
Help with detecting and removing viruses, trojan horses, etc., part 2


I have Symantec antivirus. I recently reinstalled my Windows and they gave it back to me with this program. About two weeks ago I scanned and there were viruses, which remained in quarantine, and it says they will not harm the system. But how do I remove them? There is Trojan Horse and Trojan Packed 25, and for the status it says - infected?

If they are in quarantine, there is hardly anything to worry about :rolleyes:


In case of doubt:

http://www.kaldata.com/forums/index.php?showtopic=102469

Hello! I have a rather serious problem with this Dr. Watson. Every time I install a game I get the error "Windows explorer...." and after that Dr. Watson Postmortem Debugger. I have read on all the forums how to stop the doctor; I do it both from Error Reporting and from the Start menu - Run - I type regedit and delete what needs deleting, but it still doesn't work. This happens with games that are installed from Setup.exe files. Please help, it's quite nasty like this, and when the doctor error comes up my machine freezes. Thanks in advance ;)

ComboFix 09-03-06.02 - Vanko 2009-03-08 21:33:07.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.767.522 [GMT 2:00]

Running from: c:\documents and settings\Vanko\desktop\combofix.exe

Command switches used :: /killall

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Vanko\Application Data\.#

c:\documents and settings\Vanko\Application Data\.#\MBX@CBC@962338.###

c:\documents and settings\Vanko\Application Data\.#\MBX@CBC@9648C8.###

c:\documents and settings\Vanko\Application Data\.#\MBX@CBC@9649B8.###

c:\documents and settings\Vanko\Application Data\.#\MBX@CBC@964D08.###

c:\windows\system32\kbdbds.Dll

c:\windows\system32\KBDBPH.dLL

c:\windows\system32\kbdbphz.dLL

.

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))

.

2009-03-08 20:23 . 2009-03-08 20:23 <DIR> d-------- c:\program files\Trend Micro

2009-03-08 17:57 . 2009-03-08 19:13 <DIR> d-------- c:\program files\Free Offers from Freeze.com

2009-03-08 08:57 . 2009-03-08 08:57 <DIR> d-------- c:\program files\Eidos

2009-03-05 10:41 . 2009-03-05 10:41 <DIR> dr-h----- c:\documents and settings\Vanko\Application Data\SecuROM

2009-03-05 10:41 . 2009-03-05 10:41 107,888 --a------ c:\windows\system32\CmdLineExt.dll

2009-03-04 20:05 . 2009-03-04 20:05 <DIR> d-------- c:\program files\Eidos(2)

2009-03-02 10:07 . 2009-03-05 10:46 <DIR> d-------- c:\documents and settings\Vanko\Application Data\IObit

2009-02-28 11:47 . 2009-02-28 11:48 <DIR> d-------- c:\documents and settings\Vanko\Application Data\Grand Ages Rome

2009-02-28 11:46 . 2009-02-28 11:46 <DIR> d-------- c:\windows\Logs

2009-02-23 20:12 . 2009-02-23 20:12 <DIR> d-------- c:\program files\IObit

2009-02-21 16:30 . 2009-03-08 19:13 <DIR> d-------- c:\program files\SA Dictionary 2005 T2

2009-02-21 09:27 . 2009-03-08 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

2009-02-19 15:44 . 2009-02-19 15:47 <DIR> d-------- c:\program files\VirtualDJ

2009-02-15 22:34 . 2009-02-15 22:34 <DIR> d-------- c:\program files\GameSpy Arcade

2009-02-15 18:22 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll

2009-02-15 18:22 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll

2009-02-15 18:22 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll

2009-02-15 18:21 . 2009-02-15 18:21 <DIR> d-------- c:\windows\system32\AGEIA

2009-02-15 18:21 . 2009-02-15 18:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-15 18:21 . 2009-02-15 18:21 <DIR> d-------- c:\program files\AGEIA Technologies

2009-02-15 18:21 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll

2009-02-15 18:21 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll

2009-02-15 18:21 . 2006-09-28 16:05 237,848 --a------ c:\windows\system32\xactengine2_4.dll

2009-02-15 18:21 . 2006-07-28 09:30 236,824 --a------ c:\windows\system32\xactengine2_3.dll

2009-02-15 18:21 . 2006-07-28 09:30 62,744 --a------ c:\windows\system32\xinput1_2.dll

2009-02-15 18:21 . 2007-03-05 12:42 15,128 --a------ c:\windows\system32\x3daudio1_1.dll

2009-02-15 10:05 . 2009-02-15 10:23 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-02-13 22:05 . 2009-02-13 22:05 <DIR> d-------- c:\program files\Common Files\INCA Shared

2009-02-13 22:04 . 2003-07-21 05:17 5,174 --a------ c:\windows\system32\nppt9x.vxd

2009-02-13 22:04 . 2005-01-04 20:43 4,682 --a------ c:\windows\system32\npptNT2.sys

2009-02-13 09:10 . 2008-08-14 12:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-13 09:10 . 2008-08-14 11:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-13 09:10 . 2008-08-14 11:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-13 09:10 . 2008-08-14 11:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-13 09:07 . 2008-10-24 13:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-02-13 09:02 . 2009-02-24 21:27 <DIR> d--h----- c:\windows\$hf_mig$

2009-02-12 19:47 . 2009-02-12 19:47 <DIR> d-------- c:\documents and settings\Vanko\Application Data\Leadertech

2009-02-12 19:20 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll

2009-02-12 19:20 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll

2009-02-12 19:20 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\system32\d3dx9_34.dll

2009-02-12 19:20 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll

2009-02-12 19:20 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll

2009-02-12 19:20 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll

2009-02-12 19:20 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll

2009-02-12 19:19 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll

2009-02-12 18:21 . 2009-02-12 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bluetooth

2009-02-12 18:18 . 2009-02-12 18:18 <DIR> d-------- c:\program files\IVT Corporation

2009-02-12 18:17 . 2008-06-13 15:10 272,128 --a------ c:\windows\system32\drivers\bthport.sys

2009-02-12 18:17 . 2008-06-13 15:10 272,128 --a--c--- c:\windows\system32\dllcache\bthport.sys

2009-02-12 18:17 . 2004-08-03 23:10 18,944 --a------ c:\windows\system32\drivers\BTHUSB.SYS

2009-02-12 18:17 . 2004-08-03 23:10 18,944 --a--c--- c:\windows\system32\dllcache\bthusb.sys

2009-02-09 19:10 . 2009-02-09 19:13 <DIR> d-------- c:\program files\Flex Anticheat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 19:35 --------- d-----w c:\documents and settings\Vanko\Application Data\Skype

2009-03-08 19:33 --------- d-----w c:\program files\Eset

2009-03-08 19:21 --------- d-----w c:\documents and settings\Vanko\Application Data\uTorrent

2009-03-08 17:19 --------- d-----w c:\documents and settings\Vanko\Application Data\skypePM

2009-03-03 18:11 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 07:29 --------- d-----w c:\program files\Google

2009-02-07 08:34 --------- d-----w c:\program files\Datecs

2009-02-06 13:24 --------- d-----w c:\program files\Codec Pack - All In 1

2009-02-05 18:17 --------- d-----w c:\program files\Common Files\Skype

2009-02-05 18:17 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-02-05 18:17 --------- d-----r c:\program files\Skype

2009-02-04 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\Synetic

2009-02-03 14:35 --------- d-----w c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}

2009-02-02 15:33 --------- d-----w c:\program files\CyberLink

2009-02-02 15:32 505,392 ----a-w c:\windows\system32\msvcp71.dll

2009-02-02 14:10 737,280 ----a-w c:\windows\iun6002.exe

2009-02-02 14:09 --------- d-----w c:\documents and settings\Vanko\Application Data\Media Player Classic

2009-02-02 14:02 747,676 ----a-w c:\program files\ac3filter_1-11.zip

2009-02-02 14:02 --------- d-----w c:\program files\ac3filter_1-11

2009-02-02 13:58 --------- d-----w c:\documents and settings\Vanko\Application Data\BSplayer PRO

2009-02-02 13:56 --------- d-----w c:\program files\BSplayer.Pro.1.39.829

2009-02-02 13:49 512,096 ----a-w c:\windows\system32\drivers\amon.sys

2009-02-02 13:49 298,104 ----a-w c:\windows\system32\imon.dll

2009-02-02 13:49 15,424 ----a-w c:\windows\system32\drivers\nod32drv.sys

2009-02-02 13:48 --------- d-----w c:\program files\NOD32 2.70.32

2009-02-02 13:30 --------- d-----w c:\program files\Webteh

2009-02-02 13:22 16,304,771 ----a-w c:\program files\K-Lite Codec Pack 4.5.3 Full (kaldata.com).exe

2009-02-02 13:20 3,958,416 ----a-w c:\program files\ffdshow-rev2647_20090130.zip

2009-02-02 13:20 --------- d-----w c:\program files\ffdshow-rev2647_20090130

2009-02-02 13:15 642,540 ----a-w c:\program files\XviD-1.1.3-27042008.exe

2009-02-02 13:12 --------- d-----w c:\program files\uTorrent

2009-02-02 07:22 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles

2009-02-01 16:00 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-01 13:27 --------- d-----w c:\program files\SkyCode

2009-02-01 13:25 --------- d-----w c:\program files\DAEMON Tools Lite

2009-02-01 13:23 717,296 ----a-w c:\windows\system32\drivers\sptd.sys

2009-02-01 13:23 --------- d-----w c:\documents and settings\Vanko\Application Data\DAEMON Tools

2009-02-01 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink

2009-01-31 16:04 --------- d-----w c:\program files\Realtek

2009-01-31 16:01 --------- d-----w c:\program files\DIFX

2009-01-31 15:59 --------- d-----w c:\documents and settings\Vanko\Application Data\Winamp

2009-01-31 15:58 --------- d-----w c:\program files\Winamp

2009-01-31 15:41 --------- d-----w c:\program files\microsoft frontpage

2009-01-15 06:19 801,312 ----a-w c:\windows\system32\nvcplui.exe

2009-01-15 06:19 453,152 ----a-w c:\windows\system32\nvudisp.exe

2009-01-07 09:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 68856]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-02-22 2272592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13529088]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-01 86016]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-02 949376]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]

"nwiz"="nwiz.exe" [2008-08-01 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-08-01 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-06-06 657168]

FlexType 2K.lnk - c:\program files\Datecs\FlexType 2K\FType2K.exe [2009-02-07 95232]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-02 15424]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]

S2 gupdate1c993f5fe99c732;Услуга Google Update (gupdate1c993f5fe99c732);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 133104]

.

Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-21 09:27]

2009-03-08 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 09:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.bg/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - c:\progra~1\SkyCode\WEBTRA~1\wt2ie.dll

LSP: c:\windows\system32\imon.dll

FF - ProfilePath - c:\documents and settings\Vanko\Application Data\Mozilla\Firefox\Profiles\wp9epr2s.default\

FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-08 21:36:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(960)

c:\windows\system32\imon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Eset\nod32krn.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2009-03-08 21:37:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-08 19:37:07

Pre-Run: 6 530 293 760 bytes free

Post-Run: 6,658,162,688 bytes free

215 --- E O F --- 2009-02-13 09:22:54

Would you archive the Qoobox folder, which is located in C:\, and attach it to:

http://www.4storing.com

and then post the link here?

Apart from that, follow these instructions to get the latest version of ESET NOD32 Antivirus - version 4:

http://www.eset.bg/forum/viewtopic.php?f=3...7ad5e08736779a3

Once you are ready, scan with it.

Fixer, what do I do now? Should I install a new antivirus so that this doesn't happen all over again?

Stop with this FlexType!

Now uninstall the wretched thing and install a normal one, since ComboFix has already half-wiped it anyway:

c:\windows\system32\kbdbds.Dll

c:\windows\system32\KBDBPH.dLL

c:\windows\system32\kbdbphz.dLL

http://www.kaldata.com/forums/index.php?showtopic=29819

Congratulations to Fixer for the job well done!

And I thank you too, but I will be really glad if you follow our instructions. You will help yourself, us, and a few billion people.

Malwarebytes' Anti-Malware 1.34

Database version: 1828

Windows 5.1.2600 Service Pack 2

09.3.2009 19:31:31

mbam-log-2009-03-09 (19-31-27).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 113989

Time elapsed: 29 minute(s), 8 second(s)

Memory processes infected: 0

Memory modules infected: 1

Registry keys infected: 29

Registry values infected: 8

Registry data items infected: 1

Folders infected: 1

Files infected: 18

Memory processes infected:

(No malicious items detected)

Memory modules infected:

C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> No action taken.

Registry keys infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RegistryHelper.exe (Rogue.RegistryHelper) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> No action taken.

Registry values infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sms by jeko ianev (Worm.P2P) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dll (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> No action taken.

Registry data items infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> No action taken.

Folders infected:

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> No action taken.

Files infected:

C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> No action taken.

C:\WINDOWS\ld02.exe (Backdoor.Bot) -> No action taken.

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\2WVR68VK\InstallAVg_771066010090[2].exe (Rogue.Installer) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP216\A0024027.DLL (Adware.FunWeb) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025582.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025587.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025589.SCR (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025591.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025594.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025597.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025598.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025599.EXE (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025605.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{91DC715D-08CB-4577-BBCE-EF63B22CF3D8}\RP230\A0025606.EXE (Adware.MyWebSearch) -> No action taken.

C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> No action taken.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> No action taken.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> No action taken.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> No action taken.

ComboFix 09-03-06.02 - User 2009-03-09 20:01:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2039.1327 [GMT 2:00]

Running from: c:\downloads\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Application Data\BITS

c:\documents and settings\User\Application Data\BITS\BITS.ini

c:\documents and settings\User\Application Data\BITS\Torrent\20090303181854.torrent

c:\documents and settings\User\Application Data\BITS\Torrent\20090303181854.torrent.~tmp

c:\documents and settings\User\Application Data\BITS\Torrent\20090303181854.torrent.bits

c:\documents and settings\User\Application Data\BITS\Torrent\20090303181854.torrent.filelist

c:\documents and settings\User\Application Data\BITS\Torrent\20090303181854.torrent.seeds

c:\documents and settings\User\Application Data\BITS\UPnP.ini

c:\documents and settings\User\Local Settings\Temporary Internet Files\TestBrowser.html

c:\program files\Internet Explorer\msimg32.dll

c:\windows\IE4 Error Log.txt

c:\windows\system32\ammppg.dll

c:\windows\system32\cth.dll

c:\windows\system32\f3PSSavr.scr

c:\windows\system32\sth.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))

.

2009-03-09 19:35 . 2009-03-09 19:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-09 18:56 . 2009-03-09 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-09 18:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-09 18:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-09 18:09 . 2009-03-09 18:09 <DIR> d-------- c:\program files\Trend Micro

2009-03-09 17:53 . 2009-03-09 17:53 <DIR> d-------- C:\VundoFix Backups

2009-03-09 16:09 . 2009-03-09 16:09 13,824 --a------ c:\windows\system32\dll32.exe

2009-03-09 16:09 . 2009-03-09 16:09 1 ---h----- c:\windows\t55ft3518f44.dat

2009-03-09 16:09 . 2009-03-09 16:09 1 --a------ c:\windows\9gdfgjf23

2009-03-09 16:09 . 2009-03-09 16:09 0 --a------ c:\windows\system32\nfr.gpref

2009-03-09 16:09 . 2009-03-09 16:09 0 --a------ c:\windows\system32\nfr.assembly

2009-03-09 16:08 . 2009-03-09 16:08 12,288 ---h----- c:\windows\ld02.exe

2009-03-08 14:59 . 2009-03-08 15:21 <DIR> d-------- c:\program files\CamStudio

2009-03-06 23:12 . 2009-03-06 23:18 664 --a------ c:\windows\system32\d3d9caps.dat

2009-03-06 21:51 . 2009-03-06 21:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-06 21:50 . 2009-03-09 19:35 <DIR> d-------- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com

2009-03-06 21:38 . 2009-03-06 21:38 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes

2009-03-06 21:37 . 2009-03-06 21:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-03 21:53 . 2009-03-09 14:23 52,588 --ah----- c:\windows\system32\mlfcache.dat

2009-03-03 21:52 . 2009-03-03 21:52 <DIR> d-------- c:\program files\Safari

2009-03-03 21:52 . 2009-03-03 21:52 <DIR> d-------- c:\program files\Bonjour

2009-03-03 21:26 . 2009-03-03 21:26 <DIR> d-------- c:\documents and settings\User\Application Data\CheckPoint

2009-03-03 21:26 . 2009-03-03 21:26 144 --a------ c:\windows\system32\lkfl.dat

2009-03-03 21:26 . 2009-03-03 21:27 96 --a------ c:\windows\system32\pdfl.dat

2009-03-03 21:26 . 2009-03-03 21:26 80 --a------ c:\windows\system32\ibfl.dat

2009-03-03 18:10 . 2009-03-03 18:10 <DIR> d-------- C:\profiles

2009-03-03 17:44 . 2009-03-03 17:44 <DIR> d-------- c:\documents and settings\User\Application Data\Netscape

2009-02-24 15:36 . 2009-02-24 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ICQ

2009-02-20 20:54 . 1997-07-21 16:30 1,045,776 --a------ c:\windows\system32\msjet35.dll

2009-02-20 20:54 . 1997-06-23 09:06 407,312 --a------ c:\windows\system32\msrepl35.dll

2009-02-20 20:54 . 1997-06-23 09:06 330,000 --a------ c:\windows\system32\msexch35.dll

2009-02-20 20:54 . 1997-06-23 09:06 287,504 --a------ c:\windows\system32\msxbse35.dll

2009-02-20 20:54 . 1997-06-23 09:06 252,176 --a------ c:\windows\system32\msrd2x35.dll

2009-02-20 20:54 . 1997-06-23 09:06 250,128 --a------ c:\windows\system32\mspdox35.dll

2009-02-20 20:54 . 1997-07-01 10:45 250,128 --a------ c:\windows\system32\msexcl35.dll

2009-02-20 20:54 . 1997-06-23 09:06 166,160 --a------ c:\windows\system32\msltus35.dll

2009-02-20 20:54 . 1997-06-23 09:06 165,648 --a------ c:\windows\system32\mstext35.dll

2009-02-20 20:54 . 1997-06-23 09:06 123,664 --a------ c:\windows\system32\msjint35.dll

2009-02-20 20:54 . 1997-06-23 09:06 24,848 --a------ c:\windows\system32\msjter35.dll

2009-02-19 15:41 . 2009-02-19 15:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems

2009-02-19 00:21 . 2009-02-19 00:21 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared

2009-02-18 17:47 . 2009-02-18 17:47 757,760 --------- c:\windows\UNIDRV.exe

2009-02-18 17:47 . 2009-02-18 17:47 106,109 --------- c:\windows\UNIDRV.cfg

2009-02-18 17:47 . 2009-02-18 17:47 80,864 --------- c:\windows\system32\drivers\imagedrv.sys

2009-02-18 17:47 . 2009-02-18 17:47 53,248 --------- c:\windows\system32\ImageDrive.cpl

2009-02-18 17:44 . 2002-09-25 13:15 901,120 --------- c:\windows\Unnero.exe

2009-02-18 17:44 . 2002-09-11 18:01 155,648 --------- c:\windows\system32\NeroCheck.exe

2009-02-18 17:44 . 2002-09-11 18:00 106,496 --------- c:\windows\system32\TwnLib20.dll

2009-02-18 17:44 . 2002-09-11 18:07 68,516 --------- c:\windows\Unnero.cfg

2009-02-18 17:44 . 2002-09-11 18:01 49,152 --------- c:\windows\system32\MultiSZ.dll

2009-02-14 17:05 . 2009-02-14 17:05 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-02-14 13:55 . 2009-02-14 13:56 <DIR> d--h----- c:\program files\Undiscovered World - The Incan Sun

2009-02-12 15:33 . 2009-02-12 15:34 3,046,874 --a------ C:\madonna-miles_away.mp3

2009-02-10 12:15 . 2009-02-10 12:15 <DIR> d-------- c:\documents and settings\User\Application Data\SpinTop

2009-02-10 12:15 . 2009-02-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse

2009-02-09 20:51 . 2009-03-07 00:32 <DIR> dr------- c:\program files\AnMing

2009-02-09 17:10 . 2009-02-09 17:17 <DIR> d-------- c:\documents and settings\User\Application Data\CasinoOnNet

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-09 17:59 --------- d-----w c:\program files\BitComet

2009-03-09 17:56 --------- d-----w c:\program files\Symantec AntiVirus

2009-03-09 17:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-09 14:47 --------- d-----w c:\documents and settings\User\Application Data\DMCache

2009-03-09 13:52 --------- d-----w c:\documents and settings\User\Application Data\Skype

2009-03-08 23:28 --------- d-----w c:\documents and settings\User\Application Data\skypePM

2009-03-06 16:48 --------- d-----w c:\program files\Google

2009-03-06 16:47 --------- d-----w c:\program files\iTunes

2009-03-06 16:47 --------- d-----w c:\program files\Common Files\Apple

2009-03-06 16:45 --------- d-----w c:\program files\QuickTime

2009-03-06 16:45 --------- d-----w c:\program files\Common Files\Real

2009-03-06 16:44 --------- d-----w c:\program files\Coding Workshop Polyphonic Wizard

2009-03-03 19:52 --------- d-----w c:\documents and settings\User\Application Data\Apple Computer

2009-03-03 13:46 --------- d-----w c:\program files\Favorite-Games

2009-02-27 15:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-20 10:13 --------- d-----w c:\program files\Common Files\Adobe

2009-02-18 15:47 --------- d-----w c:\program files\Ahead

2009-02-16 21:31 --------- d-----w c:\program files\Winamp

2009-02-12 13:38 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-08 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\AutoPowerOn

2009-02-08 21:44 --------- d-----w c:\documents and settings\User\Application Data\Promixis

2009-02-05 18:39 77,824 ----a-w c:\windows\SkycarUninstall.exe

2009-02-05 11:46 232,075 ----a-w c:\windows\Burn4Free_Toolbar_Uninstaller_6656.exe

2009-02-01 19:08 --------- d-----w c:\documents and settings\User\Application Data\######

2009-01-31 17:46 --------- d-----w c:\program files\Mp3_Siem

2009-01-31 17:25 --------- d-----w c:\documents and settings\User\Application Data\PPStream

2009-01-29 20:49 --------- d-----w c:\documents and settings\User\Application Data\Outerspace Software

2009-01-27 23:10 --------- d-----w c:\documents and settings\User\Application Data\Ashampoo

2009-01-27 23:08 --------- d-----w c:\program files\Ashampoo

2009-01-27 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\ashampoo

2009-01-23 20:11 --------- d-----w c:\documents and settings\User\Application Data\Mobile Master

2009-01-23 20:07 --------- d-----w c:\program files\Common Files\Jumping Bytes

2009-01-23 17:19 --------- d-----w c:\program files\Mp3 Knife

2009-01-20 14:20 --------- d-----w c:\documents and settings\User\Application Data\Audacity

2009-01-19 21:52 --------- d-----w c:\program files\Common Files\Teleca Shared

2009-01-19 21:43 --------- d-----w c:\documents and settings\User\Application Data\Teleca

2009-01-19 21:41 --------- d-----w c:\documents and settings\User\Application Data\Sony Ericsson

2009-01-19 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-01-19 16:57 --------- d-----w c:\program files\MpcStar

2009-01-19 16:42 --------- d-----w c:\documents and settings\User\Application Data\MobileAction

2008-12-12 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe

2008-12-12 09:11 61,440 ----a-w c:\windows\system32\dnssd.dll

2008-11-26 08:56 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-11-26 08:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-07-21 07:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat

2008-11-26 08:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dll"="dll32" [X]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-05-25 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2005-06-14 15360]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-06 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-06 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-06 138008]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-09-11 155648]

"sysldtray"="c:\windows\ld02.exe" [2009-03-09 12288]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2007-11-06 c:\windows\SkyTel.exe]

"NDSTray.exe"="NDSTray.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2005-06-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-07-21 151552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3iv2"= 3ivxVfWCodec.dll

"VIDC.HFYU"= huffyuv.dll

"VIDC.VP31"= vp31vfw.dll

"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--------- 2002-09-11 18:01 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"17822:TCP"= 17822:TCP:BitComet 17822 TCP

"17822:UDP"= 17822:UDP:BitComet 17822 UDP

"80:TCP"= 80:TCP:dll32

"7171:TCP"= 7171:TCP:dll32

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-07-21 264576]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2009-01-21 19034]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

*NewlyCreated* - SASENUM

*NewlyCreated* - SASKUTIL

*Deregistered* - EraserUtilDrv10910

*Deregistered* - MBAMSwissArmy

.

Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{D187A56B-A33F-4CBE-9D77-459FC0BAE012} - c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

Toolbar-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

HKCU-Run-Registry Helper - c:\program files\Registry Helper\LaunchRegistryHelper.Exe

HKCU-Run-Disk Cleaner - c:\program files\Disk Cleaner\LaunchDiskCleaner.Exe

HKCU-Run-SMS by Jeko Ianev - c:\program files\sms\sms.exe

HKCU-Run-VoipDiscount - c:\program files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe

HKCU-Run-ICQ - c:\program files\ICQ6.5\ICQ.exe

HKLM-Run-SnowFall Living Desktop - c:\program files\Lumesoft\Living Desktops\SnowFall\SnowFall.exe

HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.bg/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm613YYBG

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

IE: {{736D982F-8E2C-4afc-B202-D8195B48AB68} - c:\program files\Igoodsoft\Super Proxy Helper\ProxyHelper.exe

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - c:\progra~1\SkyCode\WEBTRA~1\wt2ie.dll

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\euwnu368.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682929&SearchSource=3&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://google.bg

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-09 20:02:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\мк*•‘|\comctl32.dll]

"MUIVer"=hex(b):84,08,54,0b,00,00,06,00

"000600000b540ba6"=dword:00000000

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\4Ы*•‘|\Comctl32.dll]

"MUIVer"=hex(b):84,08,54,0b,00,00,06,00

"000600000b540ba6"=dword:00000000

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\$р*•‘|\comctl32.dll]

"MUIVer"=hex(b):84,08,54,0b,00,00,06,00

"000600000b540ba6"=dword:00000000

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1351A24C-0BD8-1604-F60D-C2CDAFE4B49D}*]

"haohocplgfjcfpdg"=hex:69,61,66,63,66,70,66,69,6c,62,68,61,66,6a,6e,68,63,6c,

00,00

"iamhidmgklmpblkhaj"=hex:69,61,66,63,66,70,66,69,6c,62,68,61,66,6a,6e,68,63,6c,

00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{14906963-40c9-4834-a7f2-22adf46c3e80}]

@Denied: (Full) (Everyone)

"Model"=dword:0000002c

"Therad"=dword:00000022

"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,

38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):88,ac,5f,22,c5,7c,52,44,eb,14,0f,2a,bf,c9,e7,8f,7b,56,8d,86,a7,

55,4f,be,9a,3b,6f,d5,d9,3f,cd,2f,8b,5c,57,cb,31,bb,77,20,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

Completion time: 2009-03-09 20:03:29

ComboFix-quarantined-files.txt 2009-03-09 18:03:02

Pre-Run: 13 403 422 720 bytes free

Post-Run: 16,749,965,312 bytes free

305 --- E O F --- 2009-01-25 10:58:15

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:27:37, on 09.3.2009 г.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20935)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\dll32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Datecs\Flex2K.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bg/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sysldtray] C:\windows\ld02.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [dll] dll32

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: Adrenaliner.lnk = C:\Program Files\Adrenaliner\adrenaliner.exe

O4 - Startup: AutorunsDisabled

O4 - Startup: Файлове.lnk = C:\Program Files\DC++\DCPlusPlus.exe

O4 - Global Startup: FlexType 2K.lnk = ?

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm613YYBG

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &С&валяне &с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &С&валяне на всички с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &С&валяне на всичкото видео с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll (file missing)

O9 - Extra button: Super Proxy Helper - {736D982F-8E2C-4afc-B202-D8195B48AB68} - C:\Program Files\Igoodsoft\Super Proxy Helper\ProxyHelper.exe

O9 - Extra 'Tools' menuitem: Super Proxy Helper - {736D982F-8E2C-4afc-B202-D8195B48AB68} - C:\Program Files\Igoodsoft\Super Proxy Helper\ProxyHelper.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Undiscovered%20World%20-%20The%20Incan%20Sun/Images/stg_drm.ocx

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Little%20Shop%20-%20Memories/Images/armhelper.ocx

O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/Game...ronGameHost.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 10007 bytes

Hello, Milen!

Open Notepad and paste the following via copy/paste:

Killall::


File::

c:\windows\system32\dll32.exe

c:\windows\t55ft3518f44.dat

c:\windows\ld01.exe

c:\windows\ld02.exe 

c:\353454543.bat 

C:\documents and settings\User\Local Settings\Temp\tt_1236479813.exe

C:\documents and settings\User\Local Settings\Temp\rtyr_1236479815.exe  

c:\dll32.bat 

c:\windows\pp2.exe

c:\355674543.bat

c:\windows\system32\nfr.gpref

c:\windows\system32\nfr.assembly

c:\windows\system32\d3d9caps.dat

c:\windows\system32\mlfcache.dat

c:\windows\system32\lkfl.dat

c:\windows\system32\pdfl.dat

c:\windows\system32\ibfl.dat

c:\windows\UNIDRV.exe

c:\windows\UNIDRV.cfg

c:\windows\Burn4Free_Toolbar_Uninstaller_6656.exe


Folder::

c:\windows\9gdfgjf23


Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"80:TCP"=-

"7171:TCP"=-

Save the file under the name CFScript.txt and drag it onto ComboFix.

After the program finishes, it will show you the log file. Paste its contents here via Copy/Paste.

milen1112, download ComboFix from:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Put it on the desktop and do what I wrote to you above.

sotkata, there is a thread created specifically for that question; this is not the place for that log.
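The reasoning behind the CFScript above, written up as an added triage script (this is not code from the thread, from HijackThis or from ComboFix): it reads HijackThis R1/O4 lines and ComboFix GloballyOpenPorts lines, flags a Run entry that is a bare name or an executable sitting in the Windows root, and ties it to a firewall exception and a localhost browser proxy on the same port. The sample lines are constructed from the log formats seen in this thread, and the scoring and threshold are assumptions of this example.

```python
"""Triage of autostart, proxy and firewall lines from HijackThis / ComboFix logs.

Added example, not code from the thread, HijackThis or ComboFix. The scoring is
a constructed heuristic: a bare Run value or an executable dropped in the Windows
root is suspicious on its own, and becomes much more so when a firewall exception
is opened under the same name on the very port the browser proxy points to.
"""
import re
from collections import defaultdict

# Constructed sample: HijackThis R1/O4 lines plus ComboFix GloballyOpenPorts lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld02.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dll] dll32
"17822:TCP"= 17822:TCP:BitComet 17822 TCP
"80:TCP"= 80:TCP:dll32
"7171:TCP"= 7171:TCP:dll32
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"= \d+:(?:TCP|UDP):(?P<label>.+)$')
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def parse_proxy(value):
    """(host, port) of the HTTP proxy in a ProxyServer value, else None."""
    for part in value.split(";"):
        scheme, _, hostport = part.strip().rpartition("=")
        if scheme and scheme.lower() != "http":
            continue  # ftp=/https=/socks= entries are not the HTTP proxy
        host, _, port = hostport.rpartition(":")
        if host and port.isdigit():
            return host.lower(), int(port)
    return None


def is_loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def executable_of(cmd):
    """Executable part of a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def base_name(path):
    """Lower-case file name without extension; matches firewall labels to entries."""
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def triage(log_text):
    """Return (proxy, findings); findings maps (hive, name) -> (exe, score, reasons)."""
    proxy, runs, ports = None, {}, defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROXY_RE.match(line):
            proxy = parse_proxy(m["value"])
        elif m := RUN_RE.match(line):
            runs[(m["hive"], m["name"])] = executable_of(m["cmd"])
        elif m := PORT_RE.match(line):
            ports[base_name(m["label"])].append((int(m["port"]), m["proto"]))

    findings = {}
    for key, exe in runs.items():
        score, reasons = 0, []
        if "\\" not in exe:
            score += 1  # weak on its own: legitimate entries like RTHDCPL.EXE look the same
            reasons.append("bare name, resolved via PATH at logon")
        elif WINDOWS_ROOT_RE.match(exe):
            score += 2
            reasons.append("executable placed directly in the Windows root")
        for port, proto in ports.get(base_name(exe), []):
            score += 2
            reasons.append(f"firewall exception {port}/{proto} opened under the same name")
            if proxy and is_loopback(proxy[0]) and proxy[1] == port:
                score += 2
                reasons.append(f"browser proxy is localhost:{port}, i.e. this program")
        findings[key] = (exe, score, reasons)
    return proxy, findings


def suspicious(log_text, threshold=2):
    """Names of Run entries scoring at or above the threshold, highest first."""
    _, findings = triage(log_text)
    hits = [(name, s) for (_, name), (_, s, _) in findings.items() if s >= threshold]
    return [name for name, _ in sorted(hits, key=lambda t: -t[1])]


if __name__ == "__main__":
    proxy, findings = triage(SAMPLE_LOG)
    print("browser proxy:", proxy)
    for (hive, name), (exe, score, reasons) in findings.items():
        if reasons:
            print(f"[{score}] {hive} {name} -> {exe}: " + "; ".join(reasons))
```

On the sample the bare `dll32` entry outscores everything because the firewall rules and the localhost:7171 proxy all point back at it, while the equally bare RTHDCPL.EXE stays below the threshold.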

Hostname download.bleepingcomputer.com ISP Unknown

Country United States Country Code US (USA)

City Dallas Region Texas

IP Address 208.43.120.24

https://www.virustotal.com/ru/analisis/8ebb...18f15a8a4d2c853 Some are wrong, but which ones? Why are these Americans "hiding"? Fixer, nothing personal, but is this option recommended at all? When someone tries to help me this way I find it strangely amusing; there are so many other options... More effective and faster. Dr.WEB is very rarely wrong! Regards

Your post does not belong in this thread, and how many more times are we going to discuss that it is an FP from exactly these programs when it comes to ComboFix.exe; there are no threats at all. It is not only this particular tool that gets such FP results, often labelled "potentially dangerous or suspicious objects". Writing this means you are not familiar with ComboFix and the way it works.

Edited by mihnev_sz

Yes, you are right. I have no desire to study it and use it; why remove infections by creating a new vulnerability!? And then am I supposed to deal with its "developments" as well!? Judgements are always personal, and so are the consequences, if there are any. Good night.

ComboFix 09-03-10.01 - User 2009-03-11 0:49:12.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.2039.1444 [GMT 2:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\353454543.bat

c:\355674543.bat

c:\dll32.bat

c:\documents and settings\User\Local Settings\Temp\rtyr_1236479815.exe

c:\documents and settings\User\Local Settings\Temp\tt_1236479813.exe

c:\windows\Burn4Free_Toolbar_Uninstaller_6656.exe

c:\windows\ld01.exe

c:\windows\ld02.exe

c:\windows\pp2.exe

c:\windows\system32\d3d9caps.dat

c:\windows\system32\dll32.exe

c:\windows\system32\ibfl.dat

c:\windows\system32\lkfl.dat

c:\windows\system32\mlfcache.dat

c:\windows\system32\nfr.assembly

c:\windows\system32\nfr.gpref

c:\windows\system32\pdfl.dat

c:\windows\t55ft3518f44.dat

c:\windows\UNIDRV.cfg

c:\windows\UNIDRV.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\9gdfgjf23\

c:\windows\system32\nfr.assembly

c:\windows\system32\nfr.gpref

.

---- Previous Run -------

.

c:\windows\9gdfgjf23\

c:\windows\Burn4Free_Toolbar_Uninstaller_6656.exe

c:\windows\ld02.exe

c:\windows\system32\d3d9caps.dat

c:\windows\system32\dll32.exe

c:\windows\system32\ibfl.dat

c:\windows\system32\lkfl.dat

c:\windows\system32\mlfcache.dat

c:\windows\system32\nfr.assembly

c:\windows\system32\nfr.gpref

c:\windows\system32\pdfl.dat

c:\windows\t55ft3518f44.dat

c:\windows\UNIDRV.cfg

c:\windows\UNIDRV.exe

.

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))

.

2009-03-10 11:21 . 2009-03-10 11:21 12,800 --a------ c:\windows\system32\dll32.dll

2009-03-09 19:35 . 2009-03-09 19:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-09 18:56 . 2009-03-09 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-09 18:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-09 18:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-09 18:09 . 2009-03-09 18:09 <DIR> d-------- c:\program files\Trend Micro

2009-03-09 17:53 . 2009-03-09 17:53 <DIR> d-------- C:\VundoFix Backups

2009-03-09 16:09 . 2009-03-09 16:09 1 --a------ c:\windows\9gdfgjf23

2009-03-08 14:59 . 2009-03-08 15:21 <DIR> d-------- c:\program files\CamStudio

2009-03-06 21:51 . 2009-03-06 21:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-06 21:50 . 2009-03-09 19:35 <DIR> d-------- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com

2009-03-06 21:38 . 2009-03-06 21:38 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes

2009-03-06 21:37 . 2009-03-06 21:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-03 21:52 . 2009-03-03 21:52 <DIR> d-------- c:\program files\Safari

2009-03-03 21:52 . 2009-03-03 21:52 <DIR> d-------- c:\program files\Bonjour

2009-03-03 21:26 . 2009-03-03 21:26 <DIR> d-------- c:\documents and settings\User\Application Data\CheckPoint

2009-03-03 18:10 . 2009-03-03 18:10 <DIR> d-------- C:\profiles

2009-03-03 17:44 . 2009-03-03 17:44 <DIR> d-------- c:\documents and settings\User\Application Data\Netscape

2009-02-24 15:36 . 2009-02-24 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ICQ

2009-02-20 20:54 . 1997-07-21 16:30 1,045,776 --a------ c:\windows\system32\msjet35.dll

2009-02-20 20:54 . 1997-06-23 09:06 407,312 --a------ c:\windows\system32\msrepl35.dll

2009-02-20 20:54 . 1997-06-23 09:06 330,000 --a------ c:\windows\system32\msexch35.dll

2009-02-20 20:54 . 1997-06-23 09:06 287,504 --a------ c:\windows\system32\msxbse35.dll

2009-02-20 20:54 . 1997-06-23 09:06 252,176 --a------ c:\windows\system32\msrd2x35.dll

2009-02-20 20:54 . 1997-06-23 09:06 250,128 --a------ c:\windows\system32\mspdox35.dll

2009-02-20 20:54 . 1997-07-01 10:45 250,128 --a------ c:\windows\system32\msexcl35.dll

2009-02-20 20:54 . 1997-06-23 09:06 166,160 --a------ c:\windows\system32\msltus35.dll

2009-02-20 20:54 . 1997-06-23 09:06 165,648 --a------ c:\windows\system32\mstext35.dll

2009-02-20 20:54 . 1997-06-23 09:06 123,664 --a------ c:\windows\system32\msjint35.dll

2009-02-20 20:54 . 1997-06-23 09:06 24,848 --a------ c:\windows\system32\msjter35.dll

2009-02-19 15:41 . 2009-02-19 15:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems

2009-02-19 00:21 . 2009-02-19 00:21 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared

2009-02-18 17:47 . 2009-02-18 17:47 80,864 --------- c:\windows\system32\drivers\imagedrv.sys

2009-02-18 17:47 . 2009-02-18 17:47 53,248 --------- c:\windows\system32\ImageDrive.cpl

2009-02-18 17:44 . 2002-09-25 13:15 901,120 --------- c:\windows\Unnero.exe

2009-02-18 17:44 . 2002-09-11 18:01 155,648 --------- c:\windows\system32\NeroCheck.exe

2009-02-18 17:44 . 2002-09-11 18:00 106,496 --------- c:\windows\system32\TwnLib20.dll

2009-02-18 17:44 . 2002-09-11 18:07 68,516 --------- c:\windows\Unnero.cfg

2009-02-18 17:44 . 2002-09-11 18:01 49,152 --------- c:\windows\system32\MultiSZ.dll

2009-02-14 17:05 . 2009-02-14 17:05 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-02-14 13:55 . 2009-02-14 13:56 <DIR> d--h----- c:\program files\Undiscovered World - The Incan Sun

2009-02-12 15:33 . 2009-02-12 15:34 3,046,874 --a------ C:\madonna-miles_away.mp3

2009-02-10 12:15 . 2009-02-10 12:15 <DIR> d-------- c:\documents and settings\User\Application Data\SpinTop

2009-02-10 12:15 . 2009-02-10 12:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-10 22:51 --------- d-----w c:\program files\Symantec AntiVirus

2009-03-10 22:21 --------- d-----w c:\program files\BitComet

2009-03-10 16:33 --------- d-----w c:\documents and settings\User\Application Data\Skype

2009-03-10 15:35 --------- d-----w c:\documents and settings\User\Application Data\skypePM

2009-03-09 17:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-09 14:47 --------- d-----w c:\documents and settings\User\Application Data\DMCache

2009-03-06 22:32 --------- d-----r c:\program files\AnMing

2009-03-06 16:48 --------- d-----w c:\program files\Google

2009-03-06 16:47 --------- d-----w c:\program files\iTunes

2009-03-06 16:47 --------- d-----w c:\program files\Common Files\Apple

2009-03-06 16:45 --------- d-----w c:\program files\QuickTime

2009-03-06 16:45 --------- d-----w c:\program files\Common Files\Real

2009-03-06 16:44 --------- d-----w c:\program files\Coding Workshop Polyphonic Wizard

2009-03-03 19:52 --------- d-----w c:\documents and settings\User\Application Data\Apple Computer

2009-03-03 13:46 --------- d-----w c:\program files\Favorite-Games

2009-02-27 15:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-20 10:13 --------- d-----w c:\program files\Common Files\Adobe

2009-02-18 15:47 --------- d-----w c:\program files\Ahead

2009-02-16 21:31 --------- d-----w c:\program files\Winamp

2009-02-12 13:38 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-09 15:17 --------- d-----w c:\documents and settings\User\Application Data\CasinoOnNet

2009-02-08 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\AutoPowerOn

2009-02-08 21:44 --------- d-----w c:\documents and settings\User\Application Data\Promixis

2009-02-05 18:39 77,824 ----a-w c:\windows\SkycarUninstall.exe

2009-02-01 19:08 --------- d-----w c:\documents and settings\User\Application Data\######

2009-01-31 17:46 --------- d-----w c:\program files\Mp3_Siem

2009-01-31 17:25 --------- d-----w c:\documents and settings\User\Application Data\PPStream

2009-01-29 20:49 --------- d-----w c:\documents and settings\User\Application Data\Outerspace Software

2009-01-27 23:10 --------- d-----w c:\documents and settings\User\Application Data\Ashampoo

2009-01-27 23:08 --------- d-----w c:\program files\Ashampoo

2009-01-27 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\ashampoo

2009-01-23 20:11 --------- d-----w c:\documents and settings\User\Application Data\Mobile Master

2009-01-23 20:07 --------- d-----w c:\program files\Common Files\Jumping Bytes

2009-01-23 17:19 --------- d-----w c:\program files\Mp3 Knife

2009-01-20 14:20 --------- d-----w c:\documents and settings\User\Application Data\Audacity

2009-01-19 21:52 --------- d-----w c:\program files\Common Files\Teleca Shared

2009-01-19 21:43 --------- d-----w c:\documents and settings\User\Application Data\Teleca

2009-01-19 21:41 --------- d-----w c:\documents and settings\User\Application Data\Sony Ericsson

2009-01-19 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-01-19 16:57 --------- d-----w c:\program files\MpcStar

2009-01-19 16:42 --------- d-----w c:\documents and settings\User\Application Data\MobileAction

2008-12-12 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe

2008-12-12 09:11 61,440 ----a-w c:\windows\system32\dnssd.dll

2008-11-26 08:56 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat

2008-11-26 08:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

2008-07-21 07:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat

2008-11-26 08:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dll"="dll32" [X]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-05-25 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2005-06-14 15360]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-06 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-06 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-06 138008]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-09-11 155648]

"sysldtray"="c:\windows\ld02.exe" [bU]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2007-11-06 c:\windows\SkyTel.exe]

"NDSTray.exe"="NDSTray.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2005-06-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-07-21 151552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3iv2"= 3ivxVfWCodec.dll

"VIDC.HFYU"= huffyuv.dll

"VIDC.VP31"= vp31vfw.dll

"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--------- 2002-09-11 18:01 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"17822:TCP"= 17822:TCP:BitComet 17822 TCP

"17822:UDP"= 17822:UDP:BitComet 17822 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-07-21 264576]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2009-01-21 19034]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

.

Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.bg/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm613YYBG

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

IE: {{736D982F-8E2C-4afc-B202-D8195B48AB68} - c:\program files\Igoodsoft\Super Proxy Helper\ProxyHelper.exe

IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - c:\progra~1\SkyCode\WEBTRA~1\wt2ie.dll

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\euwnu368.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1682929&SearchSource=3&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://google.bg

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.type - 1

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-11 00:51:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\мк*•‘|\comctl32.dll]

"MUIVer"=hex(b):84,08,54,0b,00,00,06,00

"000600000b540ba6"=dword:00000000

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\4Ы*•‘|\Comctl32.dll]

"MUIVer"=hex(b):84,08,54,0b,00,00,06,00

"000600000b540ba6"=dword:00000000

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\$р*•‘|\comctl32.dll]

"MUIVer"=hex(b):84,08,54,0b,00,00,06,00

"000600000b540ba6"=dword:00000000

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1351A24C-0BD8-1604-F60D-C2CDAFE4B49D}*]

"haohocplgfjcfpdg"=hex:69,61,66,63,66,70,66,69,6c,62,68,61,66,6a,6e,68,63,6c,

00,00

"iamhidmgklmpblkhaj"=hex:69,61,66,63,66,70,66,69,6c,62,68,61,66,6a,6e,68,63,6c,

00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{14906963-40c9-4834-a7f2-22adf46c3e80}]

@Denied: (Full) (Everyone)

"Model"=dword:0000002c

"Therad"=dword:00000022

"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,

38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):88,ac,5f,22,c5,7c,52,44,eb,14,0f,2a,bf,c9,e7,8f,7b,56,8d,86,a7,

55,4f,be,9a,3b,6f,d5,d9,3f,cd,2f,8b,5c,57,cb,31,bb,77,20,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1096)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec AntiVirus\DoScan.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\windows media player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2009-03-11 0:53:39 - machine was rebooted [user]

ComboFix-quarantined-files.txt 2009-03-10 22:53:16

ComboFix2.txt 2009-03-09 18:03:30

Pre-Run: 16,695,668,736 bytes free

Post-Run: 16,682,364,928 bytes free

326 --- E O F --- 2009-01-25 10:58:15

Open Notepad and paste the following into it via copy/paste:

Killall::


File::

c:\windows\system32\dll32.dll


Folder::

c:\windows\9gdfgjf23


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dll"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"sysldtray"=-


Reglock::

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\мк*•‘|\comctl32.dll]

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\4Ы*•‘|\Comctl32.dll]

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\$р*•‘|\comctl32.dll]

[HKEY_USERS\S-1-5-21-329068152-73586283-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1351A24C-0BD8-1604-F60D-C2CDAFE4B49D}*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{14906963-40c9-4834-a7f2-22adf46c3e80}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

Save the file under the name CFScript.txt and drag it onto ComboFix.


After the program finishes, it will show you the log file. Paste its contents here via copy/paste.

Good evening! :) Is anything wrong here?

ComboFix 09-03-10.03 - gooner 2009-03-11 17:49:22.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1251.1.1033.18.3198.2116 [GMT 2:00]

Running from: c:\users\gooner\Desktop\ComboFix.exe

Command switches used :: c:\users\gooner\Desktop\CFScript.txt

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\dll32.dll

.

ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\lsprst7.dll

c:\windows\system32\ssprs.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))

.

2009-03-11 16:18 . 2009-02-24 03:29 2,034,176 --a------ c:\windows\System32\win32k.sys

2009-03-10 16:16 . 2009-03-10 16:16 <DIR> d-------- c:\program files\MPC HomeCinema

2009-03-10 11:50 . 2009-03-10 12:02 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy

2009-03-10 11:50 . 2009-03-10 12:02 <DIR> d-------- c:\programdata\Spybot - Search & Destroy

2009-03-10 11:50 . 2009-03-10 11:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-10 01:43 . 2009-03-10 01:43 <DIR> d-------- c:\users\gooner\AppData\Roaming\Malwarebytes

2009-03-10 01:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys

2009-03-10 01:42 . 2009-03-10 01:42 <DIR> d-------- c:\users\All Users\Malwarebytes

2009-03-10 01:42 . 2009-03-10 01:42 <DIR> d-------- c:\programdata\Malwarebytes

2009-03-10 01:42 . 2009-03-10 01:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-10 01:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys

2009-03-09 02:31 . 2009-03-09 02:31 280 --a------ c:\windows\System32\PDBootState

2009-03-08 00:29 . 2009-03-09 02:19 <DIR> d-------- c:\users\All Users\Media Center Programs

2009-03-08 00:29 . 2009-03-09 02:19 <DIR> d-------- c:\programdata\Media Center Programs

2009-03-05 00:05 . 2009-03-05 00:05 <DIR> d-------- c:\windows\System32\vi-VN

2009-03-05 00:05 . 2009-03-05 00:05 <DIR> d-------- c:\windows\System32\eu-ES

2009-03-05 00:05 . 2009-03-05 00:05 <DIR> d-------- c:\windows\System32\ca-ES

2009-03-05 00:05 . 2007-07-02 16:30 8,393 --a------ c:\windows\System32\CTAPO32.cat

2009-03-05 00:03 . 2009-03-05 00:03 <DIR> d-------- c:\windows\System32\SPReview

2009-03-04 23:55 . 2009-03-04 23:55 <DIR> d-------- c:\windows\System32\EventProviders

2009-03-01 15:39 . 2009-03-01 15:39 <DIR> d-------- c:\program files\CCleaner

2009-02-28 18:02 . 2009-02-28 18:02 <DIR> d-------- c:\program files\Veetle

2009-02-26 14:26 . 2009-02-26 14:26 <DIR> d-------- c:\users\gooner\AppData\Roaming\Nero

2009-02-26 14:26 . 2009-02-26 14:26 <DIR> d-------- c:\program files\Common Files\Nero

2009-02-26 14:25 . 2009-02-26 14:26 <DIR> d-------- c:\program files\Nero 9

2009-02-25 00:39 . 2009-02-25 01:00 <DIR> d-------- c:\users\gooner\AppData\Roaming\FileZilla

2009-02-25 00:39 . 2009-02-25 00:39 <DIR> d-------- c:\program files\FileZilla FTP Client

2009-02-23 15:59 . 2009-02-23 15:59 231,176 --a------ c:\windows\System32\PDBoot.exe

2009-02-23 01:24 . 2009-02-23 01:24 <DIR> d-------- c:\program files\eMule

2009-02-23 00:29 . 2009-02-23 00:29 <DIR> d-------- c:\program files\Common Files\ATI Technologies

2009-02-23 00:24 . 2009-02-23 00:24 <DIR> d-------- c:\users\All Users\ATI

2009-02-23 00:24 . 2009-02-23 00:24 <DIR> d-------- c:\programdata\ATI

2009-02-23 00:21 . 2009-02-23 00:21 <DIR> d-------- c:\program files\ATI

2009-02-23 00:20 . 2009-02-23 00:22 <DIR> d-------- c:\program files\ATI Technologies

2009-02-23 00:03 . 2009-02-23 00:12 <DIR> d-------- c:\program files\Driver Cleaner PE

2009-02-20 16:45 . 2009-02-20 16:45 <DIR> d-------- c:\program files\OpenAL

2009-02-20 16:45 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\System32\D3DCompiler_40.dll

2009-02-20 16:45 . 2008-10-10 04:52 452,440 --a------ c:\windows\System32\d3dx10_40.dll

2009-02-20 16:45 . 2008-10-27 10:04 235,856 --a------ c:\windows\System32\xactengine3_3.dll

2009-02-20 16:44 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\System32\D3DCompiler_39.dll

2009-02-20 16:44 . 2008-07-10 11:01 467,984 --a------ c:\windows\System32\d3dx10_39.dll

2009-02-20 16:44 . 2008-07-30 06:20 238,088 --a------ c:\windows\System32\xactengine3_2.dll

2009-02-13 02:32 . 2009-02-13 02:40 <DIR> d-------- c:\users\All Users\ArcSoft

2009-02-13 02:32 . 2009-02-13 02:40 <DIR> d-------- c:\programdata\ArcSoft

2009-02-13 02:32 . 2009-03-05 10:28 <DIR> d-------- c:\program files\Common Files\ArcSoft

2009-02-13 02:32 . 2008-11-27 09:58 69,632 --a------ c:\windows\System32\MMCEDT.exe

2009-02-13 00:45 . 2009-02-13 00:45 <DIR> d-------- c:\windows\Sun

2009-02-12 04:28 . 2009-02-12 04:30 <DIR> d-------- c:\users\gooner\AppData\Roaming\Media Player Classic

2009-02-11 21:34 . 2009-02-11 21:34 <DIR> d-------- c:\users\Public\CyberLink

2009-02-11 18:20 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\System32\D3DX9_40.dll

2009-02-11 18:20 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\System32\D3DX9_39.dll

2009-02-11 18:20 . 2008-10-27 10:04 514,384 --a------ c:\windows\System32\XAudio2_3.dll

2009-02-11 18:20 . 2008-07-30 06:20 509,448 --a------ c:\windows\System32\XAudio2_2.dll

2009-02-11 18:20 . 2008-10-27 10:04 70,992 --a------ c:\windows\System32\XAPOFX1_2.dll

2009-02-11 18:20 . 2008-07-30 06:20 68,616 --a------ c:\windows\System32\XAPOFX1_1.dll

2009-02-11 18:20 . 2008-10-27 10:04 23,376 --a------ c:\windows\System32\X3DAudio1_5.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-11 15:52 --------- d-----w c:\programdata\Kaspersky Lab

2009-03-11 15:51 655,392 --sha-w c:\windows\system32\drivers\fidbox2.dat

2009-03-11 15:51 4,458,528 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-03-11 15:51 4,368 --sha-w c:\windows\system32\drivers\fidbox2.idx

2009-03-11 15:51 38,008 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-03-11 15:48 --------- d-----w c:\users\gooner\AppData\Roaming\uTorrent

2009-03-11 15:48 --------- d-----w c:\users\gooner\AppData\Roaming\Skype

2009-03-10 10:38 --------- d-----w c:\program files\Common Files\Adobe

2009-03-09 00:19 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-09 00:19 --------- d-----w c:\programdata\CyberLink

2009-03-07 23:37 29,480 ----a-w c:\windows\System32\msxml3a.dll

2009-03-07 23:37 --------- d-----w c:\programdata\Temp

2009-03-07 23:31 --------- d-----w c:\users\gooner\AppData\Roaming\foobar2000

2009-03-04 22:05 --------- d-----w c:\program files\Windows Sidebar

2009-03-04 22:05 --------- d-----w c:\program files\Windows Photo Gallery

2009-03-04 22:05 --------- d-----w c:\program files\Windows Mail

2009-03-04 22:05 --------- d-----w c:\program files\Windows Defender

2009-03-04 22:05 --------- d-----w c:\program files\Windows Calendar

2009-03-04 14:41 --------- d-----w c:\programdata\Creative

2009-02-26 19:45 --------- d-----w c:\program files\The KMPlayer

2009-02-22 23:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-22 23:53 --------- d-----w c:\program files\AGEIA Technologies

2009-02-22 23:24 --------- d-----w c:\programdata\eMule

2009-02-22 22:24 --------- d-----w c:\users\gooner\AppData\Roaming\ATI

2009-02-21 22:02 --------- d-----w c:\users\gooner\AppData\Roaming\skypePM

2009-02-20 14:45 413,696 ----a-w c:\windows\System32\wrap_oal.dll

2009-02-20 14:45 110,592 ----a-w c:\windows\System32\OpenAL32.dll

2009-02-10 19:40 --------- d-----w c:\program files\SopCast

2009-02-10 17:09 --------- d-----w c:\program files\SA Dictionary 2008 Beta 4

2009-02-10 15:35 --------- d-----w c:\program files\SimBin

2009-02-10 10:57 --------- d-----w c:\programdata\SlySoft

2009-02-10 01:00 --------- d-----w c:\program files\MSXML 4.0

2009-02-08 19:22 --------- d-----w c:\programdata\Microsoft Help

2009-02-08 19:05 0 ---ha-w c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf

2009-02-08 19:04 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf

2009-02-08 19:04 --------- d-----w c:\programdata\PC Suite

2009-02-08 18:58 --------- d-----w c:\program files\Nokia

2009-02-08 18:57 --------- d-----w c:\programdata\Installations

2009-02-08 18:57 --------- d-----w c:\program files\Common Files\Nokia

2009-02-08 13:12 --------- d-----w c:\users\gooner\AppData\Roaming\Nokia

2009-02-08 12:50 --------- d-----w c:\programdata\Nokia

2009-02-08 12:49 --------- d-----w c:\users\gooner\AppData\Roaming\PC Suite

2009-02-08 12:49 --------- d-----w c:\program files\Common Files\muvee Technologies

2009-02-08 12:48 --------- d-----w c:\program files\DIFX

2009-02-08 12:48 --------- d-----w c:\program files\Common Files\PCSuite

2009-02-08 01:27 --------- d-----w c:\program files\OCCT

2009-02-07 20:33 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

2009-02-07 19:31 22,328 ----a-w c:\users\gooner\AppData\Roaming\PnkBstrK.sys

2009-02-07 19:04 --------- d-----w c:\programdata\Minnetonka Audio Software

2009-02-07 18:37 --------- d-----w c:\programdata\FLEXnet

2009-02-07 18:19 --------- d-----w c:\program files\Adobe Media Player

2009-02-07 18:18 --------- d-----w c:\program files\Common Files\Adobe AIR

2009-02-07 18:15 --------- d-----w c:\program files\Common Files\Macrovision Shared

2009-02-07 18:12 --------- d-----w c:\users\gooner\AppData\Roaming\DAEMON Tools Lite

2009-02-07 18:00 --------- d-----w c:\program files\Frameworkx

2009-02-07 17:58 --------- d-----w c:\program files\uTorrent

2009-02-07 17:56 --------- d-----w c:\program files\TVAnts

2009-02-07 17:55 --------- d-----w c:\programdata\Apple Computer

2009-02-07 17:53 --------- d-----w c:\programdata\Apple

2009-02-07 17:53 --------- d-----w c:\program files\QuickTime

2009-02-07 17:53 --------- d-----w c:\program files\Apple Software Update

2009-02-07 17:44 --------- d-----w c:\program files\foobar2000

2009-02-07 17:42 410,984 ----a-w c:\windows\System32\deploytk.dll

2009-02-07 17:42 --------- d-----w c:\program files\Java

2009-02-07 17:37 --------- d-----w c:\programdata\Raxco

2009-02-07 17:37 --------- d-----w c:\program files\Raxco

2009-02-07 17:18 --------- d-----w c:\programdata\Skype

2009-02-07 17:18 --------- d-----w c:\program files\Common Files\Skype

2009-02-07 17:18 --------- d-----r c:\program files\Skype

2009-02-07 17:13 --------- d-----w c:\users\gooner\AppData\Roaming\DAEMON Tools Pro

2009-02-07 17:13 --------- d-----w c:\users\gooner\AppData\Roaming\DAEMON Tools

2009-02-07 17:12 --------- d-----w c:\programdata\DAEMON Tools Lite

2009-02-07 17:12 --------- d-----w c:\program files\DAEMON Tools Lite

2009-02-07 17:10 717,296 ----a-w c:\windows\system32\drivers\sptd.sys

2009-02-07 17:07 89,601 ----a-w c:\windows\system32\drivers\klick.dat

2009-02-07 17:07 33,808 ----a-w c:\windows\system32\drivers\klbg.sys

2009-02-07 17:07 101,287 ----a-w c:\windows\system32\drivers\klin.dat

2009-02-07 17:03 --------- d-----w c:\program files\Kaspersky Lab

2009-02-07 17:02 --------- d-----w c:\programdata\Kaspersky Lab Setup Files

2009-02-07 16:29 --------- d-----w c:\program files\Media Key

2009-02-07 16:26 --------- d-----w c:\program files\Common Files\InstallShield

2009-02-07 16:26 --------- d-----w c:\program files\ASUS

2009-02-07 16:24 --------- d--h--w c:\program files\Creative Installation Information

2009-02-07 16:24 --------- d-----w c:\program files\Creative

2009-02-07 16:24 --------- d-----w c:\program files\Common Files\Creative

2009-02-07 16:21 --------- d-----w c:\program files\Common Files\Creative Labs Shared

2009-02-07 06:06 --------- d-----w c:\program files\Intel

2009-02-07 06:05 --------- d-----w c:\users\gooner\AppData\Roaming\InstallShield

2009-02-04 07:29 4,303,360 ----a-w c:\windows\system32\drivers\atikmdag.sys

2009-02-04 05:02 442,368 ----a-w c:\windows\System32\ATIDEMGX.dll

2009-02-04 05:00 43,520 ----a-w c:\windows\System32\ati2edxx.dll

2009-02-04 05:00 348,160 ----a-w c:\windows\System32\atipdlxx.dll

2009-02-04 05:00 274,432 ----a-w c:\windows\System32\Oemdspif.dll

2009-02-04 05:00 159,744 ----a-w c:\windows\System32\atitmmxx.dll

2009-02-04 05:00 11,264 ----a-w c:\windows\System32\atimuixx.dll

2009-02-04 04:59 286,720 ----a-w c:\windows\System32\Ati2evxx.dll

2009-02-04 04:58 729,088 ----a-w c:\windows\System32\Ati2evxx.exe

2009-02-04 04:49 2,391,552 ----a-w c:\windows\System32\atidxx32.dll

2009-02-04 04:43 3,903,488 ----a-w c:\windows\System32\atiumdag.dll

2009-02-04 04:22 4,905,472 ----a-w c:\windows\System32\atiumdva.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-07 270128]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-06 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]

"Ai Quicker Help"="c:\program files\ASUS\ASUS DH Remote\AsRc.exe" [2006-11-09 3165696]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-07 206088]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-07 148888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"P17RunE"="P17RunE.dll" [2007-04-09 c:\windows\System32\P17RunE.dll]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-02-07 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"BindDirectlyToPropertySetStorage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2101442651-3924509895-293194107-1000]

"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{357576B1-CD64-4F0D-A028-5B24F59BB280}"= c:\program files\Skype\Phone\Skype.exe:Skype

"TCP Query User{894C66EC-6BB3-4C98-BC74-D60B7019F181}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule

"UDP Query User{7D8AF942-D658-4CE0-983E-CF805B94D392}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule

"{2D831BFA-35ED-4482-93BE-5D7580C9B79F}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)

"{D063B82B-8A4A-478D-B98D-198E881AA94E}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

"{C39F338F-75B3-41DF-9694-0A38FBBB7FBD}"= UDP:5353:Adobe CSI CS4

"{0057CB30-C7A5-400E-BCE0-D14D4010A2BC}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4

"{E53188D8-DBED-4D29-8EA5-C24CDAD313B7}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4

"{729DE850-9B0A-4D34-993F-2C2C4B0BA6E4}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA

"{96B9EA80-B7AD-4DB1-AB48-0A329E984AD3}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA

"{55A30F7A-9710-4F00-9692-F3FB8354D752}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB

"{386922DB-AB53-4AD7-93E4-134DCCDB5654}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB

"{88018C83-A96F-4396-A986-556F1C53113F}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{C69774F7-03C0-4831-B0F7-287114A51BF5}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{15F46170-5051-42E3-AF0E-2353C72A93CA}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{552A39EC-1A73-4200-A914-1EDB8B65CD31}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{2510EFE7-FBB1-422E-995C-659BD9D1C71E}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{48A8C6B9-422A-46CF-B801-AD32077F4448}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{208A4320-C5F6-44BC-8786-DF65B46EAD1E}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{4E0AE165-26F9-4D0B-AAD0-A97ECF2F5E26}"= c:\program files\Skype\Phone\Skype.exe:Skype

"TCP Query User{492DE6FA-2562-49F8-8B69-1D821191E2D5}c:\\program files\\nokia\\software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\software updater\nsu_ui_client.exe:Nokia Software Updater

"UDP Query User{89861361-3E3D-45C9-8591-13322CFECD5A}c:\\program files\\nokia\\software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\software updater\nsu_ui_client.exe:Nokia Software Updater

"TCP Query User{3A17CF85-D256-409A-882D-0E711BD68447}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{147191FC-8610-4534-9317-11AA3A3AF01F}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

"{E42E64AD-F0FE-49D2-9D0A-4422A07E07AD}"= c:\program files\Skype\Phone\Skype.exe:Skype

"TCP Query User{A2A394FE-2705-4963-A046-9FFBE4E4DCEE}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater

"UDP Query User{32A5959B-73C8-4D59-ABE3-E36C3F81FC68}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater

"TCP Query User{BCC73C00-3D2B-482D-BE7F-A3F6765A4F57}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process

"UDP Query User{AA087DD7-7DBB-4028-9CF2-6137256C7CA2}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process

"{CD5735F6-43F9-4FF7-BFA3-F4F7139EF2F5}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{61674B6E-74D3-4CE1-8F66-64520B1DEEE2}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{1111EAEA-AE79-4C35-825C-3AAE78CA392E}"= c:\program files\Skype\Phone\Skype.exe:Skype

"TCP Query User{91C48AD9-AE21-48C3-AC41-FBCA68100E37}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts

"UDP Query User{7DD75C2C-B157-4347-806F-5E18E5DD8DB7}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts

"TCP Query User{2408C897-68D0-4F0D-87F9-F9C5E8794AC2}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application

"UDP Query User{310ECFCA-F858-447D-9A1E-E6884AEDFCC5}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application

"{23A46B80-96BD-45E7-838F-E4E6E4EEEEB8}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{53C0AA7C-FD2E-41BC-9A5C-FAF56142326A}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{4F9F4A34-5871-4259-9087-A2C4755BC65B}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{F0153B52-0CDF-442F-8AE4-8A341C500068}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{72CD6C15-779F-4296-B7BA-DFE17B942CA6}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{339EF50A-A237-4844-96C9-BBD359FCA022}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{3A935BBD-5EFA-40B0-802F-2D790E44B4B3}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{81949C9F-8050-4CBE-A33A-D89BBF4D92E6}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{77C587BF-FA1E-4B6F-97A8-6E1DF6A3213B}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{D928A087-1DF7-4E32-B3A9-F472F778D6A6}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{A1F6C9D2-B0A6-4AE2-B806-4A872EFA290C}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{9358EF27-FFF7-4288-81D9-091D07EE81A6}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{72AAF988-21AC-4439-BC03-260A7489CDE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{E021143B-21C3-401F-81DB-456A6D4B54AC}"= c:\program files\Skype\Phone\Skype.exe:Skype

"TCP Query User{0F12C769-ADD9-41CF-A09C-36D2552CD41A}c:\\users\\gooner\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\gooner\appdata\local\google\chrome\application\chrome.exe:chrome.exe

"UDP Query User{8EDEEF08-A12F-4135-AE8B-BBEBDCC31E8B}c:\\users\\gooner\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\gooner\appdata\local\google\chrome\application\chrome.exe:chrome.exe

"{9BBF8C6A-93B0-4C65-9D9E-CEE3106E051B}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{F1483C5A-EFA7-4E40-AA80-9698E451F7AE}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{E83BF5E2-4ADA-4807-B2DC-4D790379B96D}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{231C9DCC-915C-4E6F-B828-E601A9895EE1}"= c:\program files\Skype\Phone\Skype.exe:Skype

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [2008-01-29 33808]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [2008-07-09 20496]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-03-10 1153368]

R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [2008-10-31 335872]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-02-07 79360]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ee47d49-f53a-11dd-968c-0018f3f55c6c}]

\shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f41e31a-fd59-11dd-a18d-0018f3f55c6c}]

\shell\AutoRun\command - g:\wd_windows_tools\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} - %SystemRoot%\system32\EhStorShell.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sky.bg/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-11 17:52:12

Windows 6.0.6002 Service Pack 2, v.286 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\System32\audiodg.exe

c:\windows\System32\conime.exe

c:\windows\System32\Ati2evxx.exe

c:\program files\Raxco\PerfectDisk10\PDAgent.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\windows\System32\rundll32.exe

c:\program files\ASUS\ASUS DH Remote\AsDHRemote.exe

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Media Key\OSD.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\Raxco\PerfectDisk10\PDAgentS1.exe

c:\windows\System32\dllhost.exe

.

**************************************************************************

.

Completion time: 2009-03-11 17:54:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-11 15:54:35

Pre-Run: 16 068 886 528 bytes free

Post-Run: 15,737,679,872 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10

330 --- E O F --- 2009-03-11 14:18:07

rvp, do it again, but this time like this:

1. Download ComboFix

2. Save it to your desktop

3. Go to Start -> Run... and enter the following command, followed by OK:

"%userprofile%\desktop\combofix.exe" /killall

4. After the program finishes, Notepad will open; copy its contents and paste it in your next post here.

I have no idea what this means. You will probably find this topic pretty dumb. It happens to me from time to time and I don't know how to fix it. It says "fsproflt.exe encountered a problem and needed to close". When I click "error report", an "error signature" appears: szAppName:fsproflt.exe;szAppVer:3.1.0.35;szModName:fsproflt.exe;szModVer:3.1.0.35;offset:00002678

Yesterday I updated Windows and I don't know whether it's because of that. So what does all this mean and how do I fix it? Thanks!

P.S.: I also defragmented and cleaned up the disk :rolleyes:

FSPro Labs Filter service... You can find it in system32. From the look of it, this is either some virus or some kind of firewall. Run your antivirus and let it search... In my opinion it's nothing important, and you can delete it if it causes problems. Scan with your antivirus first.


http://www.runscanner.net/fileinfo/fsproflt.exe.html

If you have something installed that is in some way associated with this name, uninstall it.

If you have no such program, find where the file itself is located. Its location can help figure out what it is.
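The advice above (locate the file, then judge it by where it lives and what it belongs to) can be done in one pass from an elevated PowerShell prompt. The script below is an added example and is not code from the original thread; it assumes a modern PowerShell (Get-FileHash and Get-CimInstance need 4.0/3.0 or later) and takes the file name as a parameter, defaulting to the fsproflt.exe from the crash dialog. It does not assert anything about what fsproflt.exe is; it only collects the evidence a reader would use to decide.

```powershell
# Added example (not from the original thread): triage an unknown executable by name.
# Assumptions: PowerShell 4.0+ (Get-FileHash), run from an elevated prompt so system
# directories, services and HKLM are readable.
param(
    [string]$FileName = 'fsproflt.exe'   # file name taken from the crash dialog in the thread
)

$roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
           $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
         Where-Object { $_ -and (Test-Path $_) }

# 1. Locate every copy. A second copy outside System32/Program Files (e.g. in %TEMP%
#    or a user profile) is a stronger signal than the name alone.
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue
}
if (-not $hits) { Write-Host "No file named $FileName found under the scanned roots."; return }

foreach ($f in $hits) {
    Write-Host "`n== $($f.FullName)"
    Write-Host "Size/modified  : $($f.Length) bytes, $($f.LastWriteTime)"
    $vi = $f.VersionInfo
    Write-Host "Company/Product: '$($vi.CompanyName)' / '$($vi.ProductName)' v$($vi.FileVersion)"

    # 2. Authenticode. 'Valid' with a recognisable signer backs up the CompanyName string;
    #    'NotSigned' or 'HashMismatch' means that string is just text anyone can put there.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    Write-Host "Signature      : $($sig.Status)  signer='$($sig.SignerCertificate.Subject)'"

    # 3. Hash to look up against a multi-engine / reputation service.
    $sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Host "SHA256         : $sha256"

    # 4. What loads it: services/drivers and the Run keys. A file that runs but has no
    #    service, driver or autostart entry pointing at it deserves a closer look.
    $svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$FileName*" }
    foreach ($s in $svc) {
        Write-Host "Service        : $($s.Name) ($($s.StartMode)) -> $($s.PathName)"
    }

    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -like "*$FileName*" } |
                ForEach-Object { Write-Host "Run entry      : $k\$($_.Name) = $($_.Value)" }
        }
    }
}
```

Save it under any name (say Triage-File.ps1, a name chosen here, not one from the thread) and run `.\Triage-File.ps1 -FileName fsproflt.exe` from an elevated prompt. Read the output in this order: valid signature and a known signer means the vendor string can be trusted; an unsigned file in System32 that a service points at is most likely a product component, so uninstalling that product through Programs and Features is safer than deleting the file, which can leave a service or filter driver that fails at every boot; an unsigned file with no service or Run entry referencing it is the case worth submitting by hash for a second opinion.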

It's in system32. I scanned and it did not show anything infected. I checked the file itself too. As for whether I have such a program, I have no idea. Should I delete it? What should I do :)
