Downloader.Agent.IQT help

edited October 2007 in Spyware & Virus Removal
Hello! AVG is finding Downloader.Agent.IQT in 2 files. I've looked at the same problem in another thread, but there isn't any solution for my problem.

Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 20:07:10, on 14.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\{ECEEF44F-05DB-1049-0903-010626030007}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\The Bat!\thebat.exe
C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\MQ\command.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\totalcmd\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\thebat.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
O20 - AppInit_DLLs: direct32.dll,inicfg32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-58-12-0000106 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe

Thank you!
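The log above is read by hand in this thread, but the entry types HijackThis emits (R1, O2, O4, O20, O23) lend themselves to a first automated triage pass. The following script is an added example written for this page, not a tool used in the thread: it parses HijackThis-style lines and flags the indicators a helper would look at first. The sample lines are copied from the log above; the heuristics (AppInit_DLLs set, proxy auto-config URL, services with "Unknown owner" or "(file missing)", binaries living directly in the Windows root, and file names one character away from a core system binary) are this editor's choices and are only a starting point, not a verdict on any entry.

```python
import re
from typing import List, Optional, Tuple

# Sample lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: direct32.dll,inicfg32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-58-12-0000106 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Core Windows binaries whose names malware often imitates by changing one letter.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "rundll32.exe"}

# First drive-letter path ending in .exe or .dll on the line (HijackThis prints
# the module path after the last " - " separator for most entry types).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
# A module sitting directly in C:\WINDOWS rather than in system32 or a program folder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary this name imitates (distance exactly 1), else None."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None
    for sysname in SYSTEM_NAMES:
        if edit_distance(name, sysname) == 1:
            return sysname
    return None


def extract_path(line: str) -> Optional[str]:
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage_line(line: str) -> List[str]:
    """Apply the heuristics to one log line and return the reasons it was flagged."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0].strip()
    path = extract_path(line)
    base = path.rsplit("\\", 1)[-1] if path else ""

    if kind == "O20" and "AppInit_DLLs:" in line:
        dlls = line.split("AppInit_DLLs:", 1)[1].strip()
        if dlls:  # loaded into every process that maps user32.dll; rarely legitimate
            reasons.append(f"AppInit_DLLs loads {dlls} into every GUI process")
    if kind == "R1" and "AutoConfigURL" in line:
        reasons.append("proxy auto-config script set; browser traffic can be redirected")
    if kind == "O23":
        if "Unknown owner" in line:
            reasons.append("service binary carries no publisher information")
        if "(file missing)" in line:
            reasons.append("service registered but its binary is absent")
    if path and WINDOWS_ROOT_RE.match(path):
        reasons.append("module loaded directly from the Windows root, not system32")
    twin = lookalike(base) if base else None
    if twin:
        reasons.append(f"{base} is one character away from system file {twin}")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every non-empty line that trips at least one heuristic."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the nine sample lines, six are flagged: the localhost proxy PAC, the two bxxs5.dll entries, the AppInit_DLLs line, and both "Unknown owner" services; the svchosts.exe service collects three reasons at once (no owner, binary missing, and a one-letter lookalike of svchost.exe). The Java, AVG and NVIDIA lines pass untouched, which is the point of keeping the heuristics narrow: a triage pass should shorten the list a human reads, not replace the judgement the helper applies in the replies below.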

Comments

  • Rahina-Rescue Finland
    edited March 2007
    Hello saalse. Sorry for the delay getting to your post. My name is Rahina Rescue and I will be helping you here with your malware issues.

    You have a nice malware collection there :sad2:

    I must warn that one or more of the identified infections is a backdoor trojan

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

    We can give it a shot and fix your computer, let me know what you want to do :)
  • edited March 2007
    Thank you for the answer.
    I've checked my computer with SpyBot and Ad-Aware, found some trojans and deleted them, but Downloader hasn't disappeared.
    Kaspersky on-line test found a lot of trojans, too.

    I wouldn't reformat my system ('cuz it needs a lot of time); let's try to solve my problems with any software and ideas ;)

    PS Sorry for my English...

    Here is my last HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:27:39, on 16.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\QIP\qip.exe
    C:\Program Files\The Bat!\thebat.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\X-Translator DIAMOND\XTRADIAMOND\PrmtXD.exe
    C:\Program Files\X-Translator DIAMOND\Promtsvr.exe
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\thebat.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
    O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
    O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
    O20 - AppInit_DLLs: direct32.dll,inicfg32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
  • Rahina-Rescue Finland
    edited March 2007
    Hello saalse, in your case you won't have any use for SpyBot and Ad-Aware. They are not powerful enough to defeat the bad guys you have on your system; we have to use proper tools developed to remove the infections you are having :smiles:

    We'll begin with this:

    Please download E2TakeOut. Extract the file to your Desktop
    • Double click E2TakeOut.exe
    • Click the Begin Removal button
    • Wait until the program is finished scanning
    • Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
    • Reboot your computer
    • Once your computer has rebooted E2TakeOut will open and produce a report
    • Please copy/paste that report into your next reply
    ____

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.

    Before you post these logs, please rename Hijackthis.exe to Rahina.exe, and save the logfile and add it in your next reply to this thread.

    Thanks :smiles:
  • edited March 2007
    Hello, my friend.

    Logs:
    Logfile of HijackThis v1.99.1
    Scan saved at 18:51:29, on 16.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\Rahina.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
    O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
    O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
    O20 - AppInit_DLLs: direct32.dll,
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\system32\tlntsvr.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
    _________________________
    E2TakeOut v1.01 [http://www.malwarebytes.org]
    Removed orphaned leftovers
    AppInit key reset
    E2TakeOut v1.01 [http://www.malwarebytes.org]
    Removed orphaned leftovers
    AppInit key reset
    _________________

    SDFix: Version 1.72
    Run by Администратор - 16.03.2007 / 18:36:38,35
    Microsoft Windows XP [Версия 5.1.2600]
    Running From: C:\CDFix\SDFix
    Safe Mode:
    Checking Services:



    Restoring Windows Registry Entries
    Restoring Default Hosts File

    Rebooting...
    Normal Mode:
    Checking Files:
    Below files will be copied to Backups folder then removed:
    C:\WINDOWS\system32\unsvchosts.lzma - Deleted
    C:\DOCUME~1\8CE5~1\LOCALS~1\Temp\tmp*.tmp - Deleted

    ADS Check:
    C:\WINDOWS\system32
    No streams found.

    Final Check:
    Remaining Services:

    Authorized Application Key Export:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\ICQ\\Icq.exe"="C:\\Program Files\\ICQ\\Icq.exe:*:Enabled:ICQ"
    "C:\\totalcmd\\TOTALCMD.EXE"="C:\\totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
    "C:\\Program Files\\eDonkey2000\\edonkey2000.exe"="C:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:eDonkey2000 Application"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:Microsoft Office Word"
    "C:\\Program Files\\NetPromoter\\Page Promoter\\PagePromoter.exe"="C:\\Program Files\\NetPromoter\\Page Promoter\\PagePromoter.exe:*:Enabled:PagePromoter"
    "C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"="C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe:*:Enabled:Anapod Xtreamer"
    "C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe:*:Enabled:Dreamweaver 8"
    "C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\QIP\\qip.exe"="C:\\Program Files\\QIP\\qip.exe:*:Enabled:Quiet Internet Pager"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    Backups Folder: - C:\CDFix\SDFix\backups\backups.zip
    Checking For Files with Hidden Attributes :
    C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
    C:\WINDOWS\system32\sysclasses.dll
    C:\Documents and Settings\Саша\Application Data\M?crosoft.NET\?poolsv.exe
    C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\WINDOWS\system32\86E89D7119.sys
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\Documents and Settings\Саша\Мои документы\PHOTOS\roditeli\мама-тунис\SIV2.tmp
    C:\Documents and Settings\Саша\Мои документы\projects\DUMA\clients\RINTER\~WRL2360.tmp
    C:\Documents and Settings\Саша\Мои документы\univer\земля\2 семестр, 2 курсовая\~WRL3503.tmp
    C:\Documents and Settings\Саша\Рабочий стол\Еврорент\~WRL1778.tmp
    C:\Documents and Settings\Саша\Рабочий стол\Мама\Аттестация\~WRL2098.tmp
    C:\Documents and Settings\Саша\Рабочий стол\Мама\Договор 2006\~WRL0627.tmp
    C:\Documents and Settings\Саша\Рабочий стол\Мама\Мои Тесты\Смешанные\~WRL0374.tmp
    C:\Documents and Settings\Саша\Рабочий стол\ПАПА\мама-тунис\SIV2.tmp
    C:\Documents and Settings\Саша\Рабочий стол\ПАПА\Новая папка\мама-тунис\SIV2.tmp
    Finished
  • edited March 2007
    Hello, my friend.

    Logs:
    Logfile of HijackThis v1.99.1
    Scan saved at 18:51:29, on 16.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\Rahina.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
    O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
    O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
    O20 - AppInit_DLLs: direct32.dll,
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\system32\tlntsvr.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
  • Rahina-Rescue Finland
    edited March 2007
    You do not seem to have any ANTIVIRUS Software installed on your system.

    Without this you are wide open to re-infection and other attacks. Once you have installed this, please reboot your machine.

    Following are the links to two good antivirus programs (these are also free for personal use): (Only install 1)

    Avast Home Edition

    AVG Anti-Virus

    It is critical to have an antivirus to protect your system and to keep it updated.
    So please connect to any of these sites to download and install the product immediately.

    Without this you are wide open to re-infection and other attacks. Once you have installed this, please reboot your machine and post a fresh HijackThis logfile.
  • edited March 2007
    I already have AVG (installed and working all the time)...
  • Rahina-Rescue Finland
    edited March 2007
    Sorry, my bad :confused: I can clearly see that you have AVG7 installed :wink:

    Anyway, we are going to continue cleaning up your system. :smiles:

    Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! I suggest you print these instructions out.

    Download ATF-Cleaner by Atribune to your desktop.

    Do NOT run it yet.

    Run ATF Cleaner. Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.



    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
  • Rahina-Rescue Finland
    edited March 2007
    How is it going?
  • edited March 2007
    Hello,

    Logfile of HijackThis v1.99.1
    Scan saved at 22:28:59, on 18.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\Program Files\The Bat!\thebat.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\QIP\qip.exe
    C:\Program Files\Corel\Corel Paint Shop Pro X\Paint Shop Pro X.exe
    C:\Program Files\HijackThis\Rahina.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\thebat.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
    O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
    O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
    O20 - AppInit_DLLs: direct32.dll,
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\system32\tlntsvr.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe

    ______________________________


    AVG Anti-Spyware - Scan Report
    + Created at: 21:37:14 18.03.2007
    + Scan result:

    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091178.dll -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\bgcaafag.dll -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cojmgdgo.dll -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\lbdcpdja.dll -> Adware.Agent : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\stub_ventjj.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091181.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091168.dll -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091169.exe -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091179.dll -> Adware.CASClient : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\temp.fr5C00 -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091165.exe -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0092141.dll -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\temp.fr00C8 -> Adware.E2give : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\temp.fr9EC2 -> Adware.E2give : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0092139.dll -> Adware.E2give : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0092140.dll -> Adware.E2give : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091176.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091184.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
    C:\Program Files\Outerinfo\OiUninstaller.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091175.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091167.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091172.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091173.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091174.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Application Data\Mіcrosoft.NET\ѕpoolsv.exe -> Adware.ValueAd : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_08.28.19\1375.html -> Downloader.Agent.bk : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_08.28.19\1376.html -> Downloader.Agent.bk : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_11.08.29\192.html -> Downloader.Agent.bk : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_11.08.29\193.html -> Downloader.Agent.bk : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\b128.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0092238.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\b104.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\b103.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
    D:\SOFT\system\Nero Burning room 6.3.1.6\Keygen.exe -> Hijacker.Befins.b : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\Cache\31AFA46Fd01 -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\Cache\78DCA484d01 -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Local Settings\Temp\Temporary Internet Files\Content.IE5\TZ6825DC\nr[1].htm -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Documents and Settings\Саша\Мои документы\projects\ГОРОДКИ\материалы\капролон\Трансхимреактив.files\404.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.08.25_15.47.13\113.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.08.25_15.47.13\273.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.08.25_15.47.13\304.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_08.28.19\1305.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_11.08.29\122.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.07_11.44.12\147.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.08_12.10.03\142.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.08_12.10.03\421.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.08_12.10.03\463.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.08_12.10.03\468.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\Program Files\NetPromoter\Page Promoter\Profiles\Road Int\Reports\Submission\2006.12.08_12.10.03\469.html -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091166.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
    :mozilla.13:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.14:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.32:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
    C:\Documents and Settings\Саша\Local Settings\Temp\Cookies\саша@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
    :mozilla.67:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.Texttbnru : Cleaned.
    :mozilla.54:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.55:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.60:C:\Documents and Settings\Саша\Application Data\Mozilla\Firefox\Profiles\d8r1t9yd.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
    C:\Documents and Settings\Саша\Local Settings\Temp\Cookies\саша@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP222\A0086880.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0092161.vbs -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\MQ\gk.vbs -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\wapisvtr.exe -> Trojan.Small : Cleaned with backup (quarantined).

    ::Report end
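The report above lists each hit as "path -> detection : action." and a large share of the paths sit under System Volume Information, which is why the next reply asks for System Restore to be purged. The following is an added example (not part of the forum post and not AVG's own tooling) that parses that format and separates restore-point copies from files that were live on disk. The sample report inside it is constructed from a few of the posted lines with the user name replaced.

```python
"""Summarise an AVG Anti-Spyware scan report by detection family and location.

Added example for this thread, not part of the forum post or of AVG's own
tooling. The report format is the one posted above: one hit per line,
"<path> -> <detection> : <action>.", with cookie hits inside a Firefox
cookies.txt carrying a ":mozilla.N:" prefix.
"""
import re
from collections import Counter

HIT_RE = re.compile(
    r"^(?::mozilla\.\d+:)?(?P<path>.+?) -> (?P<name>[^:]+?) : (?P<action>.+?)\.?$"
)

# Constructed sample: a subset of the posted report, user name replaced.
SAMPLE_REPORT = r"""
AVG Anti-Spyware - Scan Report
+ Created at: 21:37:14 18.03.2007
+ Scan result:

C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0091178.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bgcaafag.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\MQ\gk.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wapisvtr.exe -> Trojan.Small : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\System Volume Information\_restore{A22D15C4-99CA-4427-BDAA-E750DFE91717}\RP257\A0092161.vbs -> Trojan.Small : Cleaned with backup (quarantined).

::Report end
"""

# Restore-point copies live under this folder; AV tools cannot clean them in place.
RESTORE_MARKER = "\\system volume information\\"


def parse_report(text):
    """Return one dict per hit line; header, blank and footer lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = HIT_RE.match(raw.strip())
        if m:
            hits.append({"path": m["path"], "name": m["name"], "action": m["action"]})
    return hits


def summarise(hits):
    """Group hits by detection family and separate restore-point copies from live files."""
    by_family = Counter(h["name"].split(".")[0] for h in hits)
    in_restore = [h for h in hits if RESTORE_MARKER in h["path"].lower()]
    live = [h for h in hits if RESTORE_MARKER not in h["path"].lower()]
    quarantined = sum(1 for h in hits if "quarantined" in h["action"].lower())
    return {
        "total": len(hits),
        "by_family": dict(by_family),
        "quarantined": quarantined,             # backed-up copies still sit in the AVG quarantine
        "restore_point_hits": len(in_restore),  # the reason to purge System Restore afterwards
        "live_paths": [h["path"] for h in live],
    }


if __name__ == "__main__":
    s = summarise(parse_report(SAMPLE_REPORT))
    print(f"{s['total']} hits, {s['restore_point_hits']} inside System Restore points")
    for family, n in sorted(s["by_family"].items()):
        print(f"  {family:16} {n}")
    for p in s["live_paths"]:
        print("  live:", p)
```

The "live_paths" list is the part worth reading closely on a real report: those are the files that were present on the running system (here two DLLs in system32, a VBS under C:\WINDOWS\MQ and a cookie), while restore-point hits are only historical copies that reappear if a restore point is ever applied.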
  • Rahina-Rescue Finland
    edited March 2007
    Hello There, Good Work :)
    • Open AVG Anti-Spyware
    • Click Infections
    • Click Quarantine tab
    • Click Select all
    • Click Remove finally
    • Close the program

    __________

    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

    System Restore will now be active again.

    __________

    Please open HiJackThis and scan. Check the boxes next to all the entries listed below:

    O20 - AppInit_DLLs: direct32.dll,
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

    __________

    Go to Start => Run and type services.msc

    Press enter.
    Scroll down to find this entry and double click on it:

    Command Service

    When its property page comes up, stop the service.

    Set its startup type to disabled and apply.

    Close the services console.

    Go to Start => Run and type

    sc delete "Command Service"

    Remember the quotes " "


    __________

    Please download the OTMoveIt.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\direct32.dll
      C:\WINDOWS\MQ

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    _________


    Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
      • If it wants to install an ActiveX component allow it
      • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
      • When download is complete, click on My Computer to start the scan
      • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    Post the contents of the ActiveScan report along with a fresh HijackThis logfile.

    How are things running?
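The two HijackThis entries the helper singles out above are an O20 AppInit_DLLs value (a DLL that Windows loads into every process that maps user32.dll) and an O23 service whose binary is missing and whose owner is unknown, and the services.msc / sc steps that follow are the standard way to retire such a service. As an added example for this thread (not HijackThis code and not from the forum post), the script below parses a HijackThis 1.99 log, flags exactly those two entry classes, and emits the sc.exe commands in the helper's order (stop, disable, delete). One detail worth knowing: sc takes the service key name that HijackThis prints in parentheses (cmdService), not the display name. The sample log is constructed from a few lines of the log posted above.

```python
"""Triage a HijackThis 1.99 log for AppInit_DLLs entries and suspicious services.

Added example for this thread, not HijackThis code and not from the forum
post. It reads the "<section> - <body>" lines and flags (a) any DLL listed
under O20 AppInit_DLLs and (b) O23 services whose binary is missing or whose
owner is unknown, then builds remediation commands for each finding.
"""
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# "Service: <display> (<key>) - <owner> - <path>"; the "(<key>)" part is optional.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# Registry location of the AppInit_DLLs value on Windows XP.
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: direct32.dll,
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs for every R*/F*/O* line; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def triage(entries):
    """Flag AppInit_DLLs entries and services with a missing binary or unknown owner."""
    findings = []
    for sec, body in entries:
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # The value is a comma-separated list; HijackThis prints a trailing comma.
            for dll in body.split(":", 1)[1].split(","):
                dll = dll.strip()
                if dll:
                    findings.append({"section": "O20", "item": dll,
                                     "reason": "AppInit_DLLs: loaded into every process that maps user32.dll"})
        elif sec == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("binary not on disk (file missing)")
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("no vendor recorded (Unknown owner)")
            if reasons:
                findings.append({"section": "O23", "item": m["key"] or m["display"],
                                 "reason": "; ".join(reasons), "path": m["path"]})
    return findings


def remediation_commands(finding):
    """Commands to run from an administrative cmd.exe for one finding."""
    if finding["section"] == "O23":
        svc = finding["item"]  # sc wants the key name, e.g. cmdService
        return [f"sc stop {svc}", f"sc config {svc} start= disabled", f"sc delete {svc}"]
    if finding["section"] == "O20":
        # Clear the value rather than delete the key; an empty AppInit_DLLs is the default.
        return [f'reg add "{APPINIT_KEY}" /v AppInit_DLLs /t REG_SZ /d "" /f']
    return []


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{f['section']}] {f['item']}: {f['reason']}")
        for cmd in remediation_commands(f):
            print("   ", cmd)
```

The service check deliberately treats "(file missing)" and "Unknown owner" as independent signals: a missing binary alone can be a leftover from a half-uninstalled legitimate product, while the combination with no recorded vendor and a path like C:\WINDOWS\MQ is what makes this entry stand out in the posted log.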
  • edited March 2007
    My dear friend, I can't fix
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)

    HiJack can't fix it, 'cuz the process is running. I've restarted HiJack and tried again: I check it, click "fix", but this entry doesn't get deleted
  • Rahina-Rescue Finland
    edited March 2007
    Do the services.msc thing before fixing.
  • edited March 2007
    oh...interesting, when it will stop.... :)))

    well, look at it, pls:
    PANDA
    Adware:adware program c:\windows\system32\key.~
    Adware:adware/commad Windows Registry
    Adware:adware/deskwizz Windows Registry
    Adware:adware/sbsoft Windows Registry
    Potentially unwanted tool:Application/Processor C:\CDFix\SDFix\apps\Process.exe

    Spyware:Cookie/Statcounter C:\Documents and Settings\Саша\Cookies\саша@statcounter[1].txt

    Spyware:Cookie/Yadro C:\Documents and Settings\Саша\Cookies\саша@yadro[1].txt

    Spyware:Spyware/7r7t C:\Documents and Settings\Саша\Local Settings\Temp\contexapp.exe

    Adware:Adware/NewAds C:\Documents and Settings\Саша\Local Settings\Temp\mc051706.exe

    Adware:Adware/PurityScan C:\Documents and Settings\Саша\Local Settings\Temp\nsf8F.tmp\YazzleBundle-1220.exe

    Adware:Adware/ActiveSearch C:\Documents and Settings\Саша\Local Settings\Temp\upd.exe

    Potentially unwanted tool:Application/Processor C:\Documents and Settings\Саша\Рабочий стол\SDFix.exe[SDFix\apps\Process.exe]

    Adware:Adware/Comet C:\Downloads\maps.exe[Starware343.dll]

    Adware:Adware/NewAds C:\Program Files\Common Files\misc001\mc-106.exe

    Adware:Adware/Yazzle C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

    OTM
    File/Folder C:\WINDOWS\SYSTEM32\direct32.dll not found.
    C:\WINDOWS\MQ moved successfully.

    Created on 03.19.2007 00:03:09

    HJT
    Logfile of HijackThis v1.99.1
    Scan saved at 3:20:26, on 19.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\QIP\qip.exe
    C:\Program Files\The Bat!\thebat.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\HijackThis\Rahina.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\thebat.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
    O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
    O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\system32\tlntsvr.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
  • Rahina-RescueRahina-Rescue Finland
    edited March 2007
    Nice work!! :)

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • edited March 2007
    "Саша" - 07-03-19 10:37:46 Service Pack 2
    ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Саша\Рабочий стол"
    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\cfg32.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\Common Files\misc001\mc-106.exe
    C:\Program Files\Outerinfo\outerinfo.ico
    C:\Program Files\Outerinfo\Terms.rtf
    C:\Program Files\INSTALL.LOG
    C:\WINDOWS\MQ
    C:\Program Files\Common Files\{ECEEF~2
    C:\Program Files\Common Files\{ECEEF~1
    C:\Program Files\Common Files\misc001
    C:\Program Files\Common Files\simtest
    C:\Program Files\Common Files\svchostsys
    C:\Program Files\Outerinfo
    C:\Program Files\windows
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    Folders Quarantined:
    C:\qoobox\purity\WINDOWS\STEM32~1
    C:\qoobox\purity\WINDOWS\STEM32~1\?гstem32

    ((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))


    2007-03-18 19:02 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-03-18 18:02 <DIR> d C:\malw
    2007-03-16 18:35 786,432 --ah C:\DOCUME~1\9335~1\NTUSER.DAT
    2007-03-16 18:35 <DIR> dr C:\DOCUME~1\9335~1\Главное меню
    2007-03-16 18:35 <DIR> d--h C:\DOCUME~1\9335~1\Шаблоны
    2007-03-16 18:35 <DIR> d C:\DOCUME~1\9335~1\Рабочий стол
    2007-03-16 18:35 <DIR> d C:\DOCUME~1\9335~1\Мои документы
    2007-03-16 18:35 <DIR> d C:\DOCUME~1\9335~1\Избранное
    2007-03-16 18:32 <DIR> d C:\CDFix
    2007-03-15 21:50 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
    2007-03-15 12:02 <DIR> d C:\WINDOWS\system32\ActiveScan
    2007-03-15 11:59 <DIR> d C:\Program Files\SpywareBlaster
    2007-03-15 09:31 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-03-15 09:30 <DIR> d C:\Program Files\Lavasoft
    2007-03-15 09:30 <DIR> d C:\DOCUME~1\8CE5~1\APPLIC~1\Lavasoft
    2007-03-15 09:29 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-03-13 19:43 <DIR> d C:\Program Files\QIP
    2007-02-27 21:54 384 --a C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000D-00001102-00000004-20051102}.dat
    2007-02-27 21:54 384 --a C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000D-00001102-00000004-20051102}.dat
    2007-02-27 21:51 44,032 C:\WINDOWS\system32\CTSVCCDA.EXE
    2007-02-27 21:51 25,088 C:\WINDOWS\system32\CTSVCCTL.EXE
    2007-02-27 21:49 90,112 C:\WINDOWS\Updreg.EXE
    2007-02-27 21:49 84,992 C:\WINDOWS\system32\SFCVRT32.DLL
    2007-02-27 21:49 82,432 C:\WINDOWS\system32\CTWFLT32.DLL
    2007-02-27 21:49 54,784 C:\WINDOWS\system32\INETWH32.DLL
    2007-02-27 21:49 53,552 C:\WINDOWS\CTCCW.DLL
    2007-02-27 21:49 26,768 C:\WINDOWS\system32\CTL3D.DLL
    2007-02-27 21:49 24,976 C:\WINDOWS\CTRES.DLL
    2007-02-27 21:49 149,504 C:\WINDOWS\system32\MFCANS32.DLL
    2007-02-27 21:49 108,032 C:\WINDOWS\system32\MFCUIA32.DLL
    2007-02-27 21:49 1,048,576 C:\WINDOWS\system32\SFMAN.DAT
    2007-02-27 21:49 <DIR> d C:\WINDOWS\system32\Defaults
    2007-02-27 21:48 <DIR> d C:\DOCUME~1\8CE5~1\APPLIC~1\Creative
    2007-02-27 21:47 90,112 --a C:\WINDOWS\system32\ctcoinst.dll
    2007-02-27 21:47 53,312 --a C:\WINDOWS\system32\upddrv9x.dll
    2007-02-27 21:47 49,152 --a C:\WINDOWS\system32\thk3216.dll
    2007-02-27 21:47 184,320 --a C:\WINDOWS\system32\ctdrvins.exe
    2007-02-27 21:47 184 --a C:\WINDOWS\system32\e000001.dat
    2007-02-27 21:47 147,456 --a C:\WINDOWS\system32\ctdvinst.dll
    2007-02-27 21:47 110,592 --a C:\WINDOWS\system32\instwdm.dll
    2007-02-27 21:47 <DIR> d C:\WINDOWS\system32\Data
    2007-02-27 21:46 12,288 --a C:\WINDOWS\system32\AHQCpURes.dll
    2007-02-27 21:45 <DIR> d C:\WINDOWS\system32\Win9X
    2007-02-27 21:41 <DIR> d C:\Program Files\Creative
    2007-02-22 20:34 <DIR> d C:\DOCUME~1\8CE5~1\Новая папка
    2007-02-22 19:26 <DIR> d C:\Program Files\WebClicker
    2007-02-22 14:28 <DIR> d C:\DOCUME~1\8CE5~1\APPLIC~1\M?crosoft.NET
    2007-02-22 14:05 190 --ahs---- C:\WINDOWS\system32\sysclasses.dll
    2007-02-22 14:05 <DIR> d C:\Program Files\TopGen 2
    2007-02-22 02:05 782,336 --a C:\WINDOWS\system32\IlmImf.dll
    2007-02-22 02:05 53,248 --a C:\WINDOWS\system32\pmexr.dll
    2007-02-22 02:05 353,280 --a C:\WINDOWS\system32\pmtf2.dll
    2007-02-22 02:05 242,176 --a C:\WINDOWS\system32\PhotomatixLib.dll
    2007-02-22 02:05 225,280 --a C:\WINDOWS\system32\PhotomatixLib2.dll
    2007-02-22 02:05 216,064 --a C:\WINDOWS\system32\pmjp.dll
    2007-02-22 02:05 205,824 --a C:\WINDOWS\system32\pmtf1.dll
    2007-02-22 02:05 204,288 --a C:\WINDOWS\system32\pmtf3.dll
    2007-02-22 02:05 110,592 --a C:\WINDOWS\system32\PhotomatixLib3.dll
    2007-02-22 02:05 11,776 --a C:\WINDOWS\system32\pmbm.dll
    2007-02-22 02:05 <DIR> d C:\Program Files\Photomatix
    2007-02-20 23:29 68,888 --a C:\WINDOWS\system32\xinput1_3.dll
    2007-02-20 23:29 62,744 --a C:\WINDOWS\system32\xinput1_2.dll
    2007-02-20 23:29 3,426,072 --a C:\WINDOWS\system32\d3dx9_32.dll
    2007-02-20 23:29 255,848 --a C:\WINDOWS\system32\xactengine2_6.dll
    2007-02-20 23:29 251,672 --a C:\WINDOWS\system32\xactengine2_5.dll
    2007-02-20 23:29 237,848 --a C:\WINDOWS\system32\xactengine2_4.dll
    2007-02-20 23:29 236,824 --a C:\WINDOWS\system32\xactengine2_3.dll
    2007-02-20 23:29 2,414,360 --a C:\WINDOWS\system32\d3dx9_31.dll
    2007-02-20 23:29 2,297,552 --a C:\WINDOWS\system32\d3dx9_26.dll
    2007-02-20 23:29 15,128 --a C:\WINDOWS\system32\x3daudio1_1.dll
    2007-02-20 23:20 89,360 --a C:\WINDOWS\system32\VB5DB.DLL
    2007-02-20 23:20 69,632 --a C:\WINDOWS\system32\xmltok.dll
    2007-02-20 23:20 36,864 --a C:\WINDOWS\system32\xmlparse.dll
    2007-02-20 23:20 26,064 --a C:\WINDOWS\system32\xmlinst.exe
    2007-02-20 23:20 <DIR> d C:\Program Files\Ubi Soft
    2007-02-20 23:15 <DIR> d C:\Program Files\Red Storm Entertainment

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-03-19 02:08 d C:\Program Files\winamp
    2007-03-19 02:08 d C:\Program Files\winamp
    2007-03-19 02:07 d C:\Program Files\the bat!
    2007-03-19 02:07 d C:\Program Files\the bat!
    2007-03-19 02:06 d C:\Program Files\quicktime
    2007-03-19 02:06 d C:\Program Files\quicktime
    2007-03-19 01:55 d C:\Program Files\office multimedia keyboard & mouse driver
    2007-03-19 01:55 d C:\Program Files\office multimedia keyboard & mouse driver
    2007-03-13 23:33 2516 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
    2007-03-13 13:28 d C:\Program Files\flashget
    2007-03-13 13:28 d C:\Program Files\flashget
    2007-03-09 00:38 d C:\Program Files\icqlite
    2007-03-09 00:38 d C:\Program Files\icqlite
    2007-02-27 21:53 d--h C:\Program Files\installshield installation information
    2007-02-27 21:53 d--h C:\Program Files\installshield installation information
    2007-02-27 20:12 418 --a C:\WINDOWS\toolbar2.dat
    2007-02-26 01:36 d C:\Program Files\semagic
    2007-02-26 01:36 d C:\Program Files\semagic
    2007-02-18 22:05 d C:\Program Files\opentype tools
    2007-02-18 22:05 d C:\Program Files\opentype tools
    2007-02-18 18:34 d C:\Program Files\pantone colorvision
    2007-02-18 18:34 d C:\Program Files\pantone colorvision
    2007-02-18 18:34 d C:\Program Files\pantone
    2007-02-18 18:34 d C:\Program Files\pantone
    2007-02-18 18:34 d C:\Program Files\horses
    2007-02-18 18:34 d C:\Program Files\horses
    2007-02-18 02:17 d C:\Program Files\quickgamma
    2007-02-18 02:17 d C:\Program Files\quickgamma
    2007-01-26 13:18 d C:\Program Files\bde
    2007-01-26 13:18 d C:\Program Files\bde
    2007-01-12 21:31 56 -r-hs---- C:\WINDOWS\system32\86e89d7119.sys
    2006-12-28 02:34 163600 --a C:\WINDOWS\system32\wmaudsdk.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "The Bat!"="C:\\Program Files\\The Bat!\\thebat.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
    "DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "WireLessMouse"="C:\\Program Files\\Office Multimedia Keyboard & Mouse Driver\\MouseDrv.exe"
    "WireLessKeyboard"="C:\\Program Files\\Office Multimedia Keyboard & Mouse Driver\\PS2USBKbdDrv.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "msinet"="C:\\WINDOWS\\system32\\msinet.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0

    ********************************************************************
    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net
    scanning hidden processes ...
    scanning hidden services ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
    ********************************************************************
    Completion time: 07-03-19 10:44:12

    ____________________________________

    Logfile of HijackThis v1.99.1
    Scan saved at 11:56:12, on 19.03.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\The Bat!\thebat.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0.2\program\soffice.BIN
    C:\Program Files\QIP\qip.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\HijackThis\Rahina.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ya.ru/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: Yandex.Bar - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\WINDOWS\Downloaded Program Files\yndbar.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Page Promoter Bar - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\pagepromoterbar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\thebat.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 2.0.2.lnk = C:\Program Files\OpenOffice.org 2.0.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
    O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Закачать при помощи FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O8 - Extra context menu item: Копировать в Semagic - C:\Program Files\Semagic\copy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144128572051
    O16 - DPF: {91397D20-1446-11D4-8AF4-0040CA1127B6} (Yandex.Bar) - http://bar.yandex.ru/yndbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921FC6A2-07CB-4396-A828-A4AF852B06B1}: NameServer = 212.188.4.10,195.34.32.116
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\system32\tlntsvr.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
  • Rahina-RescueRahina-Rescue Finland
    edited March 2007
    Locate the following folder, colored red. ? means that character is random.

    The folder colored blue starts with the following characters: 8CE5...

    C:\DOCUMENTS AND SETTINGS\8CE5\APPLICATION DATA\M?crosoft.NET

    When you find the folder, delete it. ;)

    Please go Here to see how to show hidden files in Windows.

    Go to Virustotal.com

    Copy the following to the box next to "Browse" button:

    C:\WINDOWS\system32\sysclasses.dll

    Click on Send
    Wait for the scan to end.

    Copy & Paste the scan results to here.

    _________

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • edited March 2007
    I can't find any folder like 8CE5. I've checked other folders for M?crosoft.NET, but there isn't anything of this kind.
  • Rahina-RescueRahina-Rescue Finland
    edited March 2007
    Copy all the text below into a blank Notepad file and save it to the desktop as find.bat and make sure the Save As type is set to All Files.
    rem Search every folder on the drive for a name matching M?crosoft.NET (? = any single character); /a includes hidden entries
    dir \M?crosoft.NET /a /s > File.txt

    Double-click find.bat, wait for the dos window to close and file.txt will appear on the desktop.

    Please post the contents of file.txt in the next reply.

    Continue working with my instructions. :thumbsup:
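An added example, not part of this thread or of Rahina-Rescue's instructions: a small Python script that does what find.bat does (walk a whole tree for a folder name matching M?crosoft.NET, hidden or not) but drops exact matches, so the genuine Microsoft.NET folders under Program Files and WINDOWS are not reported as hits; the folder tree it scans is a constructed temporary sample.

```python
import os
import tempfile

LEGIT_NAME = "Microsoft.NET"   # the genuine folder name the impostor imitates


def is_lookalike(name: str, legit: str = LEGIT_NAME) -> bool:
    """True when `name` is the same length as `legit` and differs from it in
    exactly one character (case-insensitive). That is what dir's M?crosoft.NET
    wildcard matches, minus the genuine, exactly matching folder name."""
    if len(name) != len(legit):
        return False
    differing = sum(1 for a, b in zip(name.lower(), legit.lower()) if a != b)
    return differing == 1


def find_lookalike_dirs(root: str, legit: str = LEGIT_NAME) -> list:
    """Walk `root` (os.walk does not skip hidden folders) and return the paths
    of directories whose names are one-character variants of `legit`. Exact
    matches are ignored, so the real Microsoft.NET folders are not hits."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_lookalike(d, legit):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def demo() -> list:
    """Constructed sample tree (not taken from the thread): two genuine
    Microsoft.NET folders plus one impostor under a profile's Application Data.
    Returns the hits relative to the temporary root, with '/' separators."""
    base = tempfile.mkdtemp()
    for rel in ("Program Files/Microsoft.NET",
                "WINDOWS/Microsoft.NET",
                "Documents and Settings/8CE5/Application Data/M1crosoft.NET",
                "Documents and Settings/8CE5/Application Data/Other"):
        os.makedirs(os.path.join(base, *rel.split("/")))
    return [os.path.relpath(p, base).replace(os.sep, "/")
            for p in find_lookalike_dirs(base)]


if __name__ == "__main__":
    for path in demo():
        print("suspicious folder:", path)
```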
  • edited March 2007
    Here is virustotal.com report:
    STATUS: FINISHED
    Complete scanning result of "sysclasses.dll", received in VirusTotal at 03.19.2007, 20:02:24 (CET).
    Antivirus Version Update Result
    AhnLab-V3 2007.3.20.0 03.19.2007 no virus found
    AntiVir 7.3.1.43 03.19.2007 no virus found
    Authentium 4.93.8 03.17.2007 Not scanned (unknown file format)
    Avast 4.7.936.0 03.19.2007 no virus found
    AVG 7.5.0.447 03.19.2007 no virus found
    BitDefender 7.2 03.19.2007 no virus found
    CAT-QuickHeal 9.00 03.15.2007 no virus found
    ClamAV devel-20070312 03.19.2007 no virus found
    DrWeb 4.33 03.19.2007 no virus found
    eSafe 7.0.14.0 03.19.2007 no virus found
    eTrust-Vet 30.6.3491 03.19.2007 no virus found
    Ewido 4.0 03.19.2007 no virus found
    FileAdvisor 1 03.19.2007 no virus found
    Fortinet 2.85.0.0 03.19.2007 no virus found
    F-Prot 4.3.1.45 03.17.2007 no virus found
    F-Secure 6.70.13030.0 03.19.2007 no virus found
    Ikarus T3.1.1.3 03.19.2007 no virus found
    Kaspersky 4.0.2.24 03.19.2007 no virus found
    McAfee 4987 03.19.2007 no virus found
    Microsoft 1.2306 03.19.2007 no virus found
    NOD32v2 2127 03.19.2007 no virus found
    Norman 5.80.02 03.19.2007 no virus found
    Panda 9.0.0.4 03.19.2007 no virus found
    Prevx1 V2 03.19.2007 no virus found
    Sophos 4.15.0 03.13.2007 no virus found
    Sunbelt 2.2.907.0 03.16.2007 no virus found
    Symantec 10 03.19.2007 no virus found
    TheHacker 6.1.6.077 03.19.2007 no virus found
    UNA 1.83 03.16.2007 no virus found
    VBA32 3.11.2 03.18.2007 no virus found
    VirusBuster 4.3.7:9 03.19.2007 no virus found

    Aditional Information
    File size: 190 bytes
    MD5: 36ab405f1d72c68841a5b341b69c7593
    SHA1: 98532bd9999c99f27af146a9d85ae3bf90620a9b

    ___________________________________


    Here is file.txt:

    Том в устройстве C имеет метку DRIVE_C
    Серийный номер тома: ECEE-F44F
    Содержимое папки C:\Program Files
    04.04.2006 23:13 <DIR> Microsoft.NET
    0 файлов 0 байт
    Содержимое папки C:\WINDOWS
    20.02.2007 23:29 <DIR> Microsoft.NET
    0 файлов 0 байт

    _______________

    Kaspersky has found a lot of viruses etc. in my trash folder in The Bat!, I think it isn't a problem and I'll clean that folder. So, Kaspersky's report is large, you can look at it here (or I can post it here).

    Thank you.
  • edited March 2007
    Oh, you're helping me so much and spending a lot of time, so how can I say "thank you" to you???
  • Rahina-Rescue Finland
    edited March 2007
    Hey Saalse, no problem, I'm just glad I can help you with this :)

    Unfortunately I have to go to school now, but I will post you instructions when I get home ;).

    By the way, may I ask where you are from? Your IP says you're from Russia (Moscow) :)
  • edited March 2007
    Yes, it's true, Russia (Moscow) :)
  • Rahina-Rescue Finland
    edited March 2007
    Hey There. :smiles: u tebja uzhatnij ruskij jazik

    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

    System Restore will now be active again.

    ____________

    Could you please Empty your mailbox Located here

    C:\Program Files\The Bat!\MAIL\roadint\Trash\MESSAGES

    Empty it of all suspicious messages you can find, or just empty the whole folder (I hope you have not opened any of these suspicious messages). If you don't have any important messages saved, you might want to empty the whole mailbox.

    When you are done with this, Please Re-scan using kaspersky and Send a Fresh Report :thumbsup:
  • edited March 2007
    Well done, here you can look at fresh report.
    Before the scan, I cleaned all The Bat!'s trash folders and deleted some exe files (but forgot to clean the recycle bin). I don't know why Kaspersky has found problems in trash; anyway, I've never run such files.

    PS It's more correct to say: u tebja slojnij russkij jazik ;) Yes, it's true :)
  • Rahina-Rescue Finland
    edited March 2007
    Hello, please take a look at that Kaspersky report: you can clearly see the lines which are infected in your mailbox. Please try to find all of them and finally remove them.

    Also open Spybot and empty its Recovery.
    _________


    Download CCleaner. If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.

    Instructions for using CCleaner:
    1. Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
    2. A pop up box will appear advising this process will permanently delete files from your system.
    3. To protect logon cookies that you wish to retain, go to Options > Cookies, select them and, using the arrow, move those cookies to the "Cookies to keep" column.
    4. Then select the items you wish to clean up.
      1. In the Windows Tab:
        • Clean all entries in the "Internet Explorer" section.
        • Clean all the entries in the "Windows Explorer" section.
        • Clean all entries in the "System" section.
        • Clean all entries in the "Advanced" section.
        • Clean any others that you choose.
      2. In the Applications Tab:
        • Clean all in the Firefox/Mozilla section if you use it.
        • Clean all in the Opera section if you use it.
        • Clean Sun Java in the Internet Section.
        • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
    5. Click the "Run Cleaner" button and it will scan and clean your system.
    6. Click exit.
    7. Shutdown/restart the computer.

    Re-scan With Kaspersky and make sure you return with a Clean Report :D:D
  • Rahina-Rescue Finland
    edited March 2007
    Are you still with us ?
  • Rahina-Rescue Finland
    edited April 2007
    Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

    Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, please start a new topic in the Spyware & Virus Removal Forum.

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead :)
  • Rahina-Rescue Finland
    edited October 2007
    Welcome back!

    Please download Deckard's System Scanner (DSS) to your desktop.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - Main.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
    • A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
    • Please also copy the contents of Extra.txt to your post as well.
    • Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
    • What DSS will do:
    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.