
Problem removing a virus



Yesterday I formatted C: and reinstalled Windows because of this virus, and now it's back again.

Naturally the antivirus can't remove it. Today about 30 virus alerts from the antivirus had piled up, like the ones in the screenshots I uploaded, except that each alert said something different. I think the problem comes from windows\system32\drivers\etc\hosts, because as far as I've noticed that's the only directory it shows in the virus alerts.

Otherwise I'll reinstall it again, this time the whole thing, but I have doubts about some small programs like Java and I think it may catch the virus again, so I decided to post here first.

If anyone thinks they can help, please write.

[attached screenshots: post-8171-1234727319_thumb.jpg, post-8171-1234727345_thumb.jpg, post-8171-1234727350_thumb.jpg]


Post the LOG files from HijackThis and Autoruns so we can see whether there's anything irregular.

Download http://www.softvisia.com/users/Night_Raven...his/alabala.exe (213KB), which I have deliberately renamed, run it and click Do a system scan and save a logfile. This will create a text file in the same folder. Copy its contents here or attach the file to the thread, whichever is more convenient for you.

Download http://www.softvisia.com/download.php?view.400, then start the program and do the following:

1) select Options -> Hide Microsoft Entries;

2) click File -> Refresh;

3) click File -> Save as;

4) save the file somewhere and then attach it to the thread or copy its contents.


To start with, I'd recommend stopping NOD32 for a while (or even replacing it with a more modern antivirus) and scanning with SUPERAntiSpyware Free and Malwarebytes' Anti-Malware.

 

The HijackThis and Autoruns logs would also be useful.


The antivirus is due for a change, but before I reinstalled Windows I had a newer antivirus and it didn't help.

 

from HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 00:05:20, on 16.2.2009 г.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Ivaylo\Desktop\alabala.exe

 

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A9E6D15-0F0D-455D-93EA-59BC712BC3CB}: NameServer = 195.24.90.1 195.24.88.1

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

 

from Autoruns

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ SunJavaUpdateSched Java Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ Intel Physical Address Aventis 1.3 c:\windows\wciactrl.exe

+ SUPERAntiSpyware SUPERAntiSpyware Application SUPERAntiSpyware.com c:\program files\superantispyware\superantispyware.exe

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components

+ 0 File not found: About:Home

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

+ n/a c:\windows\wciactrl.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ SABShellExecuteHook Class ShellExecuteHook SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll

HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers

+ NOD32 Context Menu Shell Extension c:\program files\eset\nodshex.dll

+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll

+ Trojan Remover Trojan Remover Shell Extension Simply Super Software c:\program files\trojan remover\trshlex.dll

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers

+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll

HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers

+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Directory\Shellex\DragDropHandlers

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\common files\adobe\acrobat\activex\pdfshell.dll

HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers

+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll

+ NOD32 Context Menu Shell Extension c:\program files\eset\nodshex.dll

+ Trojan Remover Trojan Remover Shell Extension Simply Super Software c:\program files\trojan remover\trshlex.dll

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers

+ 00nView NVIDIA Desktop Explorer, Version 111.75 NVIDIA Corporation c:\windows\system32\nvshell.dll

+ NvCplDesktopContext NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Desktop Explorer NVIDIA Desktop Explorer, Version 111.75 NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 111.75 NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll

+ NOD32 Context Menu Shell Extension c:\program files\eset\nodshex.dll

+ NvCpl DesktopContext Class NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 111.75 NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Play on my TV helper NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ Trojan Remover Shell Extension Trojan Remover Shell Extension Simply Super Software c:\program files\trojan remover\trshlex.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ Java Plug-In 2 SSV Helper Java Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll

+ Java Plug-In SSV Helper Java Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\ssv.dll

+ JQSIEStartDetectorImpl Class Java Quick Starter binary Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

HKLM\System\CurrentControlSet\Services

+ JavaQuickStarterService Prefetches JRE files for faster startup of Java applets and applications Sun Microsystems, Inc. c:\program files\java\jre6\bin\jqs.exe

+ NOD32krn NOD32 Kernel Service Eset c:\program files\eset\nod32krn.exe

+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe

HKLM\System\CurrentControlSet\Services

+ ALCXSENS Sensaura WDM 3D Audio Driver Sensaura Ltd c:\windows\system32\drivers\alcxsens.sys

+ ALCXWDM Realtek AC'97 Audio Driver (WDM) Realtek Semiconductor Corp. c:\windows\system32\drivers\alcxwdm.sys

+ AMON Amon monitor Eset c:\windows\system32\drivers\amon.sys

+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys

+ E100B Intel® PRO/100 Adapter NDIS 5.1 driver Intel Corporation c:\windows\system32\drivers\e100b325.sys

+ i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys

+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys

+ nod32drv c:\windows\system32\drivers\nod32drv.sys

+ nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 175.19 NVIDIA Corporation c:\windows\system32\drivers\nv4_mini.sys

+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys

+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys

+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys

+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys

+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys

+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys

+ rtl8139 Realtek RTL8139 NDIS 5.0 Driver Realtek Semiconductor Corporation c:\windows\system32\drivers\rtl8139.sys

+ SASDIFSV SASDIFSV.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasdifsv.sys

+ SASENUM SASENUM.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasenum.sys

+ SASKUTIL SASKUTIL.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\saskutil.sys

+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys

+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ !SASWinLogon SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

+ 000000000001 NOD32 IMON - Internet scanning support Eset c:\windows\system32\imon.dll

+ 000000000002 NOD32 IMON - Internet scanning support Eset c:\windows\system32\imon.dll

+ 000000000003 NOD32 IMON - Internet scanning support Eset c:\windows\system32\imon.dll

+ 000000000004 NOD32 IMON - Internet scanning support Eset c:\windows\system32\imon.dll

+ 000000000005 NOD32 IMON - Internet scanning support Eset c:\windows\system32\imon.dll

+ 000000000011 NOD32 IMON - Internet scanning support Eset c:\windows\system32\imon.dll

 

 

 

from Malwarebytes' Anti-Malware

 

 

Malwarebytes' Anti-Malware 1.34

Database version: 1763

Windows 5.1.2600 Service Pack 2

 

16.2.2009 г. 00:01:47

mbam-log-2009-02-16 (00-01-44).txt

 

Scan type: Quick Scan

Objects scanned: 55605

Time elapsed: 1 minute(s), 48 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

It always reports this error; it finds it and I always tell it to remove it :)

 

 

SUPERAntiSpyware Free doesn't find anything.


The logs are 1:1, but earlier I had fixed the entire HijackThis log,

there's nothing in the hosts file.

I'm on an older NOD32, Version of signatures: 3853(20090214); when I tell it to update it says it's the latest version and doesn't need one.

See what Trojan Remover shows. When I remove it, it reappears on the next scan.

[attached screenshot: post-8171-1234791296_thumb.jpg]


The logs are 1:1, but earlier I had fixed the entire HijackThis log,

When was this "earlier"? Do you mean you ticked all the items and clicked Fix checked?


Well, as far as I can see there's no change after I fixed them; it looks like a hopeless case anyway :) I've now disabled the antivirus and everything is running fine; when it starts to choke, reinstall and done :)

Download GMER. Unpack it and run the program. It will do an initial scan within seconds. When that finishes, do NOT click the Scan button; click the Copy button and then paste the contents here (Ctrl+V).

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-02-16 22:40:04

Windows 5.1.2600 Service Pack 2

 

 

---- Devices - GMER 1.0.14 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )

 

---- EOF - GMER 1.0.14 ----


Damn, the logs look clean. Either the antivirus has some problem, or there is some other, more serious problem.

 

Download ComboFix and save it to the desktop. Close all unnecessary programs. Menu Start -> Run -> type/paste the following text:

"%userprofile%\desktop\combofix.exe" /killall

Confirm with Yes on the windows that appear. Wait for it to finish scanning and don't touch the window. It will most likely ask for a restart, which you should agree to. Then paste the contents of the text file C:\ComboFix.txt here or attach the file to your comment.


ComboFix 09-02-15.01 - Ivaylo 2009-02-17 15:53:38.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.511.295 [GMT 2:00]

Running from: c:\documents and settings\Ivaylo\desktop\combofix.exe

Command switches used :: /killall

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\ammppg.dll

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_SYSDRV32

 

 

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))

.

 

2009-02-16 22:45 . 2009-02-16 22:45 65,664 --a------ c:\windows\system32\81.scr

2009-02-16 22:39 . 2009-02-16 22:40 250 --a------ c:\windows\gmer.ini

2009-02-16 21:51 . 2009-02-16 21:51 65,664 --a------ c:\windows\system32\80.scr

2009-02-16 20:34 . 2009-02-17 15:52 3 --a------ c:\windows\switch.inf

2009-02-16 17:53 . 2009-02-16 17:53 65,664 --a------ c:\windows\system32\15.scr

2009-02-16 17:21 . 2009-02-16 17:21 65,664 --a------ c:\windows\system32\32.scr

2009-02-15 23:45 . 2009-02-15 23:45 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-15 23:45 . 2009-02-15 23:45 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-15 23:45 . 2009-02-15 23:45 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\SUPERAntiSpyware.com

2009-02-15 23:45 . 2009-02-15 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-15 21:25 . 2009-02-15 21:25 65,664 --a------ c:\windows\system32\66.scr

2009-02-15 20:45 . 2009-02-15 20:45 464,896 -r-hs---- c:\windows\wciactrl.exe

2009-02-15 20:45 . 2009-02-15 20:45 65,664 --a------ c:\windows\system32\12.scr

2009-02-15 19:19 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix

2009-02-15 19:13 . 2009-02-15 19:13 410,984 --a------ c:\windows\system32\deploytk.dll

2009-02-15 19:13 . 2009-02-15 19:13 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-15 18:31 . 2009-02-15 18:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-15 18:31 . 2009-02-15 18:31 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\Malwarebytes

2009-02-15 18:31 . 2009-02-15 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-15 18:31 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-15 18:31 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-15 18:08 . 2009-02-15 18:08 <DIR> d-------- c:\program files\CCleaner

2009-02-15 17:37 . 2009-02-15 17:37 <DIR> d-------- c:\program files\Trend Micro

2009-02-15 17:14 . 2009-02-15 17:14 65,664 --a------ c:\windows\system32\62.scr

2009-02-15 16:27 . 2009-02-15 16:27 65,664 --a------ c:\windows\system32\01.scr

2009-02-15 16:21 . 2009-02-15 16:21 65,664 --a------ c:\windows\system32\31.scr

2009-02-14 22:10 . 2009-02-16 15:29 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-02-14 22:09 . 2009-02-14 22:10 <DIR> d-------- c:\program files\Trojan Remover

2009-02-14 22:09 . 2009-02-14 22:09 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\Simply Super Software

2009-02-14 22:09 . 2009-02-14 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software

2009-02-14 22:09 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll

2009-02-14 22:09 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll

2009-02-14 22:09 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll

2009-02-14 22:09 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll

2009-02-14 22:09 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll

2009-02-14 22:07 . 2009-02-15 19:22 464,896 -rahs---- c:\windows\wciactrl.exe.vir

2009-02-14 22:07 . 2009-02-14 22:07 162,304 -r-hs---- c:\windows\system32\txsocm32.dll

2009-02-14 22:07 . 2009-02-14 22:07 39,936 -r-hs---- c:\windows\system32\frnscli32.dll

2009-02-14 22:06 . 2009-02-14 22:06 65,664 --a------ c:\windows\system32\84.scr

2009-02-14 13:35 . 2009-02-14 13:35 26,624 --a------ c:\windows\system32\06.scr

2009-02-14 13:34 . 2009-02-14 13:34 <DIR> d-------- c:\program files\Webteh

2009-02-14 13:34 . 2009-02-14 13:35 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\BSplayer Pro

2009-02-14 12:52 . 2009-02-14 12:52 26,624 --a------ c:\windows\system32\41.scr

2009-02-13 23:05 . 2009-02-13 23:05 <DIR> d-------- c:\windows\system32\Lang

2009-02-13 23:05 . 2009-02-13 23:05 146,650 --a------ c:\windows\system32\BuzzingBee.wav

2009-02-13 23:05 . 2009-02-13 23:05 125,690 --a------ c:\windows\system32\LoopyMusic.wav

2009-02-13 22:39 . 2009-02-13 22:39 26,624 --a------ c:\windows\system32\38.scr

2009-02-13 21:50 . 2009-02-13 21:50 26,624 --a------ c:\windows\system32\68.scr

2009-02-13 21:15 . 2009-02-16 16:38 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\uTorrent

2009-02-13 20:54 . 2009-02-13 20:54 <DIR> d-------- c:\program files\foobar2000

2009-02-13 20:54 . 2009-02-16 17:04 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\foobar2000

2009-02-13 20:46 . 2009-02-13 20:46 <DIR> d-------- c:\windows\nview

2009-02-13 20:46 . 2008-05-16 14:01 446,464 --a------ c:\windows\system32\nvudisp.exe

2009-02-13 20:46 . 2009-02-17 15:56 186,097 --a------ c:\windows\system32\nvapps.xml

2009-02-13 20:46 . 2008-05-16 14:01 18,070 --a------ c:\windows\system32\nvdisp.nvu

2009-02-13 20:45 . 2009-02-13 20:45 <DIR> d-------- C:\NVIDIA

2009-02-13 20:45 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE

2009-02-13 20:43 . 2009-02-13 20:43 <DIR> d-------- c:\program files\Common Files\Skype

2009-02-13 20:34 . 2009-02-13 20:34 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2009-02-13 20:30 . 2009-02-13 20:30 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-13 20:30 . 2009-02-13 20:30 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\vlc

2009-02-13 20:29 . 2009-02-13 20:30 <DIR> d-------- c:\program files\Common Files\Adobe

2009-02-13 20:28 . 2009-02-13 20:28 <DIR> d-------- c:\program files\VideoLAN

2009-02-13 20:16 . 2004-08-04 01:56 221,184 --a------ c:\windows\system32\wmpns.dll

2009-02-13 20:13 . 2009-02-13 20:13 <DIR> d-------- c:\windows\system32\LogFiles

2009-02-13 20:13 . 2009-02-13 20:14 <DIR> d-------- c:\windows\system32\drivers\UMDF

2009-02-13 20:13 . 2006-09-25 17:58 23,856 --a------ c:\windows\system32\spupdsvc.exe

2009-02-13 20:07 . 2009-02-13 20:07 <DIR> d-------- c:\windows\Sun

2009-02-13 20:02 . 2009-02-13 20:42 <DIR> d-------- c:\program files\NOS

2009-02-13 20:02 . 2009-02-13 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-02-13 19:54 . 2009-02-17 15:42 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\skypePM

2009-02-13 19:54 . 2009-02-13 19:54 56 --ah----- c:\windows\system32\ezsidmv.dat

2009-02-13 19:53 . 2009-02-17 15:43 <DIR> d-------- c:\documents and settings\Ivaylo\Application Data\Skype

2009-02-13 19:52 . 2009-02-13 20:43 <DIR> dr------- c:\program files\Skype

2009-02-13 19:52 . 2009-02-13 20:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

2009-02-13 19:45 . 2009-02-13 19:45 0 --a------ c:\windows\nsreg.dat

2009-02-13 19:03 . 2001-08-17 15:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys

2009-02-13 19:02 . 2008-05-16 14:01 6,557,408 --a------ c:\windows\system32\drivers\nv4_mini.sys

2009-02-13 19:02 . 2008-05-16 14:01 6,557,408 --a--c--- c:\windows\system32\dllcache\nv4_mini.sys

2009-02-13 19:02 . 2008-05-16 14:01 6,108,928 --a------ c:\windows\system32\nv4_disp.dll

2009-02-13 19:02 . 2003-03-04 05:56 145,408 -ra------ c:\windows\system32\drivers\e100b325.sys

2009-02-13 19:02 . 2003-03-04 05:56 145,408 --a--c--- c:\windows\system32\dllcache\e100b325.sys

2009-02-13 19:02 . 2004-08-04 00:59 57,472 --a------ c:\windows\system32\drivers\redbook.sys

2009-02-13 19:02 . 2004-08-04 00:31 20,992 --a------ c:\windows\system32\drivers\RTL8139.sys

2009-02-13 19:02 . 2004-08-04 01:08 10,624 --a------ c:\windows\system32\drivers\gameenum.sys

2009-02-13 19:01 . 2004-08-04 02:56 74,240 --a------ c:\windows\system32\usbui.dll

2009-02-13 19:01 . 2004-08-04 01:07 42,368 --a------ c:\windows\system32\drivers\AGP440.SYS

2009-02-13 19:01 . 2004-08-04 00:59 5,504 --a------ c:\windows\system32\drivers\intelide.sys

2009-02-13 19:00 . 2009-02-13 17:12 <DIR> dr------- c:\documents and settings\All Users\Documents

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-15 17:13 --------- d-----w c:\program files\Java

2009-02-15 16:37 --------- d-----w c:\program files\ESET

2009-02-13 18:15 --------- d-----w c:\program files\Windows Media Connect 2

2009-02-13 18:13 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-13 16:48 --------- d-----w c:\program files\K-Lite Codec Pack

2009-02-13 16:47 --------- d-----w c:\program files\Gaberoff Koral

2009-02-13 16:39 --------- d-----w c:\program files\SA Dictionary 2005 T2

2009-02-13 16:27 --------- d-----w c:\program files\AnMing

2009-02-13 16:24 --------- d-----w c:\program files\SkyCode

2009-02-13 16:22 --------- d-----w c:\program files\Common Files\Java

2009-02-13 16:19 --------- d-----w c:\program files\Microsoft ActiveSync

2009-02-13 16:16 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-13 16:16 --------- d-----w c:\program files\A4-Tech

2009-02-13 16:16 --------- d-----w c:\documents and settings\Ivaylo\Application Data\InstallShield

2009-02-13 15:58 --------- d-----w c:\program files\Realtek Sound Manager

2009-02-13 15:58 --------- d-----w c:\program files\AvRack

2009-02-13 15:54 512,096 ----a-w c:\windows\system32\drivers\amon.sys

2009-02-13 15:54 299,392 ----a-w c:\windows\system32\imon.dll

2009-02-13 15:54 15,424 ----a-w c:\windows\system32\drivers\nod32drv.sys

2009-02-13 15:17 --------- d-----w c:\program files\microsoft frontpage

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Intel Physical Address Aventis 1.3"="c:\windows\wciactrl.exe" [2009-02-15 464896]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 136600]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Intel Physical Address Aventis 1.3"="c:\windows\wciactrl.exe" [2009-02-15 464896]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Games\\cs\\59579088499187464721.exe"=

"d:\\µTorrent\\uTorrent.exe"=

"d:\\Games\\cs\\88479782745917389057.exe"=

"c:\\WINDOWS\\System32\\68.scr"=

"c:\\WINDOWS\\System32\\38.scr"=

"c:\\WINDOWS\\System32\\41.scr"=

"c:\\WINDOWS\\System32\\06.scr"=

"d:\\Games\\cs\\80250369886764936677.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-13 15424]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Intel Physical Address Aventis 1.3]

c:\windows\wciactrl.exe

.

- - - - ORPHANS REMOVED - - - -

 

SafeBoot-WindowsTelephony

 

 

.

------- Supplementary Scan -------

.

LSP: c:\windows\system32\imon.dll

FF - ProfilePath - c:\documents and settings\Ivaylo\Application Data\Mozilla\Firefox\Profiles\s2jq9cda.default\

FF - prefs.js: browser.startup.homepage - free.haskovo.net

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-17 15:56:10

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(688)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

- - - - - - - > 'lsass.exe'(744)

c:\windows\system32\imon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\ESET\nod32krn.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Mozilla Firefox\firefox.exe

.

**************************************************************************

.

Completion time: 2009-02-17 15:57:08 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-17 13:57:05

 

Pre-Run: 15 548 014 592 bytes free

Post-Run: 15,517,364,224 bytes free

 

220

 

Every virus alert from NOD32 ends with "hosts".

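Added example (not code from the thread or from any of the tools named in it): a Python script that cross-references the O4 autostart lines of the HijackThis log posted above with the ComboFix "Files Created" listing, flagging an autostart whose image is a freshly created hidden+system file or sits directly in the Windows directory, which is the pattern the wciactrl.exe entry shows. The embedded log lines are copied from the thread; the two heuristics and all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input (copied from the HijackThis log posted in this thread): the O4
# autostart lines.
HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [intel Physical Address Aventis 1.3] C:\WINDOWS\wciactrl.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# Sample input (copied from the ComboFix "Files Created" section in this thread).
COMBOFIX_LOG = r"""
2009-02-15 20:45 . 2009-02-15 20:45 464,896 -r-hs---- c:\windows\wciactrl.exe
2009-02-15 20:45 . 2009-02-15 20:45 65,664 --a------ c:\windows\system32\12.scr
2009-02-15 19:19 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-02-15 19:13 . 2009-02-15 19:13 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-14 22:07 . 2009-02-14 22:07 162,304 -r-hs---- c:\windows\system32\txsocm32.dll
2009-02-14 22:07 . 2009-02-14 22:07 39,936 -r-hs---- c:\windows\system32\frnscli32.dll
"""

# HijackThis: "O4 - <hive>\..\<key>: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# ComboFix: "<created> . <modified> <size or <DIR>> <attrs> <path>"
CF_RE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} '
                   r'(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$')
# First drive-letter path with a loadable extension inside a command line
# (handles the RUNDLL32.EXE <dll>,<entry> form and quoted paths).
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|scr)', re.IGNORECASE)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    image: str   # lower-cased path of the file the entry loads


@dataclass
class CreatedFile:
    created: str
    size: str
    attrs: str   # ComboFix attribute string, e.g. "-r-hs----"
    path: str

    @property
    def hidden_system(self) -> bool:
        # Hidden and system bits both set: a layout chosen to stay out of
        # Explorer's default view, rarely used by legitimate user software.
        return 'h' in self.attrs and 's' in self.attrs


def parse_hjt_autostarts(text: str) -> List[Autostart]:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        pm = PATH_RE.search(m['cmd'])
        image = (pm.group(0) if pm else m['cmd'].strip('"')).lower()
        entries.append(Autostart(m['hive'], m['key'], m['name'], image))
    return entries


def parse_combofix_created(text: str) -> Dict[str, CreatedFile]:
    files: Dict[str, CreatedFile] = {}
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m and m['size'] != '<DIR>':
            path = m['path'].lower()
            files[path] = CreatedFile(m['created'], m['size'], m['attrs'], path)
    return files


def hidden_system_files(created: Dict[str, CreatedFile]) -> List[str]:
    return [p for p, f in created.items() if f.hidden_system]


def suspicious_autostarts(autostarts: List[Autostart],
                          created: Dict[str, CreatedFile]) -> List[dict]:
    """Flag autostarts whose image is a newly created hidden+system file, or
    sits directly in the Windows directory (both heuristics are assumptions)."""
    findings = []
    for a in autostarts:
        reasons = []
        f = created.get(a.image)
        if f and f.hidden_system:
            reasons.append(f"created {f.created} with attributes {f.attrs}")
        if re.fullmatch(r'c:\\windows\\[^\\]+', a.image):
            reasons.append("image sits directly in the Windows directory")
        if reasons:
            findings.append({"name": a.name, "image": a.image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    created = parse_combofix_created(COMBOFIX_LOG)
    for hit in suspicious_autostarts(parse_hjt_autostarts(HJT_LOG), created):
        print(f"[!] {hit['name']}: {hit['image']} -> {'; '.join(hit['reasons'])}")
    for p in hidden_system_files(created):
        print(f"[i] recently created hidden+system file: {p}")
```

Run against the thread's logs it singles out the "Intel Physical Address Aventis 1.3" entry and also lists txsocm32.dll and frnscli32.dll, which no autostart references but which share the same attribute pattern and creation minute.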
