
My Computer Is Infected


  • Customer

    Download SmitfraudFix (by S!Ri) to your Desktop.

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

     

     

    ______________________________

     

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press Enter

     

     

    This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

     

     

    IMPORTANT: Do NOT run any other options until you are asked to do so!

     

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.

     

    Please post:

    -C:\rapport.txt

    -a fresh hjt log

  • Customer

    Hi Blade81,

     

    When I run smitfraudfix.cmd a message appears - process.exe is missing. And then the program closes. ????

     

    Nato

  • Customer

    Hi

     

    Turn Nod32 off temporarily and then download & run Smitfraudfix again. Nod may detect process.exe as bad and then delete it -> Smitfraudfix doesn't work.

  • Customer

    Did you extract those files to the desktop first, as instructed, or did you try to run Smitfraudfix straight from the zipped file?

  • Customer

    Hi Blade81,

     

    Nothing different. I think that the first time Nod32 deleted process.exe / I gave Cancel /. After this: Restart - turn off Nod32 - download Smitfraudfix again - run - red screen - message again - Process.exe is missing.

     

    Nato

  • Customer

    Is the folder that appears SmitfraudFix? You don't need to move those files out of the folder. Just do the unzipping and after that you should have a folder named SmitfraudFix on your desktop. Open the folder and there you should find all the right files. Just run Smitfraudfix.cmd there.

  • Customer

    Hi

    I unzipped the file, a folder appeared on the desktop, I moved the files from the folder to the desktop and then ran smitfraudfix.cmd on the desktop.

    Nod32 says that it deleted process.exe

    Nato

  • Customer

    Hi

    This time I did exactly that: ran the file from the folder without moving it, but again a red screen in the program and the same message.

     

    Nato

  • Customer

    Hi

    Maybe I have a problem with the missing file process.exe. But I have created an image file of disk C. May I use it?

     

    Nato

  • Customer

    Hi,

    The file process.exe cannot be unzipped from the zip file. In the same folder on the Desktop this file is missing. Without running Nod32.

     

    Nato

  • Customer

    Hi,

    I feel like a fool. I have tried your instructions many times.

    1. Shut down NOD32 !!!!!!!!!!!!!!

    2. Download Smitfraudfix.zip

    3. Unzip Smitfraudfix.zip

    4. From the folder Smitfraudfix on the Desktop run smitfraudfix.cmd

    5. In the red DOS window of the program Smitfraudfix v 2.235 - message: Process.exe is missing.

    I think that process.exe cannot be unzipped from the zip file. Something is wrong in the zip file!?

    I tried unzipping with Norton Commander, but with no different effect.

     

    In the red window it wrote:

     

    SmitFraudFix v2.235

     

    Fichier Process.exe absent !

    Dezippez la totalité de l'archive dans un dossier.

     

    Process.exe file missing !

    Unzip all the archive in a folder.

     

    Press any key to continue . . .

     

    Nato

  • Customer

    Hi

     

    As I told you in my previous post, you need to shut down Nod before downloading Smitfraudfix.zip. If you don't shut Nod down and begin downloading the zip package, Nod will check it and delete process.exe before you even notice it.

  • Customer

    Hi

     

    I uploaded file for you. It can be found here. Please check that Nod's IMON protection is turned off before downloading.

  • Customer

    In the red window it wrote:

     

    SmitFraudFix v2.235

     

    Fichier Process.exe absent !

    Dezippez la totalité de l'archive dans un dossier.

     

    Process.exe file missing !

    Unzip all the archive in a folder.

     

    Press any key to continue . . .

  • Customer

    Hi,

    I cannot download this file from that site. Can you send me the file with Skype or ICQ?

     

    Nato

  • Customer

    Hi

     

    Since it seems you can't download the file, it's better we try to remove the infection manually.

     

     

     

    Downloading needed applications

    -------------------------------

     

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

    http://www.ewido.net/en/download/


    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security:
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.



    If you are having problems with the updater, you can use this link to manually update ewido.

    AVG Anti-Spyware manual updates.

    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. We will do it a bit later.

     

     

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run ATF yet. We will do it a bit later.

     

     

     

     

    Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.

    To disable AdWatch:

     

    Open AdAware SE.

    Go to AdWatch User Interface.

    Go to Tools and Preferences.

    At the bottom of the screen you will see 2 options Active and Automatic.

    Active: This will turn Ad-Watch On\Off without closing it

    Automatic: Suspicious activity will be blocked automatically

    Uncheck both options. You can enable these after resolving your problem.

     

     

     

     

    Start hjt, click do a system scan only, check:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    O22 - SharedTaskScheduler: bund - {27882a9f-8937-4ae4-87ab-ed669c8b6d7a} - (no file)

    Close browsers & other windows. Then click fix checked.

     

     

     

    Running temp cleaner & AVG Anti-Spyware

    ---------------------------------------

     

     

     

    Double-click ATF Cleaner.exe to open it

     

    Under Main choose:

    Windows Temp

    Current User Temp

    All Users Temp

    Cookies

    Temporary Internet Files

    Prefetch

    Java Cache

    *The other boxes are optional*

    Then click the Empty Selected button.

     

    If you use Firefox:

    Click Firefox at the top and choose: Select All

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

     

    If you use Opera:

    Click Opera at the top and choose: Select All

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

     

    Click Exit on the Main menu to close the program.

     

     

     

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.


    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Unselect Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the Save Scan Report button before you have hit the Apply all Actions button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.



    Reboot.

     

    Post

    -AVG Anti-Spyware log

    -a fresh HJT log.

  • Customer

    Hi,

     

    1. Sorry, I made a mistake. I am very guilty. Sorry again, but I checked Clean instead of Quarantine.

    2. I fixed the files you recommended, but I saw that they are still here.

    3. I think that my VIRUS is still here too.

     

     

    -AVG Anti-Spyware log

    -a fresh HJT log.

     

    ---------------------------------------------------------

    AVG Anti-Spyware - Scan Report

    ---------------------------------------------------------

     

    + Created at: 19:48:34 04.10.2007 г.

     

    + Scan result:

     

     

     

    C:\Documents and Settings\RUSSE\Cookies\russe@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.

     

     

    ::Report end

     

     

     

     

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 21:19:25, on 04.10.2007 г.

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\Program Files\Eset\nod32krn.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Eset\nod32kui.exe

    C:\Program Files\Datecs\FlexType 2K\FType2K.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

    C:\Program Files\Opera\Opera.exe

    C:\Documents and Settings\RUSSE\Desktop\HiJackThis\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

    O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

    O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [iETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [iETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')

    O4 - Global Startup: FlexType 2K.lnk = C:\Program Files\Datecs\FlexType 2K\FType2K.exe

    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .avi: C:\Program Files\Opera\PLUGINS\NPFgc2.dll

    O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O12 - Plugin for .php: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O12 - Plugin for .zip: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E58FED7-F166-4CE6-A3A5-7E4439D50FE0}: NameServer = 212.25.58.2 212.25.58.8

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

     

    --

    End of file - 6235 bytes

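As an added example (not HijackThis code, and not anything the helper in this thread wrote), here is a small Python triage of log lines in the HijackThis format posted above. It applies the two rules the helper's fix list implies: Internet Explorer page settings that are empty or point at C:\WINDOWS\System\blank.htm, and registrations whose target is reported as (no file). The sample logs are constructed from entries in this thread; the second one is shaped like the fresh log posted later, where the O22 entry is gone but the R0 entries remain.

```python
import re

# Constructed sample in HijackThis v2 format, built from entries in this thread.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O22 - SharedTaskScheduler: bund - {27882a9f-8937-4ae4-87ab-ed669c8b6d7a} - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed "fresh" log after the fix attempt: the orphaned O22 entry is gone,
# the four R0 entries are still present (the situation the user reports).
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis entry line starts with a section code (R0, O2, O22, F2 ...),
# then " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# R0/R1 bodies end in "<setting> = <value>"; value may be empty.
IE_PAGE_RE = re.compile(
    r"(Start Page|Local Page|Search Page|SearchAssistant) = ?(?P<value>.*)$")
# The local page the helper asked to fix in this thread (compared case-insensitively).
BLANK_HTM = r"c:\windows\system\blank.htm"


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entry(section, body):
    """Return a reason string if the entry matches one of the two rules, else None."""
    if body.endswith("(no file)"):
        # HijackThis marks registrations whose target no longer exists this way.
        return "orphaned registration, target file absent"
    if section in ("R0", "R1"):
        m = IE_PAGE_RE.search(body)
        if m:
            value = m.group("value").strip().lower()
            if value == "":
                return "IE page setting emptied"
            if value == BLANK_HTM:
                return "IE page redirected to blank.htm"
    return None


def flagged(log_text):
    """All flagged entries as (section, body, reason), in log order."""
    out = []
    for section, body in parse_entries(log_text):
        reason = flag_entry(section, body)
        if reason:
            out.append((section, body, reason))
    return out


def still_present(before_log, after_log):
    """Flagged entries from the first log that reappear verbatim in the fresh log."""
    after = set(parse_entries(after_log))
    return [(s, b, r) for s, b, r in flagged(before_log) if (s, b) in after]


if __name__ == "__main__":
    for section, body, reason in flagged(BEFORE_LOG):
        print(f"flag {section}: {reason}\n    {body}")
    for section, body, _ in still_present(BEFORE_LOG, AFTER_LOG):
        print(f"still present after fix: {section} - {body}")
```

Comparing entries verbatim is deliberate: a fix that only changed the value would produce a different line and therefore no longer count as "still present".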
  • Customer

    Hi

     

    Did you turn Ad-Watch off before fixing those entries with HJT? Please try to fix them again (having Ad-Watch disabled).

     

     

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.



    1. Close all applications and windows.



    2. Double-click on dss.exe to run it, and follow the prompts.


    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.

    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.



  • Customer

    Hi

     

    Show hidden files

    -----------------

    * Click Start.

    * Open My Computer.

    * Select the Tools menu and click Folder Options.

    * Select the View Tab.

    * Under the Hidden files and folders heading select Show hidden files and folders.

    * Uncheck the Hide protected operating system files (recommended) option.

    * Click Yes to confirm.

    * Click OK.

     

     

    Delete following file if found:

    C:\Documents and settings\RUSSE\Local settings\Temp\win13F.tmp.exe

     

    Then I also want you to run ComboFix.

     

     

    1. Download this file - combofix.exe

    2. Double click combofix.exe & follow the prompts.

    3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh hjt log.

     

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

  • Customer

    Hi,

     

    Yes, Ad-Watch was turned off at the time of fixing with HJT and scanning with AVG Anti-Spyware.

     

    main.txt

     

    Deckard's System Scanner v20070905.67

    Run by RUSSE on 2007-10-04 23:01:14

    Computer is in Normal Mode.

    --------------------------------------------------------------------------------

     

    -- System Restore --------------------------------------------------------------

     

    Successfully created a Deckard's System Scanner Restore Point.

     

     

    -- Last 5 Restore Point(s) --

    63: 2007-10-04 20:01:18 UTC - RP141 - Deckard's System Scanner Restore Point

    62: 2007-10-04 09:39:52 UTC - RP140 - System Checkpoint

    61: 2007-10-02 12:37:21 UTC - RP139 - System Checkpoint

    60: 2007-10-01 12:05:21 UTC - RP138 - System Checkpoint

    59: 2007-09-30 11:29:16 UTC - RP137 - System Checkpoint

     

     

    -- First Restore Point --

    1: 2007-07-25 08:04:05 UTC - RP79 - Installed USB 2.0 PC CAMERA

     

     

    Backed up registry hives.

    Performed disk cleanup.

     

    Total Physical Memory: 448 MiB (512 MiB recommended).

     

     

    -- HijackThis (run as RUSSE.exe) -----------------------------------------------

     

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 23:01:41, on 04.10.2007 г.

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\Program Files\Eset\nod32krn.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Datecs\FlexType 2K\FType2K.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Documents and Settings\RUSSE\Desktop\dss.exe

    C:\DOCUME~1\RUSSE\Desktop\HIJACK~1\RUSSE.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

    O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

    O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [iETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [iETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')

    O4 - Global Startup: FlexType 2K.lnk = C:\Program Files\Datecs\FlexType 2K\FType2K.exe

    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .avi: C:\Program Files\Opera\PLUGINS\NPFgc2.dll

    O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O12 - Plugin for .php: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O12 - Plugin for .zip: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

     

    --

    End of file - 6010 bytes

     

    -- HijackThis Fixed Entries (C:\DOCUME~1\RUSSE\Desktop\HIJACK~1\backups\) ------

     

    backup-20071004-192004-659 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    backup-20071004-192004-691 O22 - SharedTaskScheduler: bund - {27882a9f-8937-4ae4-87ab-ed669c8b6d7a} - (no file)

    backup-20071004-192004-869 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    backup-20071004-192004-879 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    backup-20071004-192004-962 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    backup-20071004-223309-453 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    backup-20071004-223309-639 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    backup-20071004-223309-775 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    backup-20071004-223309-995 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

     

    -- File Associations -----------------------------------------------------------

     

    All associations okay.

     

     

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

     

    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

    R3 SNP2STD (USB2.0 PC Camera (SNP2STD)) - c:\windows\system32\drivers\snp2sxp.sys <Not Verified; ; USB2.0 PC Camera driver>

     

     

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

     

    S3 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "c:\program files\tuneup utilities 2006\winstylerthemesvc.exe" <Not Verified; TuneUp Software GmbH; TuneUp Utilities>

     

     

    -- Device Manager: Disabled ----------------------------------------------------

     

    No disabled devices found.

     

     

    -- Scheduled Tasks -------------------------------------------------------------

     

    2007-09-28 17:15:43 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job

     

     

    -- Files created between 2007-09-04 and 2007-10-04 -----------------------------

     

    2007-10-04 18:47:59 0 d-------- C:\Documents and Settings\RUSSE\Application Data\Grisoft

    2007-10-04 18:39:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

    2007-09-28 12:49:41 0 d-------- C:\Program Files\Virtual Hottie 2

    2007-09-28 12:43:42 0 d-------- C:\Program Files\Common Files\GTK

    2007-09-28 12:43:36 233472 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>

    2007-09-25 18:18:58 0 d-------- C:\WINDOWS\%DownloadedProgramFiles%

    2007-09-24 23:53:36 0 d-------- C:\Program Files\ACD Systems

    2007-09-23 12:00:28 0 dr-h----- C:\Documents and Settings\RUSSE\Recent

    2007-09-22 18:31:27 0 d-------- C:\Program Files\Common Files\NSV

    2007-09-21 20:55:57 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll

    2007-09-21 20:55:57 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll

    2007-09-21 20:55:57 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

     

     

    -- Find3M Report ---------------------------------------------------------------

     

    2007-10-04 22:57:07 0 d-------- C:\Program Files\FlashGet

    2007-10-03 20:57:14 0 d-------- C:\Documents and Settings\RUSSE\Application Data\Skype

    2007-10-02 19:39:12 0 d-------- C:\Documents and Settings\RUSSE\Application Data\uTorrent

    2007-09-28 12:43:42 0 d-------- C:\Program Files\Common Files

    2007-09-26 11:36:10 0 d-------- C:\Documents and Settings\RUSSE\Application Data\Lavasoft

    2007-09-26 11:33:37 0 d-------- C:\Program Files\Lavasoft

    2007-09-25 19:59:51 0 d-------- C:\Program Files\Online Services

    2007-09-24 23:53:46 0 d-------- C:\Program Files\Common Files\ACD Systems

    2007-09-24 22:29:41 0 d-------- C:\Program Files\uTorrent

    2007-09-24 19:20:28 0 d-------- C:\Documents and Settings\RUSSE\Application Data\ACD Systems

    2007-09-21 20:56:01 0 d-------- C:\Documents and Settings\RUSSE\Application Data\Simply Super Software

    2007-09-20 22:41:23 0 d-------- C:\Documents and Settings\RUSSE\Application Data\Adobe

    2007-09-20 19:17:34 0 d-------- C:\Program Files\Java

    2007-09-13 21:36:00 0 d-------- C:\Program Files\VirtualDub-... 1.7.1

    2007-08-21 21:49:18 0 d-------- C:\Program Files\Winamp

    2007-08-21 19:40:40 0 d-------- C:\Program Files\Common Files\snp2std

    2007-08-21 19:40:36 0 d--h----- C:\Program Files\InstallShield Installation Information

     

     

    -- Registry Dump ---------------------------------------------------------------

     

    *Note* empty entries & legit default entries are not shown

     

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [16.08.2006 г. 10:35]

    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [23.03.2007 г. 14:43]

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [25.05.2005 г. 12:12]

     

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

    "IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

     

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    FlexType 2K.lnk - C:\Program Files\Datecs\FlexType 2K\FType2K.exe [15.3.2007 г. 20:10:13]

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

    "DisableRegistryTools"=0 (0x0)

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]

    DevDetect.exe -autorun

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]

    C:\PROGRA~1\FlashGet\Flashget.exe /min

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

    "C:\Program Files\ICQLite\ICQLite.exe" -minimize

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    C:\Program Files\Winamp\winampa.exe

     

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

    UxTuneUp

     

    *Newly Created Service* - AVGASCLN

     

     

     

    -- End of Deckard's System Scanner: finished at 2007-10-04 23:02:12 ------------

     

     

     

    extra.txt

     

    Deckard's System Scanner v20070905.67

    Extra logfile - please post this as an attachment with your post.

    --------------------------------------------------------------------------------

     

    -- System Information ----------------------------------------------------------

     

    Microsoft Windows XP Professional (build 2600) SP 2.0

    Architecture: X86; Language: English

     

    CPU 0: AMD Sempron Processor 3000+

    Percentage of Memory in Use: 57%

    Physical Memory (total/avail): 447.23 MiB / 191.54 MiB

    Pagefile Memory (total/avail): 1055.73 MiB / 817.35 MiB

    Virtual Memory (total/avail): 2047.88 MiB / 1979.35 MiB

     

    A: is Removable (No Media)

    C: is Fixed (NTFS) - 11.72 GiB total, 3.96 GiB free.

    D: is Fixed (NTFS) - 95.7 GiB total, 56.82 GiB free.

    E: is Fixed (NTFS) - 78.88 GiB total, 54.47 GiB free.

    F: is CDROM (No Media)

     

    \\.\PHYSICALDRIVE0 - HDT722520DLA380 - 186.31 GiB - 3 partitions

    \PARTITION0 (bootable) - Installable File System - 11.72 GiB - C:

    \PARTITION1 - Extended w/Extended Int 13 - 174.59 GiB - D: - E:

     

     

     

    -- Security Center -------------------------------------------------------------

     

    AUOptions is disabled.

    Windows Internal Firewall is enabled.

     

    FirstRunDisabled is set.

    AntiVirusDisableNotify is set.

    FirewallDisableNotify is set.

    UpdatesDisableNotify is set.

     

    AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

     

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

     

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    "C:\\DOCUME~1\\RUSSE\\LOCALS~1\\Temp\\win13F.tmp.exe"="C:\\DOCUME~1\\RUSSE\\LOCALS~1\\Temp\\win13F.tmp.exe:*:Enabled:win13F.tmp"

    "C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"

    "C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"

    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"

    "C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Disabled:Opera Internet Browser"

    "C:\\Program Files\\Networx-BG\\Helper\\winvnc.exe"="C:\\Program Files\\Networx-BG\\Helper\\winvnc.exe:192.168.11.0/255.255.255.0:Enabled:Networx-BG Helper VNC"

    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

     

     

    -- Environment Variables -------------------------------------------------------

     

    ALLUSERSPROFILE=C:\Documents and Settings\All Users

    APPDATA=C:\Documents and Settings\RUSSE\Application Data

    CLASSPATH=C:\Program Files\Java\j2re1.4.2_04\lib\ext\QTJava.zip

    CLIENTNAME=Console

    CommonProgramFiles=C:\Program Files\Common Files

    COMPUTERNAME=VASKO

    ComSpec=C:\WINDOWS\system32\cmd.exe

    FP_NO_HOST_CHECK=NO

    HOMEDRIVE=C:

    HOMEPATH=\Documents and Settings\RUSSE

    LOGONSERVER=\\VASKO

    NUMBER_OF_PROCESSORS=1

    OS=Windows_NT

    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\

    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

    PROCESSOR_ARCHITECTURE=x86

    PROCESSOR_IDENTIFIER=x86 Family 15 Model 79 Stepping 2, AuthenticAMD

    PROCESSOR_LEVEL=15

    PROCESSOR_REVISION=4f02

    ProgramFiles=C:\Program Files

    PROMPT=$P$G

    QTJAVA=C:\Program Files\Java\j2re1.4.2_04\lib\ext\QTJava.zip

    SESSIONNAME=Console

    SystemDrive=C:

    SystemRoot=C:\WINDOWS

    TEMP=C:\DOCUME~1\RUSSE\LOCALS~1\Temp

    TMP=C:\DOCUME~1\RUSSE\LOCALS~1\Temp

    USERDOMAIN=VASKO

    USERNAME=RUSSE

    USERPROFILE=C:\Documents and Settings\RUSSE

    windir=C:\WINDOWS

    __COMPAT_LAYER=DisableNXShowUI

     

     

    -- User Profiles ---------------------------------------------------------------

     

    RUSSE (admin)

     

     

    -- Add/Remove Programs ---------------------------------------------------------

     

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

    ACDSee Pro 2 --> MsiExec.exe /I{4AAC95F4-A30E-4EE5-A086-6F79581D0D70}

    Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

    Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}

    ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63B8997E-EB2D-41D3-984C-C44D6D67A571}\SETUP.EXE" -l0x9

    AVerTV --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8DF56C91-281F-4C15-B954-F45FDC919568} /l1033

    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe

    BSPlayer --> "C:\Program Files\Webteh\BSplayer\uninstall.exe"

    FlashGet(Jetcar) 1.81 --> C:\PROGRA~1\FlashGet\_UNWISE.EXE

    FlexType 2K --> C:\PROGRA~1\Datecs\FLEXTY~1\UNWISE.EXE C:\PROGRA~1\Datecs\FLEXTY~1\INSTALL.LOG

    Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}

    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"

    Helper --> MsiExec.exe /I{9964DA70-CA9D-48BD-93E6-19F121143958}

    High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

    HijackThis 2.0.2 --> "C:\Documents and Settings\RUSSE\Desktop\HiJackThis\HijackThis.exe" /uninstall

    ICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE

    ICQ Toolbar --> regsvr32 /u /s "C:\Program Files\ICQToolbar\toolbaru.dll"

    Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}

    Java 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}

    K-Lite Codec Pack 3.01 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"

    Microsoft Office XP Professional --> MsiExec.exe /I{90110402-6000-11D3-8CFE-0050048383C9}

    Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348) --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

    MV2Player (remove only) --> C:\Program Files\Mv2Player\uninst.exe

    Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

    NOD32 Antivirus System --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL

    NVIDIA Drivers --> C:\WINDOWS\system32\nvunrm.exe UninstallGUI

    Opera --> C:\PROGRA~1\Opera\UnInst\unwise.exe C:\PROGRA~1\Opera\UnInst\Install.log

    Opera Plug-in for FlashGet --> C:\PROGRA~1\Opera\Plugins\FlashGet\UNWISE.EXE C:\PROGRA~1\Opera\Plugins\FlashGet\INSTALL.LOG

    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall

    QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033

    Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly

    Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}

    Total Commander (Remove or Repair) --> C:\Program Files\TotalCmder\tcuninst.exe

    TuneUp Utilities 2006 --> MsiExec.exe /I{868D7896-99D4-4513-BC62-2B3AD3E24926}

    Ultra Video Converter 2.2.0 --> "C:\Program Files\Ultra Video Converter\unins000.exe"

    Ultra Video Joiner 4.1.0 --> "C:\Program Files\Ultra Video Joiner\unins000.exe"

    Ultra Video Splitter 4.0.4 --> "C:\Program Files\Ultra Video Splitter\unins000.exe"

    USB 2.0 PC CAMERA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\Setup.exe" -l0x9

    Virtual Hottie 2 --> C:\Program Files\Virtual Hottie 2\Default\Q3DUnInst.exe

    Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"

    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

    µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"

    µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL

     

     

    -- Application Event Log -------------------------------------------------------

     

    Event Record #/Type270 / Error

    Event Submitted/Written: 10/04/2007 04:21:59 PM

    Event ID/Source: 1000 / Application Error

    Event Description:

    Faulting application decoder.exe, version 0.0.0.0, faulting module decoder.exe, version 0.0.0.0, fault address 0x005d9085.

    Processing media-specific event for [decoder.exe!ws!]

     

    Event Record #/Type269 / Error

    Event Submitted/Written: 10/04/2007 04:21:44 PM

    Event ID/Source: 1000 / Application Error

    Event Description:

    Faulting application decoder.exe, version 0.0.0.0, faulting module decoder.exe, version 0.0.0.0, fault address 0x005d9085.

    Processing media-specific event for [decoder.exe!ws!]

     

    Event Record #/Type268 / Error

    Event Submitted/Written: 10/04/2007 04:20:46 PM

    Event ID/Source: 1000 / Application Error

    Event Description:

    Faulting application decoder.exe, version 0.0.0.0, faulting module decoder.exe, version 0.0.0.0, fault address 0x005d9085.

    Processing media-specific event for [decoder.exe!ws!]

     

    Event Record #/Type252 / Warning

    Event Submitted/Written: 09/30/2007 05:33:37 PM

    Event ID/Source: 1001 / MsiInstaller

    Event Description:

    Detection of product '{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}', feature 'Phone' failed during request for component '{57FF4446-590E-4894-AE39-D55928DBDE01}'

     

    Event Record #/Type251 / Warning

    Event Submitted/Written: 09/30/2007 05:33:37 PM

    Event ID/Source: 1004 / MsiInstaller

    Event Description:

    Detection of product '{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}', feature 'Phone', component '{7A702427-1ED2-4768-88B7-F563D4703DDC}' failed. The resource 'HKEY_LOCAL_MACHINE\Software\Classes\{327C8820-8DED-4BD2-A7F6-D07B9DD5698F}\' does not exist.

     

     

     

    -- Security Event Log ----------------------------------------------------------

     

    No Errors/Warnings found.

     

     

    -- System Event Log ------------------------------------------------------------

     

    Event Record #/Type7913 / Error

    Event Submitted/Written: 10/04/2007 08:49:46 PM

    Event ID/Source: 3095 / NETLOGON

    Event Description:

    This computer is configured as a member of a workgroup, not as

    a member of a domain. The Netlogon service does not need to run in this

    configuration.

     

    Event Record #/Type7899 / Error

    Event Submitted/Written: 10/04/2007 05:40:32 PM

    Event ID/Source: 59 / SideBySide

    Event Description:

    Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.

    Reference error message: The operation completed successfully.

    .

     

    Event Record #/Type7898 / Error

    Event Submitted/Written: 10/04/2007 05:40:32 PM

    Event ID/Source: 59 / SideBySide

    Event Description:

    Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.

    Reference error message: The referenced assembly is not installed on your system.

    .

     

    Event Record #/Type7897 / Error

    Event Submitted/Written: 10/04/2007 05:40:32 PM

    Event ID/Source: 32 / SideBySide

    Event Description:

    Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

     

    Event Record #/Type7896 / Error

    Event Submitted/Written: 10/04/2007 05:40:32 PM

    Event ID/Source: 59 / SideBySide

    Event Description:

    Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.

    Reference error message: The operation completed successfully.

    .

     

     

     

    -- End of Deckard's System Scanner: finished at 2007-10-04 23:02:12 ------------

    0
  • Customer

    Hi

     

    The log looks clean but you said before that it looks like the virus is still there. Could you describe the symptoms a bit?

    0
  • Customer

    Hi,

    I did everything. There isn't any win13F.tmp.exe. Here are Combofix.log and Hjt.log.

     

     

    ComboFix 07-10-06.3 - RUSSE 2007-10-06 17:48:46.1 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.178 [GMT 3:00]

    Running from: C:\Documents and Settings\RUSSE\Desktop\ComboFix.exe

    * Created a new restore point

    .

     

    ((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))

    .

     

    2007-10-06 17:47 51,200 --a------ C:\WINDOWS\NirCmd.exe

    2007-10-04 23:01 <DIR> d-------- C:\Deckard

    2007-10-04 18:39 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

    2007-09-28 12:49 <DIR> d-------- C:\Program Files\Virtual Hottie 2

    2007-09-28 12:43 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll

    2007-09-28 12:43 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll

    2007-09-28 12:43 <DIR> d-------- C:\Program Files\Common Files\GTK

    2007-09-25 18:18 <DIR> d-------- C:\WINDOWS\%DownloadedProgramFiles%

    2007-09-25 18:14 23,552 --a------ C:\WINDOWS\system32\normaliz.dll

    2007-09-24 23:53 <DIR> d-------- C:\Program Files\ACD Systems

    2007-09-22 18:31 <DIR> d-------- C:\Program Files\Common Files\NSV

    2007-09-21 20:55 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll

    2007-09-21 20:55 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll

    2007-09-21 20:55 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2007-10-06 17:45 --------- d-------- C:\Program Files\FlashGet

    2007-10-05 22:43 --------- d-------- C:\Documents and Settings\RUSSE\Application Data\Skype

    2007-10-05 21:14 --------- d-------- C:\Documents and Settings\RUSSE\Application Data\uTorrent

    2007-10-05 13:18 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

    2007-09-26 11:36 --------- d-------- C:\Documents and Settings\RUSSE\Application Data\Lavasoft

    2007-09-26 11:33 --------- d-------- C:\Program Files\Lavasoft

    2007-09-24 23:53 --------- d-------- C:\Program Files\Common Files\ACD Systems

    2007-09-24 23:53 --------- d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems

    2007-09-24 22:29 --------- d-------- C:\Program Files\uTorrent

    2007-09-24 19:20 --------- d-------- C:\Documents and Settings\RUSSE\Application Data\ACD Systems

    2007-09-21 20:56 --------- d-------- C:\Documents and Settings\RUSSE\Application Data\Simply Super Software

    2007-09-13 21:36 --------- d-------- C:\Program Files\VirtualDub-... 1.7.1

    2007-08-21 21:49 --------- d-------- C:\Program Files\Winamp

    2007-08-21 19:40 --------- d--h----- C:\Program Files\InstallShield Installation Information

    2007-08-21 19:40 --------- d-------- C:\Program Files\Common Files\snp2std

    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

    .

     

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-16 10:35]

    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-23 14:43]

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12]

     

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

    "IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

     

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    FlexType 2K.lnk - C:\Program Files\Datecs\FlexType 2K\FType2K.exe [2007-03-15 20:10:13]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]

    DevDetect.exe -autorun

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]

    C:\PROGRA~1\FlashGet\Flashget.exe /min

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

    "C:\Program Files\ICQLite\ICQLite.exe" -minimize

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    C:\Program Files\Winamp\winampa.exe

     

    R2 CX23880;AVerMedia, AVerTV Video Capture;C:\WINDOWS\system32\drivers\cx88vid.sys

    R2 CX88XBAR;AVerMedia, AVerTV Crossbar (88x);C:\WINDOWS\system32\drivers\CX88XBAR.sys

    R2 CXTUNE;AVerMedia AVerTV Tuner Service (88x);C:\WINDOWS\system32\drivers\CX88TUNE.sys

    R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs

    R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys

    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS

     

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

    UxTuneUp

     

    *Newly Created Service* - CATCHME

    .

    Contents of the 'Scheduled Tasks' folder

    "2007-10-05 14:15:35 C:\WINDOWS\Tasks\1-Click Maintenance.job"

    .

    **************************************************************************

     

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2007-10-06 17:49:48

    Windows 5.1.2600 Service Pack 2 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    Completion time: 2007-10-06 17:50:31

    .

    --- E O F ---

     

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 18:32:14, on 06.10.2007 г.

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\Program Files\Eset\nod32krn.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Datecs\FlexType 2K\FType2K.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Documents and Settings\RUSSE\Desktop\HiJackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

    O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll

    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

    O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [iETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [iETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')

    O4 - Global Startup: FlexType 2K.lnk = C:\Program Files\Datecs\FlexType 2K\FType2K.exe

    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .avi: C:\Program Files\Opera\PLUGINS\NPFgc2.dll

    O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O12 - Plugin for .php: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O12 - Plugin for .zip: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

     

    --

    End of file - 5852 bytes

    0
  • Customer

    Hi Blade81,

     

    Nothing has changed since my first post.

     

    My Ad-Aware SE Professional still permanently discovers this virus Win32.Trojandownloader.Zlob, in particular after running Internet Explorer. When I use Opera I don't find any viruses, but when I turn on Internet Explorer, Ad-Aware shows after scanning that the computer has a critical object. I can't manually clean the registry value {f06e2abe-3a50-4079-be25-fc100d9eaa25} from the computer. For this value take a look in the Ad-Aware log below. I cleaned it, but after a time it appears again. So it is present in the computer's registry and in the anti-spy program. Technicians from our network company told me that I have a permanent connection with some server, but when they tried to open this link the page was blank??? I also have problems with my Internet Explorer home page. When I start my browser, the home page mysteriously changes. I change it back manually, but before long it changes back again.

     

    I will show you 2 Ad-Aware logs that I made within a short time - 5 min. After the first (2 critical objects) I cleaned everything!!! In the second (after 5 min.) you will see the Win32.Trojandownloader.Zlob object again (after cleaning).

     

    Nato

     

    1.

     

     

    Ad-Aware SE Build 1.06r1

    Logfile Created on:07 Октомври 2007 г. 20:04:15

    Using definitions file:SE1R194 01.10.2007

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    References detected during the scan:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    MRU List(TAC index:0):14 total references

    Win32.Trojandownloader.Zlob(TAC index:10):2 total references

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Ad-Aware SE Settings

    ===========================

    Set : Search for negligible risk entries

    Set : Search for low-risk threats

    Set : Safe mode (always request confirmation)

    Set : Scan active processes

    Set : Scan registry

    Set : Deep-scan registry

    Set : Scan my IE Favorites for banned URLs

    Set : Scan my Hosts file

     

    Extended Ad-Aware SE Settings

    ===========================

    Set : Unload recognized processes & modules during scan

    Set : Scan registry for all users instead of current user only

    Set : Automatically check all objects in results lists

    Set : Always try to unload modules before deletion

    Set : During removal, unload Explorer and IE if necessary

    Set : Let Windows remove files in use at next reboot

    Set : Delete quarantined objects after restoring

    Set : Deactivate Ad-Watch during Ad-Aware scans

    Set : Automatically select problematic objects in results lists

    Set : Include basic Ad-Aware settings in log file

    Set : Include additional Ad-Aware settings in log file

    Set : Include reference summary in log file

    Set : Include alternate data stream details in log file

    Set : Show splash screen

    Set : Remember window positions

    Set : Backup current definitions file before updating

    Set : Play sound at scan completion if scan locates critical objects

     

     

    07.10.2007 г. 20:04:15 - Scan started. (Smart mode)

     

    Listing running processes

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    #:1 [smss.exe]

    FilePath : \SystemRoot\System32\

    ProcessID : 440

    ThreadCreationTime : 07.10.2007 г. 16:06:17

    BasePriority : Normal

     

     

    #:2 [csrss.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 504

    ThreadCreationTime : 07.10.2007 г. 16:06:18

    BasePriority : Normal

     

     

    #:3 [winlogon.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 528

    ThreadCreationTime : 07.10.2007 г. 16:06:19

    BasePriority : High

     

     

    #:4 [services.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 572

    ThreadCreationTime : 07.10.2007 г. 16:06:20

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Services and Controller app

    InternalName : services.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : services.exe

     

    #:5 [lsass.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 584

    ThreadCreationTime : 07.10.2007 г. 16:06:20

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : LSA Shell (Export Version)

    InternalName : lsass.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : lsass.exe

     

    #:6 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 732

    ThreadCreationTime : 07.10.2007 г. 16:06:20

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:7 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 788

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:8 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 832

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:9 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 884

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:10 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 936

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:11 [spoolsv.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1260

    ThreadCreationTime : 07.10.2007 г. 16:06:23

    BasePriority : Normal

    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

    ProductVersion : 5.1.2600.2696

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Spooler SubSystem App

    InternalName : spoolsv.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : spoolsv.exe

     

    #:12 [explorer.exe]

    FilePath : C:\WINDOWS\

    ProcessID : 1284

    ThreadCreationTime : 07.10.2007 г. 16:06:23

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Windows Explorer

    InternalName : explorer

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : EXPLORER.EXE

     

    #:13 [guard.exe]

    FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\

    ProcessID : 1436

    ThreadCreationTime : 07.10.2007 г. 16:06:24

    BasePriority : Normal

    FileVersion : 7, 5, 1, 22

    ProductVersion : 7, 5, 1, 22

    ProductName : AVG Anti-Spyware

    CompanyName : GRISOFT s.r.o.

    FileDescription : AVG Anti-Spyware guard

    InternalName : AVG Anti-Spyware guard

    LegalCopyright : Copyright © 2007 GRISOFT s.r.o.

    OriginalFilename : guard.exe

     

    #:14 [nod32krn.exe]

    FilePath : C:\Program Files\Eset\

    ProcessID : 1500

    ThreadCreationTime : 07.10.2007 г. 16:06:25

    BasePriority : Normal

    FileVersion : 2, 70, 32

    ProductVersion : 2, 70, 32

    ProductName : NOD32 Antivirus System

    CompanyName : Eset

    FileDescription : NOD32 Kernel Service

    InternalName : NOD32 Kernel

    LegalCopyright : Copyright © 1992-2005 Eset

    LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset

    OriginalFilename : nod32krn.exe

     

    #:15 [nvsvc32.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1536

    ThreadCreationTime : 07.10.2007 г. 16:06:25

    BasePriority : Normal

    FileVersion : 6.14.10.9148

    ProductVersion : 6.14.10.9148

    ProductName : NVIDIA Driver Helper Service, Version 91.48

    CompanyName : NVIDIA Corporation

    FileDescription : NVIDIA Driver Helper Service, Version 91.48

    InternalName : NVSVC

    LegalCopyright : © NVIDIA Corporation. All rights reserved.

    OriginalFilename : nvsvc32.exe

     

    #:16 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1584

    ThreadCreationTime : 07.10.2007 г. 16:06:26

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:17 [nod32kui.exe]

    FilePath : C:\Program Files\Eset\

    ProcessID : 1684

    ThreadCreationTime : 07.10.2007 г. 16:06:27

    BasePriority : Normal

    FileVersion : 2, 70, 32

    ProductVersion : 2, 70, 32

    ProductName : NOD32 Antivirus System

    CompanyName : Eset

    FileDescription : NOD32 Control Center GUI

    InternalName : NOD32 Control Center GUI

    LegalCopyright : Copyright © 1992-2005 Eset

    LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset

    OriginalFilename : nod32kui.exe

     

    #:18 [ad-watch.exe]

    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\

    ProcessID : 1712

    ThreadCreationTime : 07.10.2007 г. 16:06:28

    BasePriority : High

    FileVersion : 3.1.2.17

    ProductVersion : 3.2

    ProductName : Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Watch System Protector

    InternalName : Ad-Watch.exe

    LegalCopyright : 1999-2004 Team Lavasoft

    OriginalFilename : Ad-Watch.exe

     

    #:19 [ftype2k.exe]

    FilePath : C:\Program Files\Datecs\FlexType 2K\

    ProcessID : 1812

    ThreadCreationTime : 07.10.2007 г. 16:06:30

    BasePriority : Normal

     

     

    #:20 [alg.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 688

    ThreadCreationTime : 07.10.2007 г. 16:06:42

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Application Layer Gateway Service

    InternalName : ALG.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : ALG.exe

     

    #:21 [opera.exe]

    FilePath : C:\Program Files\Opera\

    ProcessID : 1688

    ThreadCreationTime : 07.10.2007 г. 16:07:15

    BasePriority : Normal

    FileVersion : 8643

    ProductVersion : 9.10

    ProductName : Opera Internet Browser

    CompanyName : Opera Software

    FileDescription : Opera Internet Browser

    InternalName : Opera

    LegalCopyright : Copyright © Opera Software 1995-2006

    OriginalFilename : Opera.exe

     

    #:22 [diction.exe]

    FilePath : C:\Program Files\SADictionary\

    ProcessID : 3712

    ThreadCreationTime : 07.10.2007 г. 16:13:54

    BasePriority : Normal

    FileVersion : 6.2.0.0

    ProductVersion : 6.2.0.0

    ProductName : SA Dictionary 2005 T2

    CompanyName : Stefan Angelov

    FileDescription : SA Dictionary Application File

    LegalCopyright : 2005

    OriginalFilename : Diction.exe

     

    #:23 [ad-aware.exe]

    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\

    ProcessID : 1680

    ThreadCreationTime : 07.10.2007 г. 17:04:03

    BasePriority : Normal

    FileVersion : 6.2.0.238

    ProductVersion : SE 106

    ProductName : Lavasoft Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Aware SE Core application

    InternalName : Ad-Aware.exe

    LegalCopyright : Copyright © Lavasoft AB Sweden

    OriginalFilename : Ad-Aware.exe

    Comments : All Rights Reserved

     

    Memory scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 0

     

     

    Started registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Registry Scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 0

     

     

    Started deep registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Deep registry scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 0

     

    Win32.Trojandownloader.Zlob Object Recognized!

    Type : RegValue

    Data :

    TAC Rating : 10

    Category : Malware

    Comment :

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\internet explorer\toolbar\Webbrowser

    Value : {f06e2abe-3a50-4079-be25-fc100d9eaa25}

     

     

    Started Tracking Cookie scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

     

    Tracking cookie scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

     

     

     

    Deep scanning and examining files...

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Disk Scan Result for C:\WINDOWS

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

     

    Disk Scan Result for C:\WINDOWS\system32

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

     

    Disk Scan Result for C:\DOCUME~1\RUSSE\LOCALS~1\Temp\

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

     

     

    Scanning Hosts file......

    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Hosts file scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    1 entries scanned.

    New critical objects:0

    Objects found so far: 1

     

     

     

    MRU List Object Recognized!

    Location: : C:\Documents and Settings\RUSSE\recent

    Description : list of recently opened documents

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct3d

     

     

    MRU List Object Recognized!

    Location: : software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct3d

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct X

     

     

    MRU List Object Recognized!

    Location: : software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct X

     

     

    MRU List Object Recognized!

    Location: : software\microsoft\directdraw\mostrecentapplication

    Description : most recent application to use microsoft directdraw

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\directinput\mostrecentapplication

    Description : most recent application to use microsoft directinput

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\directinput\mostrecentapplication

    Description : most recent application to use microsoft directinput

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\internet explorer\typedurls

    Description : list of recently entered addresses in microsoft internet explorer

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

    Description : list of recent programs opened

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

    Description : list of recently saved files, stored according to file extension

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs

    Description : list of recent documents opened

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\nico mak computing\winzip\filemenu

    Description : winzip recently used archives

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\windows media\wmsdk\general

    Description : windows media sdk

     

     

     

    Performing conditional scans...

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Win32.Trojandownloader.Zlob Object Recognized!

    Type : Regkey

    Data :

    TAC Rating : 10

    Category : Malware

    Comment :

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\rfc1156agent

     

    Conditional scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 1

    Objects found so far: 16

     

    20:05:14 Scan Complete

     

    Summary Of This Scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Total scanning time:00:00:58.500

    Objects scanned:102594

    Objects identified:2

    Objects ignored:0

    New critical objects:2

     

     

     

     

    2.

     

     

    Ad-Aware SE Build 1.06r1

    Logfile Created on:07 Октомври 2007 г. 20:08:51

    Using definitions file:SE1R194 01.10.2007

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    References detected during the scan:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    MRU List(TAC index:0):2 total references

    Win32.Trojandownloader.Zlob(TAC index:10):1 total references

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Ad-Aware SE Settings

    ===========================

    Set : Search for negligible risk entries

    Set : Search for low-risk threats

    Set : Safe mode (always request confirmation)

    Set : Scan active processes

    Set : Scan registry

    Set : Deep-scan registry

    Set : Scan my IE Favorites for banned URLs

    Set : Scan my Hosts file

     

    Extended Ad-Aware SE Settings

    ===========================

    Set : Unload recognized processes & modules during scan

    Set : Scan registry for all users instead of current user only

    Set : Automatically check all objects in results lists

    Set : Always try to unload modules before deletion

    Set : During removal, unload Explorer and IE if necessary

    Set : Let Windows remove files in use at next reboot

    Set : Delete quarantined objects after restoring

    Set : Deactivate Ad-Watch during Ad-Aware scans

    Set : Automatically select problematic objects in results lists

    Set : Include basic Ad-Aware settings in log file

    Set : Include additional Ad-Aware settings in log file

    Set : Include reference summary in log file

    Set : Include alternate data stream details in log file

    Set : Show splash screen

    Set : Remember window positions

    Set : Backup current definitions file before updating

    Set : Play sound at scan completion if scan locates critical objects

     

     

    07.10.2007 г. 20:08:51 - Scan started. (Smart mode)

     

    Listing running processes

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    #:1 [smss.exe]

    FilePath : \SystemRoot\System32\

    ProcessID : 440

    ThreadCreationTime : 07.10.2007 г. 16:06:17

    BasePriority : Normal

     

     

    #:2 [csrss.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 504

    ThreadCreationTime : 07.10.2007 г. 16:06:18

    BasePriority : Normal

     

     

    #:3 [winlogon.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 528

    ThreadCreationTime : 07.10.2007 г. 16:06:19

    BasePriority : High

     

     

    #:4 [services.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 572

    ThreadCreationTime : 07.10.2007 г. 16:06:20

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Services and Controller app

    InternalName : services.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : services.exe

     

    #:5 [lsass.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 584

    ThreadCreationTime : 07.10.2007 г. 16:06:20

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : LSA Shell (Export Version)

    InternalName : lsass.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : lsass.exe

     

    #:6 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 732

    ThreadCreationTime : 07.10.2007 г. 16:06:20

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:7 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 788

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:8 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 832

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:9 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 884

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:10 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 936

    ThreadCreationTime : 07.10.2007 г. 16:06:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:11 [spoolsv.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1260

    ThreadCreationTime : 07.10.2007 г. 16:06:23

    BasePriority : Normal

    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

    ProductVersion : 5.1.2600.2696

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Spooler SubSystem App

    InternalName : spoolsv.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : spoolsv.exe

     

    #:12 [explorer.exe]

    FilePath : C:\WINDOWS\

    ProcessID : 1284

    ThreadCreationTime : 07.10.2007 г. 16:06:23

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Windows Explorer

    InternalName : explorer

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : EXPLORER.EXE

     

    #:13 [guard.exe]

    FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\

    ProcessID : 1436

    ThreadCreationTime : 07.10.2007 г. 16:06:24

    BasePriority : Normal

    FileVersion : 7, 5, 1, 22

    ProductVersion : 7, 5, 1, 22

    ProductName : AVG Anti-Spyware

    CompanyName : GRISOFT s.r.o.

    FileDescription : AVG Anti-Spyware guard

    InternalName : AVG Anti-Spyware guard

    LegalCopyright : Copyright © 2007 GRISOFT s.r.o.

    OriginalFilename : guard.exe

     

    #:14 [nod32krn.exe]

    FilePath : C:\Program Files\Eset\

    ProcessID : 1500

    ThreadCreationTime : 07.10.2007 г. 16:06:25

    BasePriority : Normal

    FileVersion : 2, 70, 32

    ProductVersion : 2, 70, 32

    ProductName : NOD32 Antivirus System

    CompanyName : Eset

    FileDescription : NOD32 Kernel Service

    InternalName : NOD32 Kernel

    LegalCopyright : Copyright © 1992-2005 Eset

    LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset

    OriginalFilename : nod32krn.exe

     

    #:15 [nvsvc32.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1536

    ThreadCreationTime : 07.10.2007 г. 16:06:25

    BasePriority : Normal

    FileVersion : 6.14.10.9148

    ProductVersion : 6.14.10.9148

    ProductName : NVIDIA Driver Helper Service, Version 91.48

    CompanyName : NVIDIA Corporation

    FileDescription : NVIDIA Driver Helper Service, Version 91.48

    InternalName : NVSVC

    LegalCopyright : © NVIDIA Corporation. All rights reserved.

    OriginalFilename : nvsvc32.exe

     

    #:16 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1584

    ThreadCreationTime : 07.10.2007 г. 16:06:26

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:17 [nod32kui.exe]

    FilePath : C:\Program Files\Eset\

    ProcessID : 1684

    ThreadCreationTime : 07.10.2007 г. 16:06:27

    BasePriority : Normal

    FileVersion : 2, 70, 32

    ProductVersion : 2, 70, 32

    ProductName : NOD32 Antivirus System

    CompanyName : Eset

    FileDescription : NOD32 Control Center GUI

    InternalName : NOD32 Control Center GUI

    LegalCopyright : Copyright © 1992-2005 Eset

    LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset

    OriginalFilename : nod32kui.exe

     

    #:18 [ad-watch.exe]

    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\

    ProcessID : 1712

    ThreadCreationTime : 07.10.2007 г. 16:06:28

    BasePriority : High

    FileVersion : 3.1.2.17

    ProductVersion : 3.2

    ProductName : Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Watch System Protector

    InternalName : Ad-Watch.exe

    LegalCopyright : 1999-2004 Team Lavasoft

    OriginalFilename : Ad-Watch.exe

     

    #:19 [ftype2k.exe]

    FilePath : C:\Program Files\Datecs\FlexType 2K\

    ProcessID : 1812

    ThreadCreationTime : 07.10.2007 г. 16:06:30

    BasePriority : Normal

     

     

    #:20 [alg.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 688

    ThreadCreationTime : 07.10.2007 г. 16:06:42

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Application Layer Gateway Service

    InternalName : ALG.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : ALG.exe

     

    #:21 [opera.exe]

    FilePath : C:\Program Files\Opera\

    ProcessID : 1688

    ThreadCreationTime : 07.10.2007 г. 16:07:15

    BasePriority : Normal

    FileVersion : 8643

    ProductVersion : 9.10

    ProductName : Opera Internet Browser

    CompanyName : Opera Software

    FileDescription : Opera Internet Browser

    InternalName : Opera

    LegalCopyright : Copyright © Opera Software 1995-2006

    OriginalFilename : Opera.exe

     

    #:22 [diction.exe]

    FilePath : C:\Program Files\SADictionary\

    ProcessID : 3712

    ThreadCreationTime : 07.10.2007 г. 16:13:54

    BasePriority : Normal

    FileVersion : 6.2.0.0

    ProductVersion : 6.2.0.0

    ProductName : SA Dictionary 2005 T2

    CompanyName : Stefan Angelov

    FileDescription : SA Dictionary Application File

    LegalCopyright : 2005

    OriginalFilename : Diction.exe

     

    #:23 [notepad.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 2144

    ThreadCreationTime : 07.10.2007 г. 17:07:02

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Notepad

    InternalName : Notepad

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : NOTEPAD.EXE

     

    #:24 [ad-aware.exe]

    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\

    ProcessID : 2188

    ThreadCreationTime : 07.10.2007 г. 17:08:41

    BasePriority : Normal

    FileVersion : 6.2.0.238

    ProductVersion : SE 106

    ProductName : Lavasoft Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Aware SE Core application

    InternalName : Ad-Aware.exe

    LegalCopyright : Copyright © Lavasoft AB Sweden

    OriginalFilename : Ad-Aware.exe

    Comments : All Rights Reserved

     

    Memory scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 0

     

     

    Started registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Registry Scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 0

     

     

    Started deep registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Deep registry scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 0

     

    Win32.Trojandownloader.Zlob Object Recognized!

    Type : RegValue

    Data :

    TAC Rating : 10

    Category : Malware

    Comment :

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\internet explorer\toolbar\Webbrowser

    Value : {f06e2abe-3a50-4079-be25-fc100d9eaa25}

     

     

    Started Tracking Cookie scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Tracking cookie scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

    Deep scanning and examining files...

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\WINDOWS

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

    Disk Scan Result for C:\WINDOWS\system32

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

    Disk Scan Result for C:\DOCUME~1\RUSSE\LOCALS~1\Temp\

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 1

    Scanning Hosts file......

    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    1 entries scanned.

    New critical objects:0

    Objects found so far: 1

    MRU List Object Recognized!

    Location: : C:\Documents and Settings\RUSSE\recent

    Description : list of recently opened documents

    MRU List Object Recognized!

    Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs

    Description : list of recent documents opened

    Performing conditional scans...

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

    20:09:40 Scan Complete

    Summary Of This Scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Total scanning time:00:00:49.391

    Objects scanned:102641

    Objects identified:1

    Objects ignored:0

    New critical objects:1

    0
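The Ad-Aware log posted above is worth reading as a whole rather than from its summary alone: every per-section line reports 0 new critical objects, the two "MRU List Object Recognized!" blocks are what the "Objects found so far" counter grows on, and the final summary nevertheless reports 1 new critical object. The parser below is an added example (it is not part of the thread and not an Ad-Aware tool) that turns such a log into structured data and flags exactly that disagreement. It tolerates the log's inconsistent spacing ("New critical objects:0" next to "New critical objects: 0") and the doubled colon in "Location: :". The sample log is a constructed, trimmed copy of the posted one.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed version of the Ad-Aware log posted above,
# in the same layout (section header, »»» rule, counters, object blocks).
SAMPLE_LOG = r"""
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

MRU List Object Recognized!
Location: : C:\Documents and Settings\RUSSE\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-583907252-1757981266-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

20:09:40 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:00:49.391
Objects scanned:102641
Objects identified:1
Objects ignored:0
New critical objects:1
"""

# Counters appear both per section and in the summary; the separator is ":"
# with or without a following space, so the regex allows optional whitespace.
COUNT_RE = re.compile(
    r"^(New critical objects|Objects found so far|Objects scanned|"
    r"Objects identified|Objects ignored)\s*:\s*(\d+)$",
    re.IGNORECASE,
)
OBJECT_RE = re.compile(r"^(.+?) Recognized!$")
LOCATION_RE = re.compile(r"^Location\s*:\s*:?\s*(.*)$")   # tolerates "Location: :"
DESC_RE = re.compile(r"^Description\s*:\s*(.*)$")
TIME_RE = re.compile(r"^Total scanning time\s*:\s*(\S+)$")


def parse_scan_log(text: str) -> Dict:
    """Split the log into per-section counters, recognized objects and the summary."""
    result: Dict = {"sections": [], "objects": [], "summary": {}}
    section = None
    obj = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"»"}:          # blank lines and the »»» rules
            continue
        if line.lower().startswith("summary of this scan"):
            in_summary, section = True, None
            continue
        m = OBJECT_RE.match(line)
        if m:
            obj = {"kind": m.group(1), "location": "", "description": ""}
            result["objects"].append(obj)
            continue
        m = LOCATION_RE.match(line)
        if m and obj is not None:
            obj["location"] = m.group(1)
            continue
        m = DESC_RE.match(line)
        if m and obj is not None:
            obj["description"] = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_")
            target = result["summary"] if in_summary else section
            if target is not None:
                target[key] = int(m.group(2))
            continue
        m = TIME_RE.match(line)
        if m and in_summary:
            result["summary"]["total_scanning_time"] = m.group(1)
            continue
        low = line.lower()
        if low.endswith("result:") or "result for " in low:
            section = {"name": line.rstrip(":")}
            result["sections"].append(section)
            obj = None
    return result


def sections_with_new_critical(parsed: Dict) -> List[str]:
    """Names of the sections whose own counter reports new critical objects."""
    return [s["name"] for s in parsed["sections"] if s.get("new_critical_objects", 0) > 0]


def summary_disagrees_with_sections(parsed: Dict) -> bool:
    """True when the summary claims more new critical objects than the sections add up to."""
    per_section = sum(s.get("new_critical_objects", 0) for s in parsed["sections"])
    return parsed["summary"].get("new_critical_objects", 0) > per_section


if __name__ == "__main__":
    p = parse_scan_log(SAMPLE_LOG)
    print("summary:", p["summary"])
    print("objects:", [(o["kind"], o["location"]) for o in p["objects"]])
    print("summary disagrees with sections:", summary_disagrees_with_sections(p))
```

Run on the sample, the two recognized objects are both MRU (recently-used document) lists, which is privacy residue rather than malware, and the summary/section disagreement is reported as True, which is the cue to scan the whole log for what the summary line alone does not explain.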
  • Customer

    Hi

    Let's use the exe version of Smitfraudfix.

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!

    0
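The recurring problem in this thread is that process.exe is gone by the time SmitfraudFix is launched, and nobody can tell whether the archive was incomplete or an on-access scanner quarantined the file after extraction. The script below is an added example, not code from the thread or from SmitfraudFix's author: it extracts an archive, then compares the archive's own member list and hashes against what is actually on disk, so a missing or altered member is named explicitly and can be looked for in the antivirus quarantine. The archive it works on is constructed in memory with placeholder contents; the member names (a .cmd launcher, process.exe, a readme) are assumptions modelled on the thread, and the deletion of process.exe is simulated to stand in for a quarantine.

```python
import hashlib
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file on disk in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_hashes(zip_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of every file member as stored in the archive. Compare these with
    a checksum published by the tool's author (none is quoted on this page)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def verify_extracted(zip_bytes: bytes, dest: str) -> Dict[str, List[str]]:
    """Re-check an extraction against the archive it came from.

    'missing'  : listed in the archive but no longer on disk (typical of an
                 on-access scanner quarantining a file right after extraction)
    'modified' : present but its hash differs from the archived copy
    'present'  : intact
    """
    report: Dict[str, List[str]] = {"present": [], "missing": [], "modified": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            expected = hashlib.sha256(zf.read(info)).hexdigest()
            path = os.path.join(dest, *info.filename.split("/"))
            if not os.path.isfile(path):
                report["missing"].append(info.filename)
            elif sha256_file(path) != expected:
                report["modified"].append(info.filename)
            else:
                report["present"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed stand-in for the SmitfraudFix zip: member names mirror the
    thread, contents are dummy text, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SmitfraudFix/smitfraudfix.cmd", "@echo off\r\necho placeholder launcher\r\n")
        zf.writestr("SmitfraudFix/process.exe", b"placeholder-not-a-real-binary")
        zf.writestr("SmitfraudFix/readme.txt", "constructed sample\r\n")
    return buf.getvalue()


def run_demo(simulate_quarantine: bool = True) -> Dict[str, List[str]]:
    """Extract the sample archive into a temp dir, optionally remove process.exe
    the way a quarantine would, then verify."""
    zip_bytes = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            # zipfile strips absolute and ".." member paths on extraction, so
            # a hostile archive cannot write outside dest.
            zf.extractall(dest)
        if simulate_quarantine:
            os.remove(os.path.join(dest, "SmitfraudFix", "process.exe"))
        return verify_extracted(zip_bytes, dest)


if __name__ == "__main__":
    for name, digest in archive_hashes(build_sample_archive()).items():
        print(f"{digest}  {name}")
    print(run_demo())
```

For a real archive, run the verification a second time a few seconds after extraction, and again just before launching the tool: a file that is present immediately after extraction but gone on the later pass points at an on-access scanner, which is where the thread's "process.exe is missing" symptom would show up.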
  • Customer

    Hi,

    There is something dark around this program and process.exe. I did all your instructions, but nothing works. For information, I turned off NOD32 and Ad-Aware SE.

    Maybe it is time to end our attempt and stop wasting your time.

    I am sorry.

    Thank You!!!

    Nato

    0
  • Customer

    One possible method left.

    Right-click HERE and choose the "Save As" (or "Save Link As" or "Save Target As") option and save the file. Save the file with its default filename, that is, smitfraud.reg, at any convenient location.

    Double-click on the Smitfraud.REG file and allow it to merge into the Registry by choosing the "Yes" option.

    Reboot the system and let me know if that helped.

    0
  • Customer

    Hi,

    NOD32 is version 2.7 (latest) and my network company updates it twice per day, including the database.

    Nato

    0
  • Customer

    Have you updated Nod lately? A friend told me that Nod shouldn't delete the process.exe file anymore if the version is new enough.

    0
  • Customer

    Hi,

    Smitfraud.reg was successfully added to the Registry. No difference.

    Here is what happened in the last day. Smitfraud.exe cannot be downloaded from this location (your Post #25). I see the icon on the Desktop, and when the download process reaches 100% the icon mysteriously vanishes! After this I tried with the old Smitfraud.exe download (01.10.2007, or your first Post). Then process.exe is missing in the folder (do you remember?). I tried to add the missing file process.exe to the unzipped Smitfraud.exe folder. From your location (Post #25) I downloaded Process.zip. But after unzipping the folder was empty!??? My attempts in the root (C:) to move and run the program don't work.

    NOD32 and Ad-Aware were turned off the whole time.

    Tell me, do you understand my bad English, or do I only write like a redskin?

    Nato

    0
  • Customer

    Hi

    I do understand what you're saying. The thing I don't understand is what deletes the process.exe file. I still suspect that Nod does it. The only problem is that I don't know the product well. Anyway, there should be some IMON function that can be disabled. Could you try disabling it and then try downloading that Smitfraudfix.exe file again? There's got to be some solution.

    0