
ComboFix log

Hello everyone,

Can someone please help me with instructions on what I have to do next to clean my computer, because I don't understand much of the log generated by ComboFix.

Also, I only found the thread "WARNING: Do NOT run ComboFix" after I had already run the program. If that's true, what can I do to save my computer's data? At the moment I can see that nothing bad has happened to my computer after running ComboFix, and I am not sure what to do next. Also, the link to ComboScan in some other thread turned out to be broken, so I failed to download that program too.

ComboFix log:
ComboFix 08-04-04.1 - User 2008-04-06 18:42:27.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.114 [GMT 4:00]
Running from: D:\BACKUP\DISTRIBUTIVE\AntiVirus\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\kmd.exe
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-05 13:55 . 2008-04-05 13:55 <DIR> d C:\Program Files\Yahoo!
2008-04-01 16:26 . 2008-04-01 16:25 103,182 -r-hs---- C:\mvxm.cmd
2008-03-28 20:57 . 2008-03-28 19:57 103,953 -r-hs---- C:\gjn2pjlw.exe
2008-03-28 09:51 . 2008-03-28 09:51 <DIR> d C:\Documents and Settings\User\Application Data\QQ Games Plugin
2008-03-28 09:45 . 2008-03-28 09:45 <DIR> d C:\Documents and Settings\User\Application Data\acccore
2008-03-28 09:37 . 2008-03-28 09:37 <DIR> d C:\Program Files\Tencent
2008-03-28 09:26 . 2008-03-28 09:26 <DIR> d C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-28 09:26 . 2008-03-28 09:26 21 --a C:\WINDOWS\atid.ini
2008-03-28 09:22 . 2008-03-28 09:22 <DIR> d C:\Program Files\Viewpoint
2008-03-28 09:22 . 2008-03-28 09:22 <DIR> d C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-28 09:21 . 2008-03-28 09:21 <DIR> d C:\Program Files\Common Files\AOL
2008-03-28 09:21 . 2008-03-28 09:21 <DIR> d C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-28 09:21 . 2008-03-28 09:21 <DIR> d C:\Documents and Settings\All Users\Application Data\AOL
2008-03-28 09:18 . 2008-03-28 09:18 <DIR> d C:\Program Files\AIM6
2008-03-28 09:18 . 2008-03-28 09:38 870 --ah C:\IPH.PH
2008-03-23 23:10 . 2003-08-18 02:00 15,360 -r-hs---- C:\aub0wb8.cmd
2008-03-20 17:26 . 2008-03-20 17:27 100,031 -r-hs---- C:\n2de.cmd
2008-03-17 10:31 . 2008-03-17 10:31 <DIR> d C:\Documents and Settings\User\Application Data\skypePM
2008-03-17 10:31 . 2008-03-17 10:31 32 --a C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-17 10:24 . 2008-03-17 10:24 <DIR> d C:\Documents and Settings\User\Application Data\Skype
2008-03-17 10:22 . 2008-03-17 10:22 <DIR> d C:\Program Files\Skype
2008-03-17 10:22 . 2008-03-17 10:22 <DIR> d C:\Program Files\Common Files\Skype
2008-03-17 10:21 . 2008-03-17 10:21 <DIR> d C:\Documents and Settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 14:35 31,052 --sh--r C:\WINDOWS\SYSTEM32\avpo0.dll
2008-03-24 00:17 101,081 ----a-w C:\WINDOWS\SYSTEM32\help.exe.tmp
2008-03-03 04:49 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe
2008-03-01 17:20 106,572 --sh--r C:\oufddh.exe
2008-02-19 15:25 107,052 --sh--r C:\gumkrhf.bat
2008-02-18 05:38 104,946 --sh--r C:\0hct8ybw.bat
2008-02-14 05:24 d w C:\Program Files\VstPlugins
2008-02-14 05:23 d w C:\Program Files\Image-Line
2008-02-14 03:51 102,211 --sh--r C:\x.com
2008-01-12 20:34 105,506 --sh--r C:\d.com
2007-11-16 05:47 266 --sh--w C:\Program Files\desktop.ini
2007-11-16 05:47 11,196 ---h--w C:\Program Files\folder.htt
2007-11-17 17:01 91,744 --sh--r C:\WINDOWS\SYSTEM32\avpo.exe
2007-12-18 18:49 44,608 --sh--r C:\WINDOWS\SYSTEM32\amvo2.dll
2007-05-09 07:12 30,001 --sha-r C:\WINDOWS\SYSTEM32\DRIVERS\spo0lsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}]
2008-03-10 07:47 454144 --a C:\Program Files\ConnectionServices\ConnectionServices.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2003-08-18 02:00 15360]
"SuperCopier2.exe"="D:\BACKUP\DISTRIBUTIVE\SuperCopier2\SuperCopier2.exe" [2006-07-07 19:45 1052672]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-11-17 21:01 91744]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-06-20 06:28 43008]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-07-15 13:43 3259904]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 23:51 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2003-08-18 02:00 15360]

C:\Documents and Settings\User\Главное меню\Программы\Автозагрузка\
WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [2007-10-05 02:07:47 1158656]

C:\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\
Monitor Apache Servers.lnk - D:\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-04-16 14:26:08 41042]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-04 20:27:36 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\FileZilla Client\\filezilla.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 MySQL5;MySQL5;"D:\mysql\bin\mysqld-nt" --defaults-file="D:\mysql\my.ini" MySQL5 []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-05 00:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26c2f2e-a302-11dc-b47b-0030840fe6e7}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 18:44:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\User\LOCALS~1\Temp\mc22.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"D:\mysql\bin\mysqld-nt\" --defaults-file=\"D:\mysql\my.ini\" MySQL5"
.
Completion time: 2008-04-06 18:44:52
ComboFix-quarantined-files.txt 2008-04-06 14:44:50
ComboFix2.txt 2008-02-11 07:37:50
11 папок 313,638,912 байт свободно
14 папок 305,000,448 байт свободно
.
2008-02-14 00:01:28 --- E O F ---
Thanks much in advance,
Dennis.
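The log posted above carries the usual evidence of a USB autorun worm: hidden+system files with random names in the drive root, an Autorun.inf next to them, a MountPoints2 entry that launches a file from a removable drive, and Run values pointing at hidden files. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python triage script that parses log lines in the ComboFix/DSS format shown above and reports those indicators; the sample lines are excerpted from the thread's log, and the finding categories are the editor's own.

```python
"""Triage of ComboFix-style log lines for USB autorun-worm indicators.

Added example (editor's code, not ComboFix's or the thread's). It parses the
three kinds of lines that carry the evidence in the log above:
  * file entries  "<created> [. <modified>] <size|<DIR>> <attrs> <path>"
  * registry key headers "[HKEY_...]" followed by "name"="target" values
  * MountPoints2 lines "\\Shell\\<verb>\\command - <target>"
and reports four defender-side indicators. The category names are the
editor's own; the sample lines are excerpted from the thread's log.
"""
import re
from dataclasses import dataclass

EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".dll", ".scr", ".pif"}

FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"        # creation timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"             # optional ". modified"
    r"\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]+)\s+(?P<path>[A-Za-z]:\\\S.*)$"
)
BARE_PATH = re.compile(r"^[A-Za-z]:\\\S.*$")            # e.g. the "Other Deletions" list
KEY_LINE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
MP_LINE = re.compile(
    r"^(?:\\?Shell\\)?(?P<verb>\w+)\\command\s*-\s*(?P<target>\S.*)$", re.I
)


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _in_drive_root(path: str) -> bool:
    # "C:\x.com" has exactly one backslash; "C:\WINDOWS\x.com" has two
    return path.count("\\") == 1


def triage(lines):
    """Return the Findings for an iterable of log lines (order of appearance)."""
    findings = []
    hidden_exec = {}      # lower-cased path -> attrs, for Run-key correlation
    run_entries = []      # (registry key, value name, target path)
    current_key = ""
    for raw in lines:
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path").strip()
            name = _basename(path).lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if name == "autorun.inf":
                findings.append(Finding("autorun-inf", path, "autorun file in drive root"))
            # hidden AND system together is the signal; hidden alone (C:\IPH.PH) is not
            if "h" in attrs and "s" in attrs and ext in EXEC_EXT:
                hidden_exec[path.lower()] = attrs
                if _in_drive_root(path):
                    findings.append(Finding("hidden-root-executable", path, f"attributes {attrs}"))
            continue
        if BARE_PATH.match(line) and _basename(line).lower() == "autorun.inf":
            findings.append(Finding("autorun-inf", line, "autorun file in drive root"))
            continue
        m = MP_LINE.match(line)
        if m and "mountpoints2" in current_key.lower():
            findings.append(Finding("mountpoints2-autorun", m.group("target").strip(),
                                    f"{m.group('verb')} verb under {current_key}"))
            continue
        m = RUN_LINE.match(line)
        if m and current_key.lower().endswith("\\run"):
            run_entries.append((current_key, m.group("name"), m.group("target")))
    # Autostart values whose target the file listing shows as hidden+system
    for key, name, target in run_entries:
        if target.lower() in hidden_exec:
            findings.append(Finding("run-key-hidden-target", target, f'value "{name}" under {key}'))
    return findings


# Sample input: lines excerpted from the thread's ComboFix/DSS logs
SAMPLE_LOG = r"""
C:\Autorun.inf
C:\kmd.exe
2008-04-05 13:55 . 2008-04-05 13:55 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-01 16:26 . 2008-04-01 16:25 103,182 -r-hs---- C:\mvxm.cmd
2008-03-28 09:18 . 2008-03-28 09:38 870 --ah----- C:\IPH.PH
2008-04-06 19:12:08 103268 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-04-06 14:35 31,052 --sh--r C:\WINDOWS\SYSTEM32\avpo0.dll
2007-11-17 17:01 91,744 --sh--r C:\WINDOWS\SYSTEM32\avpo.exe
2008-02-14 03:51 102,211 --sh--r C:\x.com
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2003-08-18 02:00 15360]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-11-17 21:01 91744]
"amva"="C:\WINDOWS\system32\amvo.exe" [2008-04-06 19:13]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26c2f2e-a302-11dc-b47b-0030840fe6e7}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:26} {f.path:40} {f.detail}")
```

Entries that are merely hidden (C:\IPH.PH) or listed without attributes (C:\kmd.exe in the deletions list) are deliberately not reported, so a helper still reviews the raw log; the script only surfaces the strongest indicators.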

Comments

  • edited April 2008
    Welcome to Icrontic DennisOnline,

    Actually, you do know that starting ComboFix also caused your internal speaker there to sound off two loud beeps, and then posted a large banner stating you should not be running it this way, with an option to say No at that time. However, so far I have not seen a single person ever post saying they stopped at that point and awaited advice in a thread here. Ah, I just noticed you also ran it from a drive other than the root drive there.

    And it did not take out the infection. Regroup time. Make no other changes now please unless we discuss them here. First let's get a different detailed view, then do repairs from that. Do not run ComboFix anymore, but make no other changes related to it.

    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
  • edited April 2008
    Hello!

    Sorry for the delay!!

    I ran DSS and here are the logs it generated. I hope these contain some important information on what's wrong with the computer. Unfortunately, I have a Russian version of Windows XP installed, thus some messages in the logs were generated in Russian, but I hope those errors and messages are common and can be easily recognized by a professional; if not, just let me know and I will translate them into English and post them again.

    Thanks much in advance!

    Dennis.

    main.txt:
    Deckard's System Scanner v20071014.68
    Run by User on 2008-04-11 17:33:25
    Computer is in Normal Mode.

    Backed up registry hives.

    Percentage of Memory in Use: 86% (more than 75%).
    Total Physical Memory: 256 MiB (512 MiB recommended).
    System Drive C: has 0.44 GiB (less than 15%) free.


    -- HijackThis Clone


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-11 17:34:41
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\SYSTEM32\smss.exe
    C:\WINDOWS\SYSTEM32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\services.exe
    C:\WINDOWS\SYSTEM32\lsass.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\spoolsv.exe
    D:\Apache Group\Apache2\bin\Apache.exe
    D:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\SYSTEM32\alg.exe
    D:\Apache Group\Apache2\bin\Apache.exe
    C:\WINDOWS\SYSTEM32\wscntfy.exe
    C:\WINDOWS\SYSTEM32\ctfmon.exe
    D:\BACKUP\DISTRIBUTIVE\SuperCopier2\SuperCopier2.exe
    C:\WINDOWS\SYSTEM32\wuauclt.exe
    D:\Apache Group\Apache2\bin\ApacheMonitor.exe
    D:\mysql\bin\winmysqladmin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\User\Рабочий стол\dss.exe
    C:\WINDOWS\explorer.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ConnectionServices module - {6D7B211A-88EA-490c-BAB9-3600D8D7C503} - C:\Program Files\ConnectionServices\ConnectionServices.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SuperCopier2.exe] D:\BACKUP\DISTRIBUTIVE\SuperCopier2\SuperCopier2.exe
    O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = D:\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{76B75C2A-ABCC-4D90-879F-D4775D00E580}: NameServer = 212.1.104.10,0.0.0.0
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AE891785-96AF-42B0-98A8-B64892C892DE}: NameServer = 212.1.104.3
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O23 - Service: Apache2 - Apache Software Foundation - D:\Apache Group\Apache2\bin\Apache.exe
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\services.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\imapi.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\mnmsrvc.exe
    O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
    O23 - Service: MySQL5 - Unknown owner - D:\mysql\bin\mysqld-nt
    O23 - Service: Служба сетевого DDE (NetDDE) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\netdde.exe
    O23 - Service: Диспетчер сетевого DDE (NetDDEdsdm) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\netdde.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\services.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\scardsvr.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\tlntsvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\SYSTEM32\wbem\wmiapsrv.exe


    --
    End of file - 6631 bytes

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apache2 - "d:\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
    R2 MySql - d:/mysql/bin/mysqld-nt.exe
    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

    S2 MySQL5 - "d:\mysql\bin\mysqld-nt" --defaults-file="d:\mysql\my.ini" mysql5 (file missing)


    -- Device Manager: Disabled

    No disabled devices found.


    -- Files created between 2008-03-11 and 2008-04-11

    2008-04-07 22:41:37 0 d C:\Documents and Settings\User\Application Data\Yahoo!
    2008-04-07 22:41:37 0 d C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-04-07 00:31:12 0 d C:\digitalvideoconverter
    2008-04-07 00:30:45 0 d C:\Program Files\Digital Video Converter
    2008-04-06 19:13:12 70656 -r-hs---- C:\WINDOWS\system32\amvo1.dll
    2008-04-06 19:12:39 103268 -r-hs---- C:\pa39xth.cmd
    2008-04-06 19:12:08 70656 -r-hs---- C:\WINDOWS\system32\amvo0.dll
    2008-04-06 19:12:08 103268 -r-hs---- C:\WINDOWS\system32\amvo.exe
    2008-04-06 18:44:56 53248 --a C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-04-06 18:41:08 68096 --a C:\WINDOWS\zip.exe
    2008-04-06 18:41:08 49152 --a C:\WINDOWS\VFind.exe
    2008-04-06 18:41:08 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-04-06 18:41:08 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-04-06 18:41:08 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-04-06 18:41:08 98816 --a C:\WINDOWS\sed.exe
    2008-04-06 18:41:08 80412 --a C:\WINDOWS\grep.exe
    2008-04-06 18:41:08 73728 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-05 13:55:46 0 d C:\Program Files\Yahoo!
    2008-04-01 16:26:09 103182 -r-hs---- C:\mvxm.cmd
    2008-03-28 20:57:04 103953 -r-hs---- C:\gjn2pjlw.exe
    2008-03-28 09:51:34 0 d C:\Documents and Settings\User\Application Data\QQ Games Plugin
    2008-03-28 09:45:24 0 d C:\Documents and Settings\User\Application Data\acccore
    2008-03-28 09:37:45 0 d C:\Program Files\Tencent
    2008-03-28 09:26:35 0 d C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-03-28 09:22:10 0 d C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-03-28 09:22:05 0 d C:\Program Files\Viewpoint
    2008-03-28 09:21:54 0 d C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-03-28 09:21:53 0 d C:\Documents and Settings\All Users\Application Data\AOL
    2008-03-28 09:21:32 0 d C:\Program Files\Common Files\AOL
    2008-03-28 09:18:16 0 d C:\Program Files\AIM6
    2008-03-20 17:26:19 100031 -r-hs---- C:\n2de.cmd
    2008-03-17 10:31:48 0 d C:\Documents and Settings\User\Application Data\skypePM
    2008-03-17 10:31:48 32 --a C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2008-03-17 10:24:00 0 d C:\Documents and Settings\User\Application Data\Skype
    2008-03-17 10:22:29 0 d C:\Program Files\Skype
    2008-03-17 10:22:22 0 d C:\Program Files\Common Files\Skype
    2008-03-17 10:21:51 0 d C:\Documents and Settings\All Users\Application Data\Skype


    -- Find3M Report

    2008-04-12 06:59:24 31052 -r-hs---- C:\WINDOWS\system32\avpo0.dll
    2008-04-11 17:32:36 0 -rahs---- C:\ntde1ect.com
    2008-03-03 08:49:24 107132 --a C:\WINDOWS\UninstallFirefox.exe
    2008-03-03 08:47:32 3048 --a C:\WINDOWS\mozver.dat
    2008-03-01 21:20:18 106572 -r-hs---- C:\oufddh.exe
    2008-02-19 19:25:18 107052 -r-hs---- C:\gumkrhf.bat
    2008-02-18 09:38:44 104946 -r-hs---- C:\0hct8ybw.bat
    2008-02-14 09:24:48 0 d C:\Program Files\VstPlugins
    2008-02-14 09:23:02 0 d C:\Program Files\Image-Line
    2008-02-14 07:51:34 102211 -r-hs---- C:\x.com
    2008-02-12 17:11:30 346144 --a C:\WINDOWS\system32\perfh019.dat
    2008-02-12 17:11:30 49350 --a C:\WINDOWS\system32\perfc019.dat
    2008-01-13 00:34:24 105506 -r-hs---- C:\d.com


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}]
    07.04.2008 22:42 462336 --a C:\Program Files\ConnectionServices\ConnectionServices.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [16.04.2007 15:28 C:\WINDOWS\soundman.exe]
    "Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 22:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [18.08.2003 02:00]
    "SuperCopier2.exe"="D:\BACKUP\DISTRIBUTIVE\SuperCopier2\SuperCopier2.exe" [07.07.2006 19:45]
    "avpa"="C:\WINDOWS\system32\avpo.exe" [17.11.2007 21:01]
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [20.06.2007 06:28]
    "QIP2005"="C:\Program Files\QIP\qip.exe" [26.03.2008 00:32]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13.10.2004 19:24]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01.02.2008 17:22]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [06.03.2008 23:51]
    "amva"="C:\WINDOWS\system32\amvo.exe" [06.04.2008 19:13]

    C:\Documents and Settings\User\Главное меню\Программы\Автозагрузка\
    WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [05.10.2007 2:07:47]

    C:\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\
    Monitor Apache Servers.lnk - D:\Apache Group\Apache2\bin\ApacheMonitor.exe [16.04.2005 14:26:08]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04.12.2007 20:27:36]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26c2f2e-a302-11dc-b47b-0030840fe6e7}]
    AutoRun\command- F:\ntde1ect.com
    explore\Command- F:\ntde1ect.com
    open\Command- F:\ntde1ect.com




    -- End of Deckard's System Scanner: finished at 2008-04-11 17:37:24

    extra.txt:
    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: Other (0419) - see http://preview.*******.com/mhhp6

    CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
    Percentage of Memory in Use: 89%
    Physical Memory (total/avail): 255.48 MiB / 25.67 MiB
    Pagefile Memory (total/avail): 618.6 MiB / 290.36 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1929.48 MiB

    A: is Removable (No Media)
    C: is Fixed (FAT32) - 24.96 GiB total, 0.44 GiB free.
    D: is Fixed (FAT32) - 30.87 GiB total, 1.48 GiB free.
    E: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - ST360021A - 55.9 GiB - 2 partitions
    \PARTITION0 (bootable) - Unknown - 25.01 GiB - C:
    \PARTITION1 - Расшир. Win95/98 c расшир. IRQ13 - 30.89 GiB - D:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.


    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:bittorrent"
    "C:\\Program Files\\QIP\\qip.exe"="C:\\Program Files\\QIP\\qip.exe:*:Enabled:Quiet Internet Pager"
    "C:\\Program Files\\FileZilla Client\\filezilla.exe"="C:\\Program Files\\FileZilla Client\\filezilla.exe:*:Enabled:FileZilla FTP Client"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\User\Application Data
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DENNIS
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\User
    LOGONSERVER=\\DENNIS
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;D:\mysql\bin
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0204
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
    TMP=C:\DOCUME~1\User\LOCALS~1\Temp
    USERDOMAIN=DENNIS
    USERNAME=User
    USERPROFILE=C:\Documents and Settings\User
    windir=C:\WINDOWS


    -- User Profiles

    User (admin)


    -- Add/Remove Programs

    --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Архиватор WinRAR --> C:\Program Files\WinRAR\uninstall.exe
    Пакет исправлений для Windows XP - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
    Пакет исправлений для Windows XP - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
    Пакет исправлений для Windows XP - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
    Пакет исправлений для Windows XP - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
    Пакет исправлений для Windows XP - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
    Пакет исправлений для Windows XP - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
    Пакет исправлений для Windows XP - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
    Пакет исправлений для Windows XP - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
    Обновление безопасности для Windows XP - (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP - (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB944338) --> "C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB944533) --> "C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB947864) --> "C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
    Обновление безопасности для Windows XP (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
    Обновление безопасности для проигрывателя Windows Media - (KB911564) --> "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
    Обновление безопасности для проигрывателя Windows Media 6.4 - (KB925398) --> "C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
    Обновление безопасности для проигрывателя Windows Media 9 - (KB936782) --> "C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
    Обновление для Windows XP (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
    Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
    Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~1\Install.log
    AIM 6 --> C:\Program Files\AIM6\uninst.exe
    Aim Plugin for QQ Games --> C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE
    Apache HTTP Server 2.0.54 --> MsiExec.exe /I{3A862C7D-0504-48BC-AEF8-7F7479C7C158}
    BitTorrent 5.0.8 --> "C:\Program Files\BitTorrent\uninstall.exe"
    ConnectionServices --> "C:\Program Files\ConnectionServices\Uninstall.exe"
    Digital Video Converter v1.6.0.22 --> "C:\Program Files\Digital Video Converter\Uninstall.exe" "C:\Program Files\Digital Video Converter\install.log" -u
    EditPlus 2 --> C:\Program Files\EditPlus 2\remove.exe
    FileZilla Client 3.0.4.1 --> C:\Program Files\FileZilla Client\uninstall.exe
    FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
    FLV Player --> "C:\WINDOWS\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
    FLV Player 2.0, build 24 --> C:\Program Files\FLV Player\uninst.exe
    Guitar Pro 4.0 --> C:\PROGRA~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\GUITAR~1\INSTALL.LOG
    Guitar Pro 5.0 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
    Ipswitch WS_FTP Home 2007 --> C:\Program Files\InstallShield Installation Information\{11DE2361-9F73-47B3-B638-2F267927E307}\setup.exe -runfromtemp -l0x0009 -removeonly
    Microsoft Office - профессиональный выпуск версии 2003 --> MsiExec.exe /I{90110419-6000-11D3-8CFE-0150048383C9}
    Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MySQL Server 5.0 --> MsiExec.exe /I{8AA037A8-E104-493A-A962-8D58535A0198}
    PADGen 3.0.1.35 --> "C:\Program Files\PADGen\unins000.exe"
    QIP 2005 Uninstall --> "C:\Program Files\QIP\unqip.exe"
    QQ Games --> C:\Program Files\Tencent\QQ Games\Uninstall.EXE
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x19 -removeonly
    Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
    Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
    Worldcraft 3 --> C:\PROGRA~1\WORLDC~1\UNWISE.EXE C:\PROGRA~1\WORLDC~1\INSTALL.LOG
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


    -- Application Event Log

    Event Record #/Type400 / Warning
    Event Submitted/Written: 04/10/2008 10:42:35 PM
    Event ID/Source: 100 / MySQL
    Event Description:
    Can't create test file D:\mysql\Data\dennis.lower-test

    For more information, see Help and Support Center at http://www.mysql.com.

    Event Record #/Type398 / Error
    Event Submitted/Written: 04/08/2008 06:51:10 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Ошибка приложения bittorrent.exe, версия 0.0.0.0, модуль unknown, версия 0.0.0.0, адрес 0x06598324.
    Выполняется специальное событие для [bittorrent.exe!ws!]

    Event Record #/Type397 / Error
    Event Submitted/Written: 04/08/2008 06:23:08 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Ошибка приложения wmplayer.exe, версия 9.0.0.3250, модуль flash.ocx, версия 7.0.14.0, адрес 0x00037999.
    Выполняется специальное событие для [wmplayer.exe!ws!]

    Event Record #/Type357 / Warning
    Event Submitted/Written: 04/06/2008 07:03:26 PM
    Event ID/Source: 100 / MySQL
    Event Description:
    Can't create test file D:\mysql\Data\dennis.lower-test

    For more information, see Help and Support Center at http://www.mysql.com.

    Event Record #/Type349 / Warning
    Event Submitted/Written: 04/01/2008 04:24:09 PM
    Event ID/Source: 100 / MySQL
    Event Description:
    Can't create test file D:\mysql\Data\dennis.lower-test

    For more information, see Help and Support Center at http://www.mysql.com.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type2992 / Warning
    Event Submitted/Written: 04/11/2008 04:42:37 PM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    Достигнут предел безопасности для TCP/IP, налагаемый на количество попыток одновременных TCP-подключений.

    Event Record #/Type2991 / Warning
    Event Submitted/Written: 04/11/2008 08:22:37 AM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    Достигнут предел безопасности для TCP/IP, налагаемый на количество попыток одновременных TCP-подключений.

    Event Record #/Type2990 / Warning
    Event Submitted/Written: 04/12/2008 07:22:38 AM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    Достигнут предел безопасности для TCP/IP, налагаемый на количество попыток одновременных TCP-подключений.

    Event Record #/Type2989 / Warning
    Event Submitted/Written: 04/12/2008 07:00:51 AM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    Достигнут предел безопасности для TCP/IP, налагаемый на количество попыток одновременных TCP-подключений.

    Event Record #/Type2972 / Error
    Event Submitted/Written: 04/12/2008 03:11:01 AM
    Event ID/Source: 7034 / Service Control Manager
    Event Description:
    Служба "MySQL5" неожиданно прервана. Это произошло (раз): 1.



    -- End of Deckard's System Scanner: finished at 2008-04-11 17:37:24
  • edited April 2008
    Some of the specialty scan tools we use, like ComboFix, have some heuristic-type functions that can target unknowns, and I don't think many of them include Russian language systems in their versions. Chancy just applying them on your system, without knowing if they will mistake a system critical item as bad because of this. The computer does have a fairly well documented autoloading infection there.

    I will review some options before just applying the standard approaches I would use, since I cannot provide steps when I myself am not sure of the outcomes. The system has no security software I can see - did you recently uninstall that?

    While I review the tools we can use safely here (and I would suggest not running ComboFix any more now) you can start repairs by going to Add/Remove Programs and uninstalling this undesirable BHO, if it provides the option:

    ConnectionServices
  • edited April 2008
    C: is Fixed (FAT32) - 24.96 GiB total, 0.44 GiB free.
    D: is Fixed (FAT32) - 30.87 GiB total, 1.48 GiB free.
    E: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - ST360021A - 55.9 GiB - 2 partitions
    \PARTITION0 (bootable) - Unknown - 25.01 GiB - C:
    \PARTITION1 - Расшир. Win95/98 c расшир. IRQ13 - 30.89 GiB - D:

    The root drive for this XP install there is nearly maxed out on space, to a point where you will not be able to do common tasks that require temp space while operating. This would include installing the missing antivirus/security software, since it needs to be installed to the root drive to function properly. Not a promising arrangement. What is the D drive used for primarily?
  • edited April 2008
    I am using C drive for Windows and Program Files, and D for storing data, films, music, distributive etc. Also, I installed Apache and MySQL on D drive, because of server files and databases that are important for me. Thus I can almost easily just format C drive and re-install Windows with all my important data saved on D drive.

    Dennis.
  • edited April 2008
    Leaves room for torrent software, but little for security. I overlooked this earlier:
    I hope those errors and messages are common and could be easily recognized by professional

    :smiles: If we need one of those fellows I will surely see if one is available.

    Given the MS core system default setups if we stay away from repair scans that might target the wrong items we should be okay, and we can use Russian sourced scans as well to be sure here. The ComboFix scan created its own ERDNT backup if needed, but I admit I cannot guarantee some language glitch might leave you to call upon that at some point.

    Go here and download Flash_Disinfector.exe and save it to your desktop.

    Double-click on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

    The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well, and leave them installed for the remainder of all repairs here.


    REGEDIT4
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26c2f2e-a302-11dc-b47b-0030840fe6e7}]
    

    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    Download The Avenger by Swandog from here and save it to your Desktop.

    Disconnect from net access, close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

    Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

    Files to delete:
    C:\WINDOWS\system32\avpo0.dll
    C:\WINDOWS\system32\amvo1.dll
    C:\pa39xth.cmd
    C:\WINDOWS\system32\amvo0.dll
    C:\WINDOWS\system32\amvo.exe
    C:\mvxm.cmd
    C:\gjn2pjlw.exe
    C:\n2de.cmd
    C:\oufddh.exe
    C:\gumkrhf.bat
    C:\0hct8ybw.bat
    C:\ntde1ect.com
    C:\x.com
    C:\d.com
    Folders to delete:
    C:\Program Files\ConnectionServices
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}
    


    Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt. You may also get "missing file" errors on reboot, but we will address these after as well.


    Then reconnect to net access and Download Dr.Web CureIt! from here to your Desktop.

    When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)

    Double-click the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.

    Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen. Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.

    When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.

    Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.

    Close Cureit and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later but for now, just close the popup and wait for the scan to finish).


    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post back that log along with the CureIt log and the avenger.txt log please.
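The repair steps in the post above (Flash_Disinfector, the MountPoints2 .reg fix and the Avenger script) all target one thing: an Autorun.inf worm that plants a launcher in the root of every drive plus randomly named .cmd/.bat/.com helpers. The script below is an added example written for this thread; it is not code from the thread, from Flash_Disinfector or from The Avenger. It shows how a defender reads such an Autorun.inf (which directive would hand what file to Explorer) and triages a drive root for loose launcher files before deciding what to quarantine. The Autorun.inf content and the root files are constructed in a temporary directory; the names are modelled on the log in this thread but the directives are assumed, not taken from the actual infection. The hidden+system attribute check only works on Windows and is reported as unknown elsewhere.

```python
"""Autorun.inf triage for drive roots (added example, not from the thread or its tools)."""
import os
import re
import stat
import tempfile

# Directives in the [autorun] section that make Explorer launch a file from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Loose root-level files of these types are what the Avenger script above had to remove.
SUSPICIOUS_ROOT_EXT = {".cmd", ".bat", ".com", ".exe"}

# Constructed sample (assumption): names follow the thread's log, directives are illustrative.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "oPeN=gjn2pjlw.exe\r\n"
    "shell\\open\\Command=gjn2pjlw.exe\r\n"
    "shell\\explore\\Command=gjn2pjlw.exe\r\n"
    "shellexecute=gjn2pjlw.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def parse_autorun(text):
    """Return (directive, target) pairs from the [autorun] section that would run something.

    Tolerant on purpose: droppers pad the file with NUL bytes, junk sections and
    mixed case so that strict INI readers skip the section. Only printable ASCII
    and line breaks are kept, which is enough to recover the launch directives.
    """
    clean = "".join(ch for ch in text if ch in "\r\n" or 32 <= ord(ch) < 127)
    found = []
    in_autorun = False
    for raw in clean.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()
        if key_l in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key_l):
            found.append((key_l, value))
    return found


def is_hidden_system(path):
    """True when a file carries both Hidden and System attributes; None where unsupported."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:  # not Windows: the attribute is not exposed, report unknown
        return None
    hidden = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    system = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)
    return bool(attrs & hidden) and bool(attrs & system)


def triage_drive_root(root):
    """Report the Autorun.inf launch targets and loose launcher-type files at a drive root."""
    report = {"root": root, "autorun_present": False,
              "launch_targets": [], "suspicious_root_files": []}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == "autorun.inf":
            report["autorun_present"] = True
            with open(path, "rb") as fh:
                report["launch_targets"] = parse_autorun(fh.read().decode("latin-1"))
            continue
        if os.path.splitext(name)[1].lower() in SUSPICIOUS_ROOT_EXT:
            report["suspicious_root_files"].append((name, is_hidden_system(path)))
    report["suspicious_root_files"].sort(key=lambda item: item[0])
    return report


def demo():
    """Build a constructed drive root in a temp directory and triage it."""
    with tempfile.TemporaryDirectory(prefix="autorun_triage_") as root:
        with open(os.path.join(root, "Autorun.inf"), "wb") as fh:
            fh.write(SAMPLE_AUTORUN.encode("latin-1") + b"\x00" * 16)  # NUL padding, as droppers do
        for name in ("mvxm.cmd", "gjn2pjlw.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed placeholder, not a real program\n")
        return triage_drive_root(root)


if __name__ == "__main__":
    result = demo()
    print("Autorun.inf present:", result["autorun_present"])
    for directive, target in result["launch_targets"]:
        print("  would launch via %-22s -> %s" % (directive, target))
    for name, hs in result["suspicious_root_files"]:
        print("  loose root file:", name, "(hidden+system)" if hs else "")
```

Run it against a real drive by calling triage_drive_root("E:\\") on the machine being cleaned; a drive whose Autorun.inf points at a root-level file that also shows up as hidden+system is the pattern the Avenger script above removes, and removing Autorun.inf without the launcher (or the reverse) leaves the re-infection path open.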
  • VekaVeka Finland
    edited April 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead :)