Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] ntos.exe problem, part 2

Started by Dmitrio , Apr 24 2008 01:56 AM

  • This topic is locked This topic is locked
2 replies to this topic

#1 Dmitrio

Dmitrio

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 24 April 2008 - 01:56 AM

Hi

Sorry for a delay, but Internet was unavailable for me for some time. I've run SDFix and ComboFix.
Here's the logs.

Also, please, advice some free spyware scanner, because COMODO BOClean is not doing a very good job.



SDFix

SDFix: Version 1.171
Run by Dimkin on 17.04.2008 at 00:03

Microsoft Windows XP ['_абЁп 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 00:13:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????wd??w????????\???\??????????????w-??w\???\??????? ?`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Miranda IM\\miranda32.exe"="C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"D:\\#Install\\_development\\+monitors\\DBGVIEW_forNT\\DBWIN32.EXE"="D:\\#Install\\_development\\+monitors\\DBGVIEW_forNT\\DBWIN32.EXE:*:Enabled:DBWin32 - Debug ouput capture utility"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 8 Apr 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"

Finished!







COMBOFIX log



ComboFix 08-04-15.2 - Dimkin 2008-04-17 0:24:47.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.165 [GMT 3:00]
Running from: C:\Documents and Settings\Dimkin\Рабочий стол\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-17 00:15 . 2008-04-17 00:15 <DIR> d-------- C:\Reports
2008-04-17 00:00 . 2008-04-17 00:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-16 23:53 . 2008-04-15 11:39 <DIR> d-------- C:\SDFix
2008-04-10 08:52 . 2008-04-10 08:52 <DIR> d-------- C:\Documents and Settings\Dimkin\JaBack7-Backup
2008-04-07 21:45 . 2008-04-07 21:45 <DIR> d-------- C:\Program Files\JaBack8
2008-04-07 21:37 . 2008-04-07 21:37 <DIR> d-------- C:\Program Files\Karen's Power Tools
2008-04-07 21:36 . 2008-04-07 21:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Karen's Power Tools
2008-04-07 20:57 . 2008-04-07 20:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\LightScribe
2008-04-07 19:52 . 2008-04-07 19:52 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-04-02 13:46 . 2004-06-10 17:31 135,168 -ra------ C:\WINDOWS\UNDPX2A.exe
2008-04-02 13:46 . 2004-06-10 17:34 53,693 -ra------ C:\WINDOWS\UNDPX2A.sys
2008-04-02 13:46 . 2004-06-10 02:42 15,429 -ra------ C:\WINDOWS\system32\drivers\Sacm2A.sys
2008-03-31 23:15 . 2008-03-31 23:15 <DIR> d-------- C:\Program Files\AClient
2008-03-31 23:08 . 2008-03-31 23:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2008-03-31 22:52 . 2008-03-31 22:52 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-31 22:44 . 2008-03-31 22:44 <DIR> d-------- C:\My InstallShield 10.5 Projects
2008-03-31 22:42 . 2008-03-31 22:42 <DIR> d-------- C:\Program Files\InstallShield 10.5
2008-03-31 22:42 . 2004-08-09 06:04 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-03-26 19:14 . 2008-03-26 22:41 140,186,218 --a------ C:\Zerg_Reveal_FINAL_EnglishUS_XVid.avi
2008-03-17 17:39 . 2008-03-17 17:39 475,136 --a------ C:\WINDOWS\boinc.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 16:07 85,752 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-03-17 18:19 23,800 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-17 18:19 139,008 ----a-w C:\WINDOWS\system32\guard32.dll
2005-05-12 22:22 367 ----a-w C:\Program Files\INSTALL.LOG
2003-12-18 08:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 04:46 10,960 ----a-w C:\Program Files\EULA.txt
1999-03-15 15:00 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1236D836-E9BA-4175-894F-2072A14D5A26}]
2008-03-05 18:19 2465792 --a------ C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840}"= "C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll" [2008-03-05 18:19 2465792]

[HKEY_CLASSES_ROOT\clsid\{3affd7f7-fd3d-4c9d-8f83-03296a1a8840}]
[HKEY_CLASSES_ROOT\TBSB00196.TBSB00196.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00196.TBSB00196]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840}"= C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll [2008-03-05 18:19 2465792]

[HKEY_CLASSES_ROOT\clsid\{3affd7f7-fd3d-4c9d-8f83-03296a1a8840}]
[HKEY_CLASSES_ROOT\TBSB00196.TBSB00196.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00196.TBSB00196]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 13:04 15360]
"Download Master"="C:\Program Files\Download Master\dmaster.exe" [2008-01-25 14:42 3280896]
"Executor"="C:\Program Files\Executor\executor.exe" [2007-12-22 11:11 1000960]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 17:59 2289664]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2007-05-13 17:57 5308416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16 5562368]
"nwiz"="nwiz.exe" [2005-04-01 16:16 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16 86016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 11:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 01:00 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-05 00:14 77824]
"RivaTuner"="C:\Program Files\RivaTuner v2.0 RC 15.7\RivaTuner.exe" [2005-09-09 09:25 2195456]
"TrafficCompressor"="C:\Program Files\TrafficCompressor\TCompres.exe" [2007-01-05 12:27 1511424]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 09:29 579584]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49 338432]
"VEngine"="C:\Program Files\Comodo\VEngine\VEngine.exe" [2007-10-19 22:07 315136]
"SafeSex_Safesex"="C:\Program Files\SafeSex\Safesex.exe" [2002-12-21 02:59 26624]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-17 21:08 1503488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 13:04 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 03:01 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"D:\\#Install\\_development\\+monitors\\DBGVIEW_forNT\\DBWIN32.EXE"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-30 19:07]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-17 21:19]
R2 InterBaseGuardian;InterBase Guardian;C:\PROGRA~1\FIREBIRD\Bin\ibguard.exe [2001-08-08 15:43]
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe [2000-06-08 12:15]
R2 nnCron;nnCron;C:\Program Files\nnCron\nncron.exe [2006-03-21 17:48]
R2 nxsIO32;NextSensor Kernel I/O Driver;C:\WINDOWS\System32\DRIVERS\nxsIO32.sys [2007-09-29 15:53]
R3 InterBaseServer;InterBase Server;C:\PROGRA~1\FIREBIRD\Bin\ibserver.exe [2001-08-08 15:43]
S2 DbgMsg;Debug Message;C:\WINDOWS\System32\Drivers\DbgMsg.sys []
S3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys [2004-04-14 08:52]
S3 S3SAVAGE4M;S3SAVAGE4M;C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 20:50]
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-12-22 22:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dddde60-094a-11dd-af2a-001cea2c4671}]
\shell\explore\Command - boot.exe
\shell\open\Command - boot.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 00:32:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????wd??w????????\???\??????????????w-??w\???\???????p?a??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Executor\hookwinr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGUPSVC.EXE
C:\PROGRAM FILES\COMODO\CBOCLEAN\BOCORE.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE
C:\PROGRAM FILES\COMODO\FIREWALL\CMDAGENT.EXE
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRAM FILES\FIREBIRD\BIN\IBGUARD.EXE
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRAM FILES\MAGICTUNE PREMIUM\MAGICTUNEENGINE.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
C:\PROGRAM FILES\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICE.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\nnCron\nnguard.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\UniChat\unichat.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\wscntfy.exe
C:projects\www.worldcommunitygrid.org\wcg_beta4_6.03_windows_intelx86
.
**************************************************************************
.
Completion time: 2008-04-17 0:39:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 21:38:58

25 папок 1,769,619,456 байт свободно
28 Ї ЇRЄ 1,976,139,776 Ў cв бўRЎR¤-R








New HIJACKTHIS log


Logfile of HijackThis v1.99.1
Scan saved at 01:05, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\FIREBIRD\Bin\ibguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\FIREBIRD\Bin\ibserver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\RivaTuner v2.0 RC 15.7\RivaTuner.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\SafeSex\Safesex.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Download Master\dmaster.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\www.worldcommunitygrid.org\wcg_beta4_6.03_windows_intelx86
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about::blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
R3 - URLSearchHook: (no name) - {32962DFA-1380-4AD1-A288-1B7611F08E10} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TBSB00196 - {1236D836-E9BA-4175-894F-2072A14D5A26} - C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll
O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
O2 - BHO: Comodo VerificationEngine Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
O3 - Toolbar: WebMoney Advisor - {3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840} - C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.7\RivaTuner.exe" /T
O4 - HKLM\..\Run: [TrafficCompressor] C:\Program Files\TrafficCompressor\TCompres.exe /Autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [SafeSex_Safesex] "C:\Program Files\SafeSex\Safesex.exe" /PROFILE=Safesex
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download Master] C:\Program Files\Download Master\dmaster.exe -autorun
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Ярлык для unichat.lnk = C:\Program Files\UniChat\unichat.exe
O4 - Startup: World Community Grid - BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Karen's Replicator.lnk = C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:\Program Files\Download Master\dmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:\Program Files\Download Master\dmie.htm
O9 - Extra button: WebMoney Advisor - {3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840} - C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll
O9 - Extra 'Tools' menuitem: WebMoney Advisor - {3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840} - C:\Program Files\WebMoney Advisor\tbu02037\wmadvisor.dll
O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\trafficcompressor\tcomplsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\trafficcompressor\tcomplsp.dll
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\FIREBIRD\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\FIREBIRD\Bin\ibserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Служба сетевого DDE (NetDDE) - Корпорация Майкрософт - C:\WINDOWS\system32\netdde.exe
O23 - Service: Диспетчер сетевого DDE (NetDDEdsdm) - Корпорация Майкрософт - C:\WINDOWS\system32\netdde.exe
O23 - Service: nnCron - nnSoft - C:\Program Files\nnCron\nncron.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Корпорация Майкрософт - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe

    Advertisements

Register to Remove

#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 25 April 2008 - 07:12 AM

Hi

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    Posted Image

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

#3 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 02 May 2008 - 02:12 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
You too could train to help others- Join the Classroom

Posted Image

Posted Image
Posted Image

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·