\

FF - prefs.js: browser.search.selectedEngine - ICQ Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=HWFSSep08FFAB&search=

FF - component: d:\install programs\Mozilla\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 14:22:59

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(748)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(804)

c:\windows\system32\imon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Eset\nod32krn.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-01-24 14:24:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-24 12:24:01

ComboFix2.txt 2009-01-24 11:34:36

 

Pre-Run: 25,164,546,048 bytes free

Post-Run: 25,155,833,856 bytes free

 

213 --- E O F --- 2008-03-16 14:44:47


You can also delete the following folder (I had forgotten to add it):

 

So, one last script... (not that it can't be deleted manually, but then I would have to make you show hidden files and so on).

 

Open Notepad and enter:

 

Folder::
c:\documents and settings\User4e\Application Data\True Sword

sysrst::

 

Save the file under the name CFScript and again drag it onto the Combofix icon.

 

Now I'll ask you to archive the folder C:\Qoobox and attach it to your next post (or upload it to http://www.4storing.com ).

 

After that, all that remains is to clean up after Combofix.

 

Open Start Menu => Run => enter => combofix /u

 

http://i86.photobucket.com/albums/k86/alba123_2006/virus%20tool%20pics/combofix20u-1.jpg

 

It wouldn't hurt to clean up with CCleaner too (I'm deliberately suggesting it rather than ATF-Cleaner, because with it you can clean the registry as well).

 

You can tick the following boxes and choose Run Cleaner:

 

http://img525.imageshack.us/img525/5296/11vz0.jpg

 

Clean the registry as well; when it asks whether you want to make a backup, you can choose NO, then Fix ALL selected issues:

 

http://img525.imageshack.us/img525/6996/22no4.jpg

 

:thumbsup:


ComboFix 09-01-21.04 - User4e 2009-01-24 14:45:53.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2047.1598 [GMT 2:00]

Running from: c:\documents and settings\User4e\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User4e\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\User4e\Application Data\True Sword

 

.

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

 

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\xircom

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\system32\oobe

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\windows\srchasst

2009-01-24 13:28 . 2009-01-24 13:28 <DIR> d-------- c:\program files\microsoft frontpage

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\User4e\Application Data\SUPERAntiSpyware.com

2009-01-24 11:35 . 2009-01-24 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\User4e\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-23 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-23 20:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-23 20:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-23 12:02 . 2007-09-19 11:11 1,959,832 -ra------ c:\windows\system32\drivers\RTKVHDA.sys

2009-01-23 11:13 . 2009-01-23 11:13 <DIR> d-------- c:\documents and settings\User4e\Application Data\Leadertech

2009-01-23 11:05 . 2009-01-23 11:05 <DIR> d-------- c:\program files\directx

2009-01-23 10:29 . 2009-01-23 10:29 0 --a------ c:\windows\PowerReg.dat

2009-01-22 16:13 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe

2009-01-22 07:44 . 2009-01-22 18:41 <DIR> d-------- c:\program files\ThreatFire

2009-01-22 07:44 . 2009-01-22 07:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools

2009-01-21 21:41 . 2009-01-22 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:32 . 2009-01-21 21:33 <DIR> d-------- c:\program files\True Sword 5

2009-01-21 21:02 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll

2009-01-21 21:02 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll

2009-01-21 18:57 . 2009-01-21 19:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-21 18:57 . 2009-01-21 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-11 19:33 . 2009-01-14 13:36 <DIR> d-------- c:\program files\GRETECH

2009-01-09 09:00 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-09 09:00 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll

2009-01-09 09:00 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-09 09:00 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll

2009-01-09 09:00 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll

2009-01-09 09:00 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-03 00:53 . 2009-01-12 20:19 <DIR> d-------- c:\program files\Google

2008-12-27 13:31 . 2008-12-27 13:31 <DIR> d-------- c:\program files\Neoact

2008-12-27 13:31 . 2007-02-05 13:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-12-27 13:31 . 2008-12-27 13:31 26 --a------ c:\windows\neosetup.INI

2008-12-26 21:52 . 2008-12-26 21:52 <DIR> d-------- c:\program files\VentSrv

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\windows\system32\LogFiles

2008-12-26 15:11 . 2008-12-27 12:48 682,280 --a------ c:\windows\system32\pbsvc.exe

2008-12-26 15:11 . 2008-12-30 08:52 138,464 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2008-12-26 15:11 . 2008-12-30 08:52 111,928 --a------ c:\windows\system32\PnkBstrB.exe

2008-12-26 15:11 . 2008-12-26 15:11 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2008-12-26 15:11 . 2008-12-27 12:48 22,328 --a------ c:\documents and settings\User4e\Application Data\PnkBstrK.sys

2008-12-25 12:00 . 2008-12-25 12:00 <DIR> d-------- c:\windows\Hired Guns

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-24 12:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-24 09:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-20 19:21 --------- d-----w c:\documents and settings\User4e\Application Data\Skype

2009-01-20 17:47 --------- d-----w c:\documents and settings\User4e\Application Data\skypePM

2009-01-20 11:02 --------- d-----w c:\documents and settings\User4e\Application Data\BSplayer PRO

2009-01-17 13:32 --------- d-----w c:\program files\Mv2Player

2009-01-17 12:12 --------- d-----w c:\program files\ICQToolbar

2009-01-17 11:58 --------- d-----w c:\program files\Winamp

2009-01-14 12:02 --------- d-----w c:\program files\Eset

2009-01-14 11:37 --------- d-----w c:\program files\Nokia

2009-01-11 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite

2009-01-04 17:21 --------- d-----w c:\program files\sms

2008-11-27 16:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-11-27 16:34 --------- d-----w c:\documents and settings\User4e\Application Data\Nokia

2008-11-27 16:32 --------- d-----w c:\documents and settings\User4e\Application Data\PC Suite

2008-11-27 16:28 --------- d-----w c:\program files\PC Connectivity Solution

2008-11-27 16:28 --------- d-----w c:\program files\DIFX

2008-11-27 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations

2008-11-27 16:25 --------- d-----w c:\documents and settings\All Users\Application Data\Installations

2008-03-13 18:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-03-06 15:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

2008-03-17 08:54 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-03-17 08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2009-01-24_13.34.03.62 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-24 11:33:20 53,248 ----a-w c:\windows\temp\catchme.dll

+ 2009-01-24 12:46:36 53,248 ----a-w c:\windows\temp\catchme.dll

.

((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\HideWin.exe

2009-01-23 12:32 315392 {16542E06-83A1-4737-8BEA-76BA5C34B5E0}\RP221\A0077846.exe

2009-01-24 14:01 319488 {16542E06-83A1-4737-8BEA-76BA5C34B5E0}\RP222\A0077847.exe

 

c:\windows\RtlExUpd.dll

2008-08-25 16:17 528384 {16542E06-83A1-4737-8BEA-76BA5C34B5E0}\RP222\A0077848.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 344064]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"DAEMON Tools-1033"="d:\install programs\daemon\daemon.exe" [2003-10-02 81920]

"HotKey"="c:\program files\HotKey\hotkey.exe" [2006-11-03 81920]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-26 949376]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-03-06 131584]

Logitech SetPoint.lnk - d:\install programs\Logitech G3 Software\SetPoint\SetPoint.exe [2008-03-13 805392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Install Programs\\ICQ\\ICQ.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12177:TCP"= 12177:TCP:BitComet 12177 TCP

"12177:UDP"= 12177:UDP:BitComet 12177 UDP

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

 

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-02 119552]

R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-09-27 5504]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-26 15424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S3 autorun;autorun; [x]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WudfServiceGroup REG_SZ hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,00

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/english

IE: &D&ownload &with BitComet - d:\install programs\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - d:\install programs\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - d:\install programs\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - d:\instal~1\WEBTRA~1\wt2ie.dll

LSP: c:\windows\system32\imon.dll

TCP: {9B994A48-1E82-4C52-8FC0-250730B7AC0F} = 193.200.15.155,193.200.15.156

FF - ProfilePath - c:\documents and settings\User4e\Application Data\Mozilla\Firefox\Profiles\6bzxc9lj.default\

FF - prefs.js: browser.search.selectedEngine - ICQ Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=HWFSSep08FFAB&search=

FF - component: d:\install programs\Mozilla\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 14:46:36

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00

,79,00,73,00,00,00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49

,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00

,79,00,73,00,00,00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(748)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(804)

c:\windows\system32\imon.dll

.

Completion time: 2009-01-24 14:47:20

ComboFix-quarantined-files.txt 2009-01-24 12:47:15

ComboFix2.txt 2009-01-24 12:24:08

ComboFix3.txt 2009-01-24 11:34:36

 

Pre-Run: 25,140,248,576 bytes free

Post-Run: 25,131,393,024 bytes free

 

215 --- E O F --- 2008-03-16 14:44:47

Qoobox.rar


Thanks for the Qoobox folder.

 

Too bad this piece of junk, True Sword 5, was missing from Add/Remove Programs.

 

Delete this folder as well => c:\program files\True Sword 5

 

Uninstall Combofix and clean up with CCleaner. :thumbsup:


Time Module Object Name Threat Action User Information

2009-01-24 15:14 IMON file http://78.128.18.48:7802/hqpxum a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM

2009-01-24 15:14 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.AA worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

 

 

Tell me, they have appeared again.


As for the little Conficker.... I suggest you uninstall NOD32 v2 and install NOD32 v3/v4, which deal with it 100%.

 

Otherwise:

 

1. Download the following updates: MS08-067, MS08-068 and MS09-001.

3. Download: EConfickerRemover

4. Disconnect from the internet

5. Install the updates

6. Run EConfickerRemover and follow the instructions


Well, that was missing from the logs...

 

Install the patches that Fixer suggested.

 

Scan with his tool and clean up.

 

If the problem persists, the following little tools will also be of use:

 

http://www.malwarebytes.org/forums/index.p...ost&p=49836

 

Good luck!

