
Attention! Adware and adware site - onlinecheck.antispywaredetector.org

We have the problem described by poisonfree (02-06-2006) in the thread named "services.exe 100% cpu until connect to internet".
Our results -

Symptoms -
1. "services.exe 100% cpu until connect to internet" (by poisonfree)
2. services.exe tried to contact onlinecheck.antispywaredetector.org
3. This software sends search requests to Google and firefoxupdatecenter and then sends requests to the sites found

See the lines from our firewall log -

[27/Feb/2006 19:02:13] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=download
[27/Feb/2006 19:02:13] DROP URL 'Spy/Ad-Ware' HTTP GET http_://ftp.icq.com/pub/ICQ_Win95_98_NT4/ICQ_5/icq5_setup.exe (!!!! I use Miranda and don't need ICQ distributive!!!!)
[27/Feb/2006 19:02:15] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=viagra (!!!! I don't need viagra yet!!!! ))) )
[27/Feb/2006 19:12:15] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=crack
[27/Feb/2006 19:12:15] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
[27/Feb/2006 19:13:15] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=soft
[27/Feb/2006 19:13:15] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
[27/Feb/2006 19:22:16] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=porno
[27/Feb/2006 19:22:16] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
[27/Feb/2006 19:23:56] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=free
[27/Feb/2006 19:26:16] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=porno
[27/Feb/2006 19:26:16] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi

(I don't know why requests to update.firefoxupdatecenter.net are POSTed!)

The computer was tested with Dr.Web, AVZ, SpyBot and BitDefender Online Scanner v8. All utilities, with the latest updates, don't see any problem!

4. I've tested different firewalls on the infected machine - Outpost, Zone Alarm and Kerio WinRoute. There was extremely high processor load (up to 100%) on startup with Outpost (as described by poisonfree) and Zone Alarm. The test with WinRoute shows normal processor load, but the computer again sends unwanted HTTP requests (see log). It seems to me the very high load was caused by a conflict between the adware and firewall components.

Now I have blocked this malware and its unwanted traffic on the infected machine. But I don't know how to cure it. Any comments? Recommendations?

HJT log -
Logfile of HijackThis v1.99.1
Scan saved at 8:43:22, on 28.02.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\crypserv.exe
D:\WINNT\System32\svchost.exe
e:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINNT\LogWatNT.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
e:\PROGRA~1\DrWeb\SpiderNT.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
e:\Program Files\Kerio\WinRoute Firewall\winroute.exe
D:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\taskmgr.exe
D:\WINNT\SOUNDMAN.EXE
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Ahead\InCD\InCD.exe
D:\WINNT\system32\HotFixQ0306270.exe
E:\PROGRA~1\DrWeb\spidernt.exe
E:\Program Files\DrWeb\drwebscd.exe
E:\Program Files\TrafficCompressor\TCompres.exe
E:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Microsoft Office\Office\1049\OLFSNT40.EXE
E:\Program Files\Microsoft Office\Office\1049\msoffice.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Distr3\HijackThis.exe
E:\Program Files\Far\Far.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Радио - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - E:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] e:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PLFFAP] D:\WINNT\system32\HotFixQ0306270.exe
O4 - HKLM\..\Run: [SpIDerNT] e:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [DrWebScheduler] "E:\Program Files\DrWeb\drwebscd.exe"
O4 - HKLM\..\Run: [TrafficCompressor] e:\Program Files\TrafficCompressor\TCompres.exe /Autorun
O4 - HKCU\..\Run: [WrCtrl] "e:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Порт Symantec Fax Starter Edition.lnk = E:\Program Files\Microsoft Office\Office\1049\OLFSNT40.EXE
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: e:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: e:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: e:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: e:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: e:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: d:\winnt\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: e:\program files\trafficcompressor\tcomplsp.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C751B5A-3D06-4AA0-8778-D2EE23359F66}: NameServer = 217.66.16.35 217.66.22.130
O23 - Service: Оповещатель (Alerter) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Управление приложениями (AppMgmt) - Корпорация Майкрософт - D:\WINNT\system32\services.exe
O23 - Service: Обозреватель компьютеров (Browser) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DHCP-клиент (Dhcp) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Служба администрирования диспетчера логических дисков (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Диспетчер логических дисков (dmserver) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: DNS-клиент (Dnscache) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - D:\WINNT\system32\services.exe
O23 - Service: Служба факсов (Fax) - Корпорация Майкрософт - D:\WINNT\system32\faxsvc.exe
O23 - Service: ICONICS License Server (GenRegistrar) (GenRegistrar) - ICONICS, Inc. - e:\Program Files\ICONICS\GENESIS-32\Bin\GenRegistrarServer.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - e:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - e:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - e:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Сервер (lanmanserver) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Рабочая станция (lanmanworkstation) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Служба поддержки TCP/IP NetBIOS (LmHosts) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - D:\WINNT\LogWatNT.exe
O23 - Service: Служба сообщений (Messenger) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - D:\WINNT\System32\mnmsrvc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - D:\DOCUME~1\Andrew\LOCALS~1\Temp\IXP000.TMP\MsiExec.exe (file missing)
O23 - Service: Служба сетевого DDE (NetDDE) - Корпорация Майкрософт - D:\WINNT\system32\netdde.exe
O23 - Service: Диспетчер сетевого DDE (NetDDEdsdm) - Корпорация Майкрософт - D:\WINNT\system32\netdde.exe
O23 - Service: Сетевой вход в систему (Netlogon) - Корпорация Майкрософт - D:\WINNT\System32\lsass.exe
O23 - Service: Поставщик поддержки безопасности NT LM (NtLmSsp) - Корпорация Майкрософт - D:\WINNT\System32\lsass.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - D:\WINNT\system32\services.exe
O23 - Service: Агент политики IPSEC (PolicyAgent) - Корпорация Майкрософт - D:\WINNT\System32\lsass.exe
O23 - Service: Защищенное хранилище (ProtectedStorage) - Корпорация Майкрософт - D:\WINNT\system32\services.exe
O23 - Service: Диспетчер учетных записей безопасности (SamSs) - Корпорация Майкрософт - D:\WINNT\system32\lsass.exe
O23 - Service: Модуль поддержки смарт-карт (SCardDrv) - Корпорация Майкрософт - D:\WINNT\System32\SCardSvr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - D:\WINNT\System32\SCardSvr.exe
O23 - Service: Планировщик заданий (Schedule) - Корпорация Майкрософт - D:\WINNT\system32\MSTask.exe
O23 - Service: Служба RunAs (seclogon) - Корпорация Майкрософт - D:\WINNT\system32\services.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - e:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: Оповещения и журналы производительности (SysmonLog) - Корпорация Майкрософт - D:\WINNT\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - D:\WINNT\system32\tlntsvr.exe
O23 - Service: Клиент отслеживания изменившихся связей (TrkWks) - Корпорация Майкрософт - D:\WINNT\system32\services.exe
O23 - Service: Служба времени Windows (W32Time) - Корпорация Майкрософт - D:\WINNT\System32\services.exe
O23 - Service: Инструментарий управления Windows (WinMgmt) - Корпорация Майкрософт - D:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - e:\Program Files\Kerio\WinRoute Firewall\winroute.exe
O23 - Service: Расширения драйвера оснастки управления Windows (Wmi) - Корпорация Майкрософт - D:\WINNT\system32\Services.exe
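The firewall-log analysis described in the post, as an added example that is not part of the original post: a small Python parser for the Kerio-style "DROP URL" lines quoted above, which counts the search terms the infected machine queried and pairs each POST to the banner CGI with the search GET that preceded it within a few seconds. The sample lines are copied from the post (with the poster's parenthetical remarks removed); the five-second pairing window, the function names and the report layout are assumptions, not anything from the firewall vendor.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Sample input copied from the post's firewall log, with the poster's
# parenthetical remarks removed. The poster wrote "http_://" to keep the
# forum from turning the URLs into links; the parser accepts both spellings.
SAMPLE_LOG = """\
[27/Feb/2006 19:02:13] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=download
[27/Feb/2006 19:02:13] DROP URL 'Spy/Ad-Ware' HTTP GET http_://ftp.icq.com/pub/ICQ_Win95_98_NT4/ICQ_5/icq5_setup.exe
[27/Feb/2006 19:02:15] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=viagra
[27/Feb/2006 19:12:15] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=crack
[27/Feb/2006 19:12:15] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
[27/Feb/2006 19:13:15] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=soft
[27/Feb/2006 19:13:15] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
[27/Feb/2006 19:22:16] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=porno
[27/Feb/2006 19:22:16] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
[27/Feb/2006 19:23:56] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=free
[27/Feb/2006 19:26:16] DROP URL 'Spy/Ad-Ware' HTTP GET http_://www.google.com/search?hl=en&q=porno
[27/Feb/2006 19:26:16] DROP URL 'Spy/Ad-Ware' HTTP POST http_://update.firefoxupdatecenter.net/cgi-bin/nextbanner.cgi
"""

# One "DROP URL" line: [timestamp] ACTION URL 'rule' HTTP METHOD url
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<action>\w+) URL '(?P<rule>[^']*)' "
    r"HTTP (?P<method>[A-Z]+) (?P<url>\S+)"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = m.group("url").replace("http_://", "http://", 1)
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "action": m.group("action"),
        "rule": m.group("rule"),
        "method": m.group("method"),
        "host": parts.hostname or "",
        "path": parts.path,
        "query": parse_qs(parts.query),
    }

def parse_log(text):
    """Parse every matching line of a log, skipping blank or unrelated lines."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]

def is_search(ev):
    """A GET for /search with a q= parameter, i.e. a search-engine query."""
    return ev["method"] == "GET" and ev["path"] == "/search" and "q" in ev["query"]

def search_terms(events):
    """Count the terms the machine searched for (the pattern the post describes)."""
    return Counter(ev["query"]["q"][0] for ev in events if is_search(ev))

def search_then_post(events, window=timedelta(seconds=5)):
    """Pair each POST with the most recent search GET issued within `window`.

    Returns (search_term, post_host, post_path) tuples. The window is an
    assumption chosen from the post's timestamps, where GET and POST share
    the same second.
    """
    pairs = []
    last_search = None
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps GET before POST
        if is_search(ev):
            last_search = ev
        elif (ev["method"] == "POST" and last_search is not None
              and ev["ts"] - last_search["ts"] <= window):
            pairs.append((last_search["query"]["q"][0], ev["host"], ev["path"]))
    return pairs

def report(text):
    """Summarise a log: dropped-event count, per-host hits, searched terms, pairs."""
    events = parse_log(text)
    return {
        "dropped": sum(1 for ev in events if ev["action"] == "DROP"),
        "hosts": Counter(ev["host"] for ev in events),
        "searches": search_terms(events),
        "search_then_post": search_then_post(events),
    }

if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print(f"{r['dropped']} dropped requests to {len(r['hosts'])} hosts")
    print("searched terms:", dict(r["searches"]))
    for term, host, path in r["search_then_post"]:
        print(f"search '{term}' followed by POST to {host}{path}")
```

Run against a real export, the per-host counter and the GET/POST pairing give a defender the two facts worth keeping from such a log: which hosts a blocked rule keeps firing on, and whether the search queries are tied to a beacon that should be blocked at the proxy or DNS level while the machine is being cleaned.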