Help with detecting and removing viruses, Trojan horses, etc., part 2


Thanks to everyone!

I'll try first thing tomorrow.

Good night

Yes, and after that we'll multiply it so it isn't alone, and in the end they'll throw a family party.......... Come back down to earth and stop misleading people. What is Gmer? A program for calculating cakes? Rootkit Revealer, for hiding a rootkit?

Hello!

Let me report what I did with my computer.

Since I didn't dare delete anything, I downloaded Malwarebytes' Anti-Malware.

I scanned the computer with it twice. After the first scan it found maybe about ten infected objects, and after deleting them the following appeared:

Malwarebytes' Anti-Malware 1.35

Версия на базата от данни: 1927

Windows 5.1.2600 Service Pack 2

01.4.2009 г. 10:28:46

mbam-log-2009-04-01 (10-28-46).txt

Тип сканиране: Пълно сканиране (C:\|)

Сканирани обекти: 124059

Изминало време: 1 hour(s), 22 minute(s), 23 second(s)

Заразени процеси в паметта: 0

Заразени модули в паметта: 0

Заразени ключове в регистратурата: 7

Заразени стойности в регистратурата: 0

Заразени информационни обекти в регистратурата: 0

Заразени папки: 0

Заразени файлове: 3

Заразени процеси в паметта:

(Не бяха открити заплахи)

Заразени модули в паметта:

(Не бяха открити заплахи)

Заразени ключове в регистратурата:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xttb00001.xttb00001toolbar (Adware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSNETDED (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSNETDED (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.

Заразени стойности в регистратурата:

(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:

(Не бяха открити заплахи)

Заразени папки:

(Не бяха открити заплахи)

Заразени файлове:

C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Program Files\ICQToolbar\toolbaru.dll (Adware.BHO) -> Delete on reboot.

I ran a second scan as well. It found 2 objects and returned the following:

Версия на базата от данни: 1927

Windows 5.1.2600 Service Pack 2

01.4.2009 г. 12:31:05

mbam-log-2009-04-01 (12-31-05).txt

Тип сканиране: Пълно сканиране (A:\|C:\|D:\|E:\|)

Сканирани обекти: 124596

Изминало време: 1 hour(s), 49 minute(s), 58 second(s)

Заразени процеси в паметта: 0

Заразени модули в паметта: 0

Заразени ключове в регистратурата: 1

Заразени стойности в регистратурата: 0

Заразени информационни обекти в регистратурата: 0

Заразени папки: 0

Заразени файлове: 1

Заразени процеси в паметта:

(Не бяха открити заплахи)

Заразени модули в паметта:

(Не бяха открити заплахи)

Заразени ключове в регистратурата:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Заразени стойности в регистратурата:

(Не бяха открити заплахи)

Заразени информационни обекти в регистратурата:

(Не бяха открити заплахи)

Заразени папки:

(Не бяха открити заплахи)

Заразени файлове:

C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

Now I'm wondering what to do. Was the deletion successful, and should I scan again?

Edited by mima_ruse_71
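The two logs in the post above can be compared mechanically: an object reported as removed in the first scan and detected again in the second is one the removal did not hold for. The following is an added example, not part of the original post; the function names are illustrative and the sample lines are excerpted from the two logs above.

```python
import re

# A detection line in these Malwarebytes' Anti-Malware logs has the shape:
#   <registry key or file path> (<Family.Name>) -> <action taken>.
DETECTION = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[A-Za-z0-9_.\-]+)\) -> (?P<action>.+?)\.?$"
)


def parse_detections(log_text):
    """Return {lower-cased object: (family, action)} for one scan log.

    Summary counters, section headings and "(no threats found)" lines do not
    contain the "(Family) -> action" pattern and are skipped.
    """
    found = {}
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            # Windows paths and registry keys are case-insensitive.
            found[m.group("obj").lower()] = (m.group("family"), m.group("action"))
    return found


def compare_scans(first_log, second_log):
    """Classify detections across two consecutive scans of the same machine."""
    first = parse_detections(first_log)
    second = parse_detections(second_log)
    return {
        # Removed in scan 1 yet present again in scan 2.
        "recurring": sorted(set(first) & set(second)),
        # Seen in scan 1 only.
        "cleared": sorted(set(first) - set(second)),
        # Seen in scan 2 only.
        "new": sorted(set(second) - set(first)),
        # Scan-1 removals that only complete after a restart.
        "pending_reboot": sorted(
            obj for obj, (_, action) in first.items() if "reboot" in action.lower()
        ),
    }


# Sample input: lines excerpted from the first log in the post (10:28:46).
FIRST_SCAN = r"""
Тип сканиране: Пълно сканиране (C:\|)
Заразени ключове в регистратурата:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSNETDED (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
Заразени папки:
(Не бяха открити заплахи)
Заразени файлове:
C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\ICQToolbar\toolbaru.dll (Adware.BHO) -> Delete on reboot.
"""

# Sample input: lines excerpted from the second log in the post (12:31:05).
SECOND_SCAN = r"""
Тип сканиране: Пълно сканиране (A:\|C:\|D:\|E:\|)
Заразени ключове в регистратурата:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
Заразени файлове:
C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    report = compare_scans(FIRST_SCAN, SECOND_SCAN)
    for category, objects in report.items():
        print(category)
        for obj in objects:
            print("   ", obj)
```

On these two logs the `sysdrv32` service key and its driver file land in `recurring`, while the other first-scan entries are `cleared`.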

This is about the following virus:

"It is called CONFICKER and is a threat of the so-called worm type, which exploits a vulnerability in Microsoft Windows in order to spread. The new versions also propagate via USB and MP3 players.

Conficker is a new kind of worm that has already affected thousands of computers worldwide. PandaLab, the laboratory of Panda Security, has identified a total of three variants of this type of malicious code (Conficker A, B and C). The first known appearance of this threat was at the end of November, and in the period after the Christmas and New Year holidays its spread grew dramatically.

Conficker spreads through the MS08-067 vulnerability in the Microsoft Windows Server service, using specially crafted RPC calls to other machines. RPC stands for Remote Procedure Call, a protocol which in this case allows the worm's creators to remotely control the infected machine.

The level of the threat is growing because this worm constantly updates itself, downloading its new versions onto the infected machine through various changing IP addresses that are hard to block. At the same time, some variants are designed to download other malicious software. This suggests that the worm's authors are preparing to carry out a large-scale attack in the near future with the help of the infected machines.

The new kind of threat is very similar to those seen years ago, such as "Melissa" and "I love you". Like them, Conficker's attempt to infect a maximum number of computers is possible. The difference is that while those worms spread via floppy disk, this one uses USB devices.

And I'll repeat once more: don't forget to turn on the Windows FIREWALL, because for now it is the only thing saving us from the WORM!!!" (Copied from virusinfo-bg.org)

I searched here for the specialists' opinions on this virus; is anyone familiar with it?

I hope I'm not bothering you with my novice question...

:speak:

:yanim:

http://www.kaldata.com/forums/index.php?sh...t&p=1338919

I'm adding this collection:

http://4storing.com/vbd62/2240147ed595cbfe...9444b83333.html

Recommendations:

*Download the latest updates for Windows

*Disable the Server service (Start => Run => services.msc)

*Turn off the Autorun feature

Information from today:

This morning Avast started on its own and did a thorough scan; the monitor display turned entirely blue and listed the objects it was scanning at that moment. Then it restarted and worked all day without problems. /knock on wood :speak: /

With my colleague, however, it's not quite like that; hers "froze" completely. She is trying to fix it, I don't know how far she has got. And mine has started to "open" more slowly.

That made me think to check again how things stand.

Here are the results:

The attached file contains the results from Malwarebytes' Anti-Malware.

And this is from SUPERAntiSpyware Free Edition:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 04/02/2009 at 03:54 PM

Application Version : 4.26.1000

Core Rules Database Version : 3822

Trace Rules Database Version: 1778

Scan type : Quick Scan

Total Scan Time : 00:16:23

Memory items scanned : 542

Memory threats detected : 0

Registry items scanned : 409

Registry threats detected : 0

File items scanned : 6161

File threats detected : 14

Adware.Tracking Cookie

C:\Documents and Settings\USER\Cookies\user@statcounter[1].txt

C:\Documents and Settings\USER\Cookies\[email protected][1].txt

C:\Documents and Settings\USER\Cookies\user@imrworldwide[2].txt

C:\Documents and Settings\USER\Cookies\[email protected][1].txt

C:\Documents and Settings\USER\Cookies\[email protected][1].txt

C:\Documents and Settings\USER\Cookies\[email protected][2].txt

C:\Documents and Settings\USER\Cookies\user@media6degrees[1].txt

C:\Documents and Settings\USER\Cookies\[email protected][2].txt

C:\Documents and Settings\USER\Cookies\user@clicktorrent[1].txt

C:\Documents and Settings\USER\Cookies\user@doubleclick[1].txt

C:\Documents and Settings\USER\Cookies\user@mediaplex[2].txt

C:\Documents and Settings\USER\Cookies\[email protected][2].txt

C:\Documents and Settings\USER\Cookies\[email protected][2].txt

C:\Documents and Settings\USER\Cookies\[email protected][3].txt

Edited by mima_ruse_71

Hello, I have a problem with my computer. I plugged in the flash drive and the NOD32 antivirus started screaming; I tried to delete it, it doesn't work; I formatted the flash drive, deleted in safe mode, still doesn't work. I figure the problem is with the computer, not the flash drive, because when I plug it into another one it shows as empty. Then I plugged a clean flash drive into the computer again and the same message from NOD came up. I scanned with HijackThis and am attaching the log, thanks in advance :)

hijackthis.txt

mima_ruse_71, wait for B-Boy[styLe] to come online; he will assist you.

milavanila, open HijackThis, choose Do a system scan only and tick the following lines:

O4 - HKLM\..\Run: [WSVCHO] C:\WINDOWS\system\svhost.exe

O4 - HKLM\..\Run: [WSSVC] C:\WINDOWS\system\smsc.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O23 - Service: Windows Updater (Windows Update) - Unknown owner - C:\WINDOWS\itunes.exe (file missing)

Finally, close the browser and choose Fix Checked.

After that:

1. Download ComboFix

2. Save it to the desktop

3. Go to Start -> Run... and enter the following command, followed by OK:

"%userprofile%\desktop\combofix.exe" /killall

4. After the program finishes, Notepad will open; copy its contents and paste them into your next post here.

@mima_ruse_71

Download the RSIT program and run it.

Select Continue in the dialog window and, after the check finishes, post the two log files it creates.

(PS: or simply open them and post the results in your next post via copy/paste.)

I'm going out for a bit and will analyze them as soon as I get back! :)

This is what came out as the result, but it seems to be only one log file:

info.txt logfile of random's system information tool 1.06 2009-04-02 17:29:48

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}

32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{F0F4DAC1-60DC-4D01-8BD9-DB8DA05A8A0F}

7-Zip 4.31-->"C:\Program Files\7-Zip\Uninstall.exe"

Ad-Aware SE Personal-->"C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE"

Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Attribute Changer 5.23-->C:\Program Files\Attribute Changer\uninstall.exe

avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup

bxNewFolder 1.0-->C:\Program Files\bxNewFolder\uninstall.exe

CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}

CopyURL 2.3.1-->C:\Program Files\CopyURL\Uninstall.exe C:\PROGRA~1\CopyURL\Install.log

Cyrilla Correct-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{EA889729-495C-4B75-AE3D-AF84BB5FC839} /l1026

DAEMON Tools - awxDTools-->MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}

DAMN NFO Viewer-->MsiExec.exe /X{715CE48D-7056-4D0A-AEDD-B795CC9DB1CC}

Eraser 5.7-->MsiExec.exe /I{03F5D5BA-55C6-4BA1-A5EF-FE26040CC8DB}

Fast Typing 3.3-->"C:\Program Files\AB-Tools.com\Fast Typing\unins000.exe"

Foxit (Uninstall Only)-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection RemoveMe 132 C:\WINDOWS\inf\Foxit.inf

Free Download Manager 2.1-->"C:\Program Files\Free Download Manager\unins000.exe"

Gaberoff Koral Free German Dictionary 1.0-->C:\PROGRA~1\GABERO~1\GABERO~1.0\UNWISE.EXE C:\PROGRA~1\GABERO~1\GABERO~1.0\INSTALL.LOG

Gaberoff Koral German Dictionary 1.01-->C:\PROGRA~1\GABERO~1\GABERO~2.0\UNWISE.EXE C:\PROGRA~1\GABERO~1\GABERO~2.0\INSTALL.LOG

Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall

Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"

HP Customer Participation Program 9.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat

HP LaserJet 3050/3052/3055/3390/3392 4.0-->C:\Program Files\HP\Digital Imaging\{63B8035B-0743-45d3-A38D-B15B88F63EF7}\setup\hpzscr01.exe -datfile hppscr02.dat -onestop -forcereboot

HP LaserJet M2727 MFP Series 5.0-->C:\Program Files\HP\Digital Imaging\{3A915D43-FD4F-4e4f-BEF7-B75C160B0236}\setup\hpzscr01.exe -datfile hppscr07.dat -onestop -forcereboot

HP OrderReminder-->"C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1018

HPSSupply-->MsiExec.exe /X{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}

Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}

Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572

IrfanView 3.98-->MsiExec.exe /I{C65E99C9-C379-4A2F-8D9C-246324676A1A}

ISO Recorder-->MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}

J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}

K-Lite Mega Codec Pack 1.47-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"

KoralSoft - EuroDictXP-->C:\Program Files\KoralSoft\EuroDictXP\Uninstall.exe

LaserJet 1018-->C:\Program Files\Zenographics\{C5E5ABB7-4B72-4538-90A8-F2D7C0A8656E}\setup.exe -u "HPLJInstaller.dll=Hplj1018.inf"

LClock-->C:\Program Files\LClock\Uninstall.exe

Macromedia Flash Player 8-->MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0-->MsiExec.exe /X{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}

Microsoft Color Control Panel Applet for Windows XP-->MsiExec.exe /X{CE378F36-E404-4244-A33F-F50A2A6D31BD}

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Microsoft Plus! for Windows XP-->MsiExec.exe /I{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}

Mozilla Firefox (2.0.0.20)-->C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe

MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}

MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

NTREGOPT 1.1j-->"C:\Program Files\NT Registry Optimizer\unins000.exe"

PC Connectivity Solution-->MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}

PC-Bibliothek Express-->C:\WINDOWS\unin0407.exe -fC:\PC-BIB\DeIsL1.isu -cC:\PC-BIB\_ISREG32.DLL

PDF reDirect (remove only)-->C:\Program Files\PDF reDirect\Uninstall.exe

PeaZip 1.9.2-->"C:\Program Files\PeaZip\unins000.exe"

PeerGuardian 2.0-->"C:\Program Files\PeerGuardian2\unins000.exe"

Picture Resize Genius 2.8.2-->"C:\Program Files\Picture Resize Genius\unins000.exe"

RegShot 1.7-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\UberPack.inf,reguninstall

SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe

SAMSUNG Mobile Composite Device Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe

Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe

SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe

SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe

Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0019 -removeonly

Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}

Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"

Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"

Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"

Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"

Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"

Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"

Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"

Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"

Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"

Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"

Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"

Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"

Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"

Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"

Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"

Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"

Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"

Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"

Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"

Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"

Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"

Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"

Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"

Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"

Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"

Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"

Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"

Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"

Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}

SmartMovie Converter-->"C:\Program Files\Lonely Cat Games\SmartMovie Converter\IIUninst.exe" C:\Program Files\Lonely Cat Games\SmartMovie Converter\install.log

SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"

SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}

TaskSwitchXP-->C:\Program Files\TaskSwitchXP\uninst.exe

The_Pirate_Bay Toolbar-->C:\PROGRA~1\THE_PI~1\UNWISE.EXE C:\PROGRA~1\THE_PI~1\INSTALL.LOG

TRADER.BG2 1.39-->"C:\Program Files\TRADER.BG2\unins000.exe"

Ulead Photo Express 5 SE-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31383A1D-FAE6-435A-9DBD-FDB61C7C8EC9}\Setup.exe" -l0x9

UltraVNC 1.0.4 RC6-->"C:\Program Files\UltraVNC\unins000.exe"

Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"

Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"

Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"

Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"

Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"

Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"

Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"

Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"

Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"

Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"

Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"

Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"

Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"

VideoLAN VLC media player 0.8.4-->C:\Program Files\VideoLAN\VLC\uninstall.exe

Winamp 5.12-->MsiExec.exe /I{5EF042E2-7F7D-49DA-BFB0-EE2CE566F6DA}

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}

Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"

Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"

Securitycenter WMI appears to be broken

======System event log======

Computer Name: USER1

Event Code: 3004

Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {068D88D0-7B79-4862-983E-36D35AD11A46}

User: USER1\USER

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;file:C:\WINDOWS\system32\spoolsv.exe

Alert Type: Unclassified software

Detection Type:

Record Number: 6662

Source Name: WinDefend

Time Written: 20090326094711.000000+120

Event Type: warning

User:

Computer Name: USER1

Event Code: 3004

Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {09BF4E08-36EF-49C7-8A21-BDD64E67FBB2}

User: USER1\USER

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;file:C:\WINDOWS\system32\spoolsv.exe

Alert Type: Unclassified software

Detection Type:

Record Number: 6660

Source Name: WinDefend

Time Written: 20090326094207.000000+120

Event Type: warning

User:

Computer Name: USER1

Event Code: 3004

Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {C7386FDE-405E-476B-A65A-C5075E6F6F3B}

User: USER1\USER

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;file:C:\WINDOWS\system32\spoolsv.exe

Alert Type: Unclassified software

Detection Type:

Record Number: 6658

Source Name: WinDefend

Time Written: 20090326093704.000000+120

Event Type: warning

User:

Computer Name: USER1

Event Code: 3004

Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {4C83599B-20A0-4332-B0DD-FC177EABB591}

User: USER1\USER

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;file:C:\WINDOWS\system32\spoolsv.exe

Alert Type: Unclassified software

Detection Type:

Record Number: 6656

Source Name: WinDefend

Time Written: 20090326093159.000000+120

Event Type: warning

User:

Computer Name: USER1

Event Code: 3004

Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {F4B968A5-CED9-4078-9824-2EB07017A565}

User: USER1\USER

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe;file:C:\WINDOWS\system32\spoolsv.exe

Alert Type: Unclassified software

Detection Type:

Record Number: 6654

Source Name: WinDefend

Time Written: 20090326092654.000000+120

Event Type: warning

User:

=====Application event log=====

Computer Name: USER1

Event Code: 11

Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdo...authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Record Number: 721

Source Name: crypt32

Time Written: 19800209234002.000000+120

Event Type: error

User:

Computer Name: USER1

Event Code: 11

Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdo...authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Record Number: 718

Source Name: crypt32

Time Written: 19800209234002.000000+120

Event Type: error

User:

Computer Name: USER1

Event Code: 11

Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdo...authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Record Number: 717

Source Name: crypt32

Time Written: 19800209234002.000000+120

Event Type: error

User:

Computer Name: USER1

Event Code: 11

Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdo...authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Record Number: 714

Source Name: crypt32

Time Written: 19800209234002.000000+120

Event Type: error

User:

Computer Name: USER1

Event Code: 11

Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdo...authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Record Number: 713

Source Name: crypt32

Time Written: 19800209234002.000000+120

Event Type: error

User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel

"PROCESSOR_REVISION"=0304

"NUMBER_OF_PROCESSORS"=1

"DEVMGR_SHOW_DETAILS"=1

"DEVMGR_SHOW_NONPRESENT_DEVICES"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

@mima_ruse_71

Download the RSIT program and run it.

Choose Continue in the dialog window and, once the scan has finished, post the two log files that it will create.


(PS: or simply open them and copy/paste the results into your next post.)

I'm stepping out for a bit and will analyze them as soon as I get back! ;)

Here is the other one:

Logfile of random's system information tool 1.06 (written by random/random)

Run by USER at 2009-04-02 17:28:44

Microsoft Windows XP Professional Service Pack 2

System drive C: has 18 GB (48%) free of 38 GB

Total RAM: 503 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:29, on 2009-04-02

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\LClock\LClock.exe

C:\WINDOWS\system32\mmm.exe

C:\WINDOWS\system32\StartupMonitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\Utilities\Eraser\eraser.exe

C:\Program Files\Free Download Manager\fdm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Cyrilla\nav2000.exe

C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe

C:\PROGRA~1\BXNEWF~1\bxExpHelper.exe

C:\Documents and Settings\USER\Desktop\RSIT.exe

C:\Program Files\trend micro\USER.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.bg/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)

R3 - URLSearchHook: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe0.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)

O3 - Toolbar: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe0.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [KelsPakSoft] C:\WINDOWS\system32\mmm.exe

O4 - HKLM\..\Run: [startupMonitor] "C:\WINDOWS\system32\StartupMonitor.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Utilities\Eraser\eraser.exe -hide

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [addon_ql] C:\WINDOWS\system32\dgfix.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Eraser] "C:\Program Files\Utilities\Eraser\eraser.exe" -hide (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F9850A90-F270-4BE2-9D2E-F5DE24EBD9C7}: NameServer = 212.39.90.42,212.39.90.43

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--

End of file - 8305 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51C8BCA8-2524-4523-BF09-738C4EEBFC58}]

bxNewFolder - C:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL [2004-03-11 191488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a33fa729-d155-4b23-842b-2c665ecabdb6}]

The Pirate Bay Toolbar - C:\Program Files\The_Pirate_Bay\tbThe0.dll [2009-03-10 1883672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-05-04 734704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]

FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdmcks.dll [2006-08-20 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

{855F3B16-6D32-4fe6-8A56-BBB695989046} - ICQ Toolbar - C:\PROGRA~1\ICQTOO~1\toolbaru.dll []

{a33fa729-d155-4b23-842b-2c665ecabdb6} - The Pirate Bay Toolbar - C:\Program Files\The_Pirate_Bay\tbThe0.dll [2009-03-10 1883672]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]

"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]

"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]

"LClock"=C:\Program Files\LClock\LClock.exe [2004-09-19 65536]

"KelsPakSoft"=C:\WINDOWS\system32\mmm.exe [2005-07-05 828416]

"StartupMonitor"=C:\WINDOWS\system32\StartupMonitor.exe [2005-11-01 86016]

"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-05-16 79224]

"Ulead Photo Express Calendar Checker"=C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe [2004-01-12 69632]

"ToolBoxFX"=C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2008-01-10 53248]

"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Eraser"=C:\Program Files\Utilities\Eraser\eraser.exe [2003-07-25 536576]

"Free Download Manager"=C:\Program Files\Free Download Manager\fdm.exe [2006-08-23 2068527]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

c:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]

c:\Program Files\HP\HP UT\bin\hppusg.exe [2007-08-31 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [2006-01-30 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe -onlytray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]

C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe [2005-08-24 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]

c:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2008-01-10 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]

C:\PROGRA~1\IVTCOR~1\BLUESO~1\BLUESO~1.EXE []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\netmon32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"DisableStatusMessages"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoResolveTrack"=1

"LinkResolveIgnoreLinkInfo "=1

"NoSMConfigurePrograms"=1

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"ForceClassicControlPanel"=

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\µTorrent\µTorrent.exe"="C:\Program Files\µTorrent\µTorrent.exe:*:Enabled:µTorrent"

"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

"C:\hp_LJ3050-3052-3055-3390-3392_Full_Solution\setup\hppniprint01.exe"="C:\hp_LJ3050-3052-3055-3390-3392_Full_Solution\setup\hppniprint01.exe:*:Enabled:hppniprint01.exe"

"C:\hp_LJ3050-3052-3055-3390-3392_Full_Solution\setup\hpntwkexe.exe"="C:\hp_LJ3050-3052-3055-3390-3392_Full_Solution\setup\hpntwkexe.exe:*:Enabled:hpntwkexe.exe"

"C:\Program Files\UltraVNC\vncviewer.exe"="C:\Program Files\UltraVNC\vncviewer.exe:*:Enabled:vncviewer.exe"

"C:\Program Files\HP\hp laserjet m2727\Fax Config utility0.exe"="C:\Program Files\HP\hp laserjet m2727\Fax Config utility0.exe:*:Enabled:HP Networked Printer Installer"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

"C:\WINDOWS\system\netmon.exe"="C:\WINDOWS\system\netmon.exe:*:Microsoft Enabled"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5421dbae-1983-11dc-9c3a-00118514e4ae}]

shell\AutoRun\command - G:\USBNB.exe

======File associations======

.bat - edit - C:\WINDOWS\system32\NOTEPAD2.EXE %1

.cmd - edit - C:\WINDOWS\system32\NOTEPAD2.EXE %1

.inf - open - C:\WINDOWS\system32\NOTEPAD2.EXE %1

.ini - open - C:\WINDOWS\system32\NOTEPAD2.EXE %1

.js - edit - C:\WINDOWS\system32\Notepad2.exe %1

.reg - edit - C:\WINDOWS\system32\NOTEPAD2.EXE %1

.txt - open - C:\WINDOWS\system32\NOTEPAD2.EXE %1

.vbs - edit - C:\WINDOWS\system32\Notepad2.exe %1

======List of files/folders created in the last 1 months======

2009-04-02 17:28:48 ----D---- C:\Program Files\trend micro

2009-04-02 17:28:44 ----D---- C:\rsit

2009-04-02 10:35:47 ----D---- C:\Documents and Settings\USER\Application Data\FileZilla

2009-04-02 08:37:39 ----D---- C:\Avenger

2009-04-01 16:04:23 ----SHD---- C:\RECYCLER

2009-04-01 15:42:56 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-01 15:42:42 ----D---- C:\Program Files\SUPERAntiSpyware

2009-04-01 15:42:42 ----D---- C:\Documents and Settings\USER\Application Data\SUPERAntiSpyware.com

2009-04-01 15:42:04 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2009-04-01 15:22:10 ----A---- C:\ComboFix.txt

2009-04-01 14:28:07 ----D---- C:\Program Files\xerox

2009-04-01 14:28:06 ----D---- C:\WINDOWS\system32\xircom

2009-04-01 14:28:06 ----D---- C:\WINDOWS\srchasst

2009-04-01 14:28:06 ----D---- C:\Program Files\netmeeting

2009-04-01 14:28:06 ----D---- C:\Program Files\msn gaming zone

2009-04-01 14:28:06 ----D---- C:\Program Files\movie maker

2009-04-01 14:28:05 ----D---- C:\Program Files\microsoft frontpage

2009-04-01 14:20:33 ----A---- C:\WINDOWS\zip.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\VFIND.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\SWSC.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\SWREG.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\sed.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\NIRCMD.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\grep.exe

2009-04-01 14:20:33 ----A---- C:\WINDOWS\fdsv.exe

2009-04-01 14:20:27 ----D---- C:\WINDOWS\ERDNT

2009-04-01 14:20:22 ----D---- C:\Qoobox

2009-04-01 09:01:03 ----D---- C:\Documents and Settings\USER\Application Data\Malwarebytes

2009-04-01 09:00:50 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2009-04-01 09:00:49 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-03-31 13:31:17 ----A---- C:\WINDOWS\system32\ztvunrar36.dll

2009-03-31 13:31:17 ----A---- C:\WINDOWS\system32\ztvunace26.dll

2009-03-31 13:31:17 ----A---- C:\WINDOWS\system32\ztvcabinet.dll

2009-03-31 13:31:17 ----A---- C:\WINDOWS\system32\UNRAR3.dll

2009-03-31 13:31:17 ----A---- C:\WINDOWS\system32\unacev2.dll

2009-03-31 13:31:14 ----D---- C:\Documents and Settings\USER\Application Data\Simply Super Software

2009-03-27 10:41:18 ----A---- C:\WINDOWS\system32\msvcrt2.dll

======List of files/folders modified in the last 1 months======

2009-04-02 17:28:48 ----RD---- C:\Program Files

2009-04-02 17:28:48 ----D---- C:\WINDOWS\Prefetch

2009-04-02 17:28:47 ----D---- C:\WINDOWS\Temp

2009-04-02 17:28:32 ----D---- C:\Documents and Settings\USER\Application Data\Skype

2009-04-02 17:27:12 ----D---- C:\Documents and Settings\USER\Application Data\Free Download Manager

2009-04-02 15:53:45 ----D---- C:\Documents and Settings\USER\Application Data\uTorrent

2009-04-02 15:38:34 ----D---- C:\WINDOWS\system32\CatRoot2

2009-04-02 11:46:58 ----D---- C:\BLANKI

2009-04-02 11:18:33 ----D---- C:\Регистър полици

2009-04-02 10:25:26 ----D---- C:\Program Files\FileZilla

2009-04-02 09:53:07 ----SHD---- C:\WINDOWS\Installer

2009-04-02 09:53:07 ----HD---- C:\Config.Msi

2009-04-02 09:53:04 ----D---- C:\WINDOWS\system32

2009-04-02 09:53:03 ----D---- C:\Program Files\Common Files

2009-04-02 09:53:01 ----D---- C:\WINDOWS\inf

2009-04-02 09:52:42 ----D---- C:\WINDOWS

2009-04-02 09:50:05 ----A---- C:\WINDOWS\imsins.BAK

2009-04-02 09:19:55 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-04-02 09:16:01 ----SD---- C:\WINDOWS\Tasks

2009-04-02 09:12:58 ----D---- C:\WINDOWS\system

2009-04-02 08:39:57 ----D---- C:\WINDOWS\system32\drivers

2009-04-01 15:17:08 ----A---- C:\WINDOWS\system.ini

2009-04-01 15:13:44 ----D---- C:\WINDOWS\AppPatch

2009-04-01 14:28:07 ----D---- C:\WINDOWS\system32\wbem

2009-04-01 14:28:07 ----D---- C:\Program Files\Common Files\Microsoft Shared

2009-04-01 14:28:06 ----D---- C:\WINDOWS\ime

2009-04-01 14:28:06 ----D---- C:\Program Files\Windows NT

2009-04-01 14:26:24 ----D---- C:\WINDOWS\system32\config

2009-04-01 14:20:32 ----SHD---- C:\System Volume Information

2009-04-01 14:20:32 ----D---- C:\WINDOWS\system32\Restore

2009-04-01 13:58:12 ----D---- C:\Program Files\Mozilla Firefox

2009-03-31 16:37:21 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

2009-03-30 08:39:17 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-03-26 21:11:06 ----D---- C:\OraIns

2009-03-17 15:57:49 ----A---- C:\log.txt

2009-03-17 15:57:14 ----A---- C:\WINDOWS\ulead32.ini

2009-03-10 12:49:49 ----D---- C:\Program Files\The_Pirate_Bay

2009-03-10 10:16:44 ----A---- C:\WINDOWS\system32\Days5.ini

2009-03-10 09:55:00 ----D---- C:\Documents and Settings\USER\Application Data\ICQ Toolbar

2009-03-09 14:59:01 ----D---- C:\Documents and Settings

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-05-16 26944]

R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 78416]

R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-05-16 42912]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-27 36096]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []

R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []

R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]

R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 20560]

R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-05-16 94416]

R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-03-13 100224]

R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-05-16 23152]

R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-08-23 134272]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]

R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]

R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []

R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]

R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-08-01 27008]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-09-16 57856]

R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]

S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys []

S3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys []

S3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys []

S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]

S3 QV2KUX;Casio Digital Camera; C:\WINDOWS\system32\DRIVERS\qv2kux.sys [2001-08-17 3328]

S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]

S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ssm_bus.sys [2005-08-30 58320]

S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys [2005-08-30 8336]

S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys [2005-08-30 94000]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]

S3 sysdrv32;Play Port I/O Driver; \??\C:\WINDOWS\system32\drivers\sysdrv32.sys []

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2005-06-16 31744]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-12-28 26368]

S3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys []

S3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys []

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-05-16 17272]

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-05-16 144760]

R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

R2 uvnc_service;uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2007-12-09 1148480]

R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-05-16 349560]

R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]

S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-05-16 247160]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]

S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-12 138168]

S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2005-09-03 163840]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-12-10 353280]

S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-11-24 38912]

-----------------EOF-----------------

So, a friend has a problem with programs in Windows, specifically when opening, installing or uninstalling programs. This appears:

Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

Nod32 detects this trojan on his machine: c:/windows/system32/6to4v32.dll/Win32/Agent.BYVM trojan, but there is no option to delete it, quarantine it, or do anything else except leave it. I tried sending him avgfree, but as I mentioned, it cannot be installed. The problem appeared after installing several versions of bsplayer. NOT all programs have this problem. Skype and Internet Explorer start. Please suggest a solution to the problem.

The current steps are ONLY AND ENTIRELY for mima_ruse_71!

1. From Control Panel => Add/Remove Programs, uninstall the following programs:

Google Toolbar for Internet Explorer

TaskSwitchXP

The_Pirate_Bay Toolbar

2. Start HijackThis and choose the option "Do a system scan only"

Mark the following lines:

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)

R3 - URLSearchHook: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe0.dll

O2 - BHO: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe0.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)

O3 - Toolbar: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe0.dll

O4 - HKLM\..\Run: [KelsPakSoft] C:\WINDOWS\system32\mmm.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [addon_ql] C:\WINDOWS\system32\dgfix.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

Close the browser and in HijackThis choose Fix checked.

3. Disable your antivirus program's real-time protection.

Download ComboFix.

Open Notepad and enter:

KILLALL::

Rootkit::

C:\WINDOWS\system32\drivers\sysdrv32.sys

Driver::

sysdrv32

hpqcxs08

File::

C:\WINDOWS\system32\mmm.exe

C:\WINDOWS\system\netmon.exe

C:\ComboFix.txt

C:\WINDOWS\zip.exe

C:\WINDOWS\VFIND.exe

C:\WINDOWS\SWXCACLS.exe

C:\WINDOWS\SWSC.exe

C:\WINDOWS\SWREG.exe

C:\WINDOWS\sed.exe

C:\WINDOWS\NIRCMD.exe

C:\WINDOWS\grep.exe

C:\WINDOWS\fdsv.exe

C:\WINDOWS\imsins.BAK

C:\log.txt

C:\WINDOWS\system32\Days5.ini

Folder::

C:\Program Files\trend micro

C:\Avenger

C:\WINDOWS\srchasst

C:\WINDOWS\ERDNT

C:\Qoobox

C:\Program Files\The_Pirate_Bay

C:\Documents and Settings\USER\Application Data\ICQ Toolbar

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon32]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\netmon32]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

sysrst::

Save the file with the name CFScript and drag it onto ComboFix as shown in the picture.

cfscriptyr1.gif

Post the log file it creates.

1. Download ComboFix

2. Save it to the desktop

3. Open Notepad and, using copy/paste, put the following text in it:

KillAll::


File::

C:\WINDOWS\system32\6to4v32.dll

Save the file with the name CFScript.txt and drop it onto ComboFix.

cfscriptyr1.gif

After the program finishes, it will show you the log file. Use Copy/Paste to post the information here.

How is this done?

"3. Disable your antivirus program's real-time protection"

It means turning off your antivirus.

It is usually done by right-clicking the icon in the tray --> Disable/Turn Off/Shut Down/Suspend or something similar.

Try right-clicking the icon down in the tray and see whether the option to turn it off is offered there.

When I started HijackThis, the following appeared /I am attaching files/.

I do not see some of the lines you wrote here.

When I started HijackThis, the following opened /I am attaching files/. Some of the lines you wrote are not there.

post-178627-1238741935_thumb.jpg

post-178627-1238741949_thumb.jpg

Edited by mima_ruse_71

Then mark the ones you do have and continue with the remaining steps. :angry:

PS: In the screenshots you have marked lines that I did not point out. Be careful... :P

SORRY FOR THE DELAY, BUT I HAD URGENT WORK AND ALSO HAD NO INTERNET! sad.gif

I have no idea what is going on. I will try to send it another way.

I received the file before you deleted it. Thank you!

Open Notepad and enter:

KILLALL::


Driver::

sysdrv32


File::

c:\windows\system\1sass.exe

c:\windows\system32\drivers\sysdrv32.sys


Folder::

C:\post.exe

C:\rsit


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lsass"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system\\1sass.exe"=-

Save the file with the name CFScript and drag it onto ComboFix.

cfscriptyr1.gif

Turn off System Restore:

Right-click the My Computer icon on the desktop. In the window that opens, select the System Restore tab and tick Turn off System Restore or Turn off System Restore on all drives:

System%20Restore%204.gif

Stop the unnecessary programs that start with the operating system.

Start => Run => type msconfig => go to the Startup column => remove the check marks in front of:

*SUPERAntispyware (the free version has no real-time protection anyway)

*eraser

and other programs that you think do not need to start automatically.

I will await your reply when you are at the infected machine on Monday! :whist:

Edited by B-boy[StyLe]
