idd****.tmp.exe



bodya
2007-01-11, 15:03
It runs itself and asks to connect to some server. I close it or kill the process in Task Manager. It runs again. What should I do?


Logfile of HijackThis v1.99.1
Scan saved at 16:02:26, on 11.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\program files\Alias\Maya6.0\docs\Wrapper.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\program files\Alias\Maya7.0\docs\wrapper.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\Program Files\Eset\nod32krn.exe
D:\program files\Alias\Maya6.0\docs\jre\bin\java.exe
D:\program files\Alias\Maya7.0\docs\jre\bin\java.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\DRIVERS\WtSrv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
D:\WINDOWS\system32\WService.EXE
D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Eset\nod32kui.exe
D:\program files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\vsnpstd.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\program files\Winamp\winamp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\program files\MYIE2\MyIE.exe
D:\program files\Far\Far.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Eset\nod32.exe
D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe
D:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
D:\WINDOWS\TEMP\win166B.tmp.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 82.146.33.83 beta.atis-labs.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [Lingvo Launcher] "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [LingvoTraining] "D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe" /ND /NW /AS
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IpWins] D:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = D:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Translate with Lingvo - res://D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - D:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - D:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123081972312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123081936234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winmmt32 - D:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\program files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\program files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\program files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\program files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - D:\WINDOWS\system32\DRIVERS\WtSrv.exe

little eagle
2007-01-14, 21:27
Close all Browser and Program Windows and have HijackThis fix the following.
Do this by checking the box beside each and then clicking on Fix checked.

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IpWins] D:\Program Files\ipwins\ipwins.exe
O15 - Trusted Zone: *.stumbleupon.com

Reboot in safe mode; instructions here (http://forums.security-central.us/showthread.php?t=1903).
Some of these files may have hidden attributes.
Click here (http://forums.security-central.us/showthread.php?t=30) should you need instructions for showing hidden files and folders in Windows.
Once in safe mode, click Start, then My Computer, then Local Disk, and follow the process tree.
Or, using Windows Explorer, locate the first file, right-click it, then select Delete.

Delete the following file(s) listed in bold.

D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll

Delete the following folder(s) listed in bold.

D:\Program Files\ipwins

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

Rescan with HJT and post a new log here.
Also please describe how your computer behaves at the moment.
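The entries little eagle picks out above (an orphaned BHO/toolbar marked "(file missing)", an unfamiliar Run key, a Trusted Zone addition) are the usual triage signals in a HijackThis log. As an added illustration that is not part of this thread or of HijackThis itself, the script below applies those signals mechanically to HJT-style lines: processes or autoruns launched from a temp or GUID-named folder, orphaned O2/O3 registrations, O15 Trusted Zone entries, O20 Winlogon Notify packages outside a small allow-list, and O23 service binaries whose name is one character away from a core system binary. The sample lines are copied from the logs posted in this thread; the KNOWN_NOTIFY allow-list and the SYSTEM_EXES set are assumptions of the example, not something the thread states.

```python
"""Heuristic triage of HijackThis (v1.99-style) log lines.

Added example: flags the kinds of entries a helper would tick for "Fix checked".
The sample lines below are copied from the logs posted in this thread; the
KNOWN_NOTIFY and SYSTEM_EXES sets are assumptions of this example.
"""
import re

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\\", re.I)
TEMP_DIR = re.compile(r"\\(?:WINDOWS\\TEMP|LOCALS~1\\Temp|Local Settings\\Temp)\\", re.I)
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.I)
FILE_MISSING = "(file missing)"

# Assumed allow-list of legitimate Winlogon Notify packages; anything else gets reviewed.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent"}
# Core binaries that malware imitates with one-character changes (svchosts.exe, lsasss.exe).
SYSTEM_EXES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}


def one_edit_away(a: str, b: str) -> bool:
    """True if exactly one insert, delete or substitution turns a into b."""
    a, b = a.lower(), b.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):          # extra character in a: skip it
            i += 1
        elif len(a) < len(b):        # missing character in a: skip b's
            j += 1
        else:                        # substitution
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def lookalike(exe: str):
    """Return the system binary that `exe` imitates, or None."""
    for real in SYSTEM_EXES:
        if one_edit_away(exe, real):
            return real
    return None


def triage_line(line: str) -> list:
    """Reasons one HJT log line deserves a look; empty list if nothing stands out."""
    line = line.strip()
    reasons = []
    m = HJT_LINE.match(line)
    if not m:                                    # "Running processes:" section: bare paths
        if re.match(r"^[A-Z]:\\", line, re.I):
            if TEMP_DIR.search(line) or GUID_DIR.search(line):
                reasons.append("process running from a temp or GUID-named folder")
            real = lookalike(line.rsplit("\\", 1)[-1])
            if real:
                reasons.append(f"process name imitates {real}")
        return reasons
    section, rest = m.groups()
    if section == "O1":
        reasons.append("Hosts file override (check the IP against the real host)")
    elif section in ("O2", "O3") and FILE_MISSING in rest:
        reasons.append(f"{section} orphaned BHO/toolbar registration")
    elif section == "O4" and (TEMP_DIR.search(rest) or GUID_DIR.search(rest)):
        reasons.append("O4 autorun from a temp or GUID-named folder")
    elif section == "O15":
        reasons.append("O15 Trusted Zone addition")
    elif section == "O20":
        pkg = rest.split(":", 1)[1].split(" - ")[0].strip().lower()
        if pkg not in KNOWN_NOTIFY:
            reasons.append(f"O20 Winlogon Notify package '{pkg}' not in allow-list")
    elif section == "O23":
        exes = EXE_NAME.findall(rest)
        real = lookalike(exes[-1]) if exes else None
        if real:
            reasons.append(f"O23 service binary imitates {real}")
    return reasons


def triage_log(text: str) -> dict:
    """Map each flagged line to its reasons."""
    return {ln.strip(): r for ln in text.splitlines() if (r := triage_line(ln))}


# Sample lines copied from the logs posted in this thread (not a complete log).
SAMPLE_LOG = r"""
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\TEMP\win166B.tmp.exe
D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe
O1 - Hosts: 82.146.33.83 beta.atis-labs.com
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [{7C4E4D9A-07B1-1049-1017-03033005017c}] "D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe" mc-110-12-0000272
O15 - Trusted Zone: *.stumbleupon.com
O20 - Winlogon Notify: winmmt32 - D:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: COM+ Messages - Unknown owner - D:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for ln, why in triage_log(SAMPLE_LOG).items():
        print(ln[:72], "->", "; ".join(why))
```

Two caveats the heuristics do not cover. First, "(file missing)" on an O23 line is not by itself a verdict: HijackThis 1.99.1 mis-parses service paths that contain quotes or spaces, which is why the Maya documentation servers and MySQL (shown as "D:\Program.exe") appear that way in the logs above although they are legitimate; the script therefore only flags O23 entries whose binary name imitates a system binary. Second, an entry like the [IpWins] Run key is only caught by knowing the name, so a script like this narrows the list for a human reviewer rather than replacing one.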

bodya
2007-01-15, 10:37
Well, I've done everything according to your instructions but one thing.
I didn't find "D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll"; there was only "uninstall.exe". Should I delete that file anyway?

Unfortunately the iddB5.tmp.exe process appeared again :(
I also noticed that it had created an internet connection called "i-Dialer". Please take a look at the two screenshots attached.

Concerning the behaviour of the PC: I can't say that there is something special. Just these icons with red crossing arrows appear in the tray. Sometimes 5 of them or even more :( I am not sure, but it looks like the PC begins to work a bit slower when


Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:05:38, on 15.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\program files\Alias\Maya6.0\docs\Wrapper.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\program files\Alias\Maya6.0\docs\jre\bin\java.exe
D:\program files\Alias\Maya7.0\docs\wrapper.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\program files\Alias\Maya7.0\docs\jre\bin\java.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\DRIVERS\WtSrv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\WINDOWS\system32\WService.EXE
D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\program files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\vsnpstd.exe
D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\program files\Mozilla Firefox\firefox.exe
D:\program files\Adobe\Adobe Photoshop CS2\Photoshop.exe
D:\DOCUME~1\Bodya\LOCALS~1\Temp\Adobelm_Cleanup.0001
D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
D:\DOCUME~1\Bodya\LOCALS~1\Temp\Adobelm_Cleanup.0001
D:\program files\Far\Far.exe
D:\program files\MYIE2\MyIE.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 82.146.33.83 beta.atis-labs.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [Lingvo Launcher] "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [LingvoTraining] "D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe" /ND /NW /AS
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [{7C4E4D9A-07B1-1049-1017-03033005017c}] "D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{7C4E4D9A-07B0-1049-1017-03033005017c}] "D:\Program Files\Common Files\{7C4E4D9A-07B0-1049-1017-03033005017c}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = D:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Translate with Lingvo - res://D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - D:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - D:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123081972312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123081936234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winmmt32 - D:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\program files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\program files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\program files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\program files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - D:\WINDOWS\system32\DRIVERS\WtSrv.exe




What should I do next?
Is there any hope of fixing it without reinstalling Windows? :(

little eagle
2007-01-15, 13:35
Run this online scan (http://www.pandasoftware.com/products/ActiveScan.htm) and post the results here.

bodya
2007-01-15, 19:26
Incident Status Location

Dialer:Dialer.ISM Not disinfected D:\WINDOWS\TEMP\idd9A1.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\TEMP\win410.tmp.exe
Adware:Adware/PurityScan Not disinfected D:\WINDOWS\system32\winmmt32.dll
Virus:trj/ldpinch.im Disinfected Operating system
Adware:adware/savenow Not disinfected d:\program files\Save
Potentially unwanted tool:Application/ToolWget Not disinfected C:\backup\disk d\Downloads\BODYA\wgetwin-1_5_3_1-binary.zip[wget.exe]
Spyware:Spyware/SafeSurf Not disinfected C:\Downloads\old\nsis20.exe[NSISUpdate.exe][?UC\ExtractDLL.dll]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe][ist1.exe]
Adware:Adware/Cashbar Not disinfected C:\tmp\files\Impcfw.dll
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/HotLog Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adtech Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.adtech.de/]
Spyware:Cookie/bravenetA Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.overture.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Toplist Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[server.iad.liveperson.net/hc/17714267]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[server.iad.liveperson.net/hc/76162232]

bodya
2007-01-15, 19:26
Virus:W32/Spamta.GF.worm Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Update-KB6907-x86.zip][Update-KB6907-x86.exe]
Virus:Trj/Cimuz.BE Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Telekom.pdf.exe]
Virus:Trj/SpamtaLoad.Y Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Update-KB3140-x86.zip][Update-KB3140-x86.exe]
Virus:Trj/SpamtaLoad.Y Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[docs.log.exe]
Virus:Trj/Clagge.F Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[rechnung_02724.exe]
Virus:Trj/SpamtaLoad.BP Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Update-KB5734-x86.zip][Update-KB5734-x86.exe]
Virus:Trj/SpamtaLoad.BP Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[doc.msg.cmd]
Virus:Trj/Cimuz.BZ Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Rakningen.exe]
Virus:Trj/Spamtaload.CO Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[postcard.zip][postcard.exe]
Virus:W32/Nuwar.B.worm Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[postcard.exe]
Virus:Trj/Gagar.CC Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[postcard.exe]
Virus:Trj/Gagar.CC Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Postcard.exe]
Virus:Trj/Gagar.CC Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[greeting postcard.exe]
Virus:W32/Bagle.GS.worm!CME-328 Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\people.sbd\Olya Movtchan[price.zip][snvvjvm.exe]
Hacktool:Exploit/iFrame Not disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\rassilky.sbd\swrus[~0001219.~]
Spyware:Cookie/HotLog Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@hotlog[1].txt
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@yadro[1].txt
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\8XYN49YF\srvftb[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\8XYN49YF\srvsux[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\FRPRAU1M\srveuv[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\FRPRAU1M\srvjyr[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\ILPBMTNM\srvihl[1].exe
Adware:Adware/Mytoolbar Not disinfected D:\program files\Common Files\{3C4E4D9A-07B0-1049-1017-03033005017c}\UnInstall.exe
Virus:Trj/Kameruks.B Disinfected D:\program files\KOCHKAru\bin\kochka.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd1473.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd159.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd1C85.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd2F52.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd37B1.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd389F.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd3929.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd3C0A.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd413.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd45C.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd51C.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd5AB.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd5C0.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd5D2.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd6B8.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd6E6.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd71B.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd762.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd772.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd7AC.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd806.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd819.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd85B.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\iddB5.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win157.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win45A.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win51A.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\winB3.tmp.exe
Virus:W32/Bagle.GS.worm!CME-328 Disinfected Local Folders\people\Olya Movtchan\price\price.zip[snvvjvm.exe]

little eagle
2007-01-15, 21:24
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

Also run CleanUp! (http://www.stevengould.org/software/cleanup/)


Download and install AVG Anti-Spyware (ewido). Then scan and post the report here.
Instructions and download link can be found here (http://forums.security-central.us/showthread.php?t=3165).

Then run the online scan and post the logs from AVG and Panda also.

bodya
2007-01-16, 15:12
Here is the Panda report:


Incident Status Location

Adware:adware/savenow Not disinfected d:\program files\Save
Adware:Adware/Cashbar Not disinfected C:\back\files\Impcfw.dll
Potentially unwanted tool:Application/ToolWget Not disinfected C:\backup\disk d\Downloads\BODYA\wgetwin-1_5_3_1-binary.zip[wget.exe]
Spyware:Spyware/SafeSurf Not disinfected C:\Downloads\old\nsis20.exe[NSISUpdate.exe][?UC\ExtractDLL.dll]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe][ist1.exe]
Hacktool:Exploit/iFrame Not disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\rassilky.sbd\swrus[~0001219.~]
Spyware:Cookie/Azjmp Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@azjmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@tribalfusion[1].txt
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@yadro[2].txt
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win4E4.tmp.exe

bodya
2007-01-16, 15:13
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:28:43 16.01.2007

+ Scan result:



C:\back\files\Impcfw.dll -> Adware.CashFiesta : No action taken.
C:\backup\disk d\Downloads\__last\game\LinesMillenium.exe/CD_Load.exe -> Adware.Cydoor : No action taken.
[1584] D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
C:\software\Flashget_1.60_final_by_tsrh.zip/crack.exe/ist1.exe -> Downloader.IstBar.is : No action taken.
C:\backup\disk d\Downloads\__last\cracks\LightAlloy_v2.4.zip/lav24cm.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\backup\disk d\soft\16.11 WinRar.rar/wrar30_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\software\16.11 WinRar.rar/wrar30_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.


::Report end

little eagle
2007-01-16, 15:19
Can you run it again and delete them?

bodya
2007-01-16, 15:21
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:11:49 16.01.2007

+ Scan result:



D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292148.dll -> Adware.Maxifiles : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292149.exe -> Adware.Maxifiles : No action taken.
D:\program files\Save -> Adware.SaveNow : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B0-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B0-1049-1017-03033005017c}\system.dll -> Adware.Softomate : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\system.dll -> Adware.Softomate : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292188.exe -> Downloader.Agent.bca : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292195.exe -> Downloader.Small : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292584.dll -> Trojan.Agent.vg : No action taken.
D:\WINDOWS\system32\__delete_on_reboot__w_i_n_m_m_t_3_2_._d_l_l_ -> Trojan.Agent.vg : No action taken.


::Report end

little eagle
2007-01-17, 01:15
Reboot in safe mode and delete
D:\WINDOWS\system32\__delete_on_reboot__w_i_n_m_m_t_3_2_._d_l_l_

Run AVG Anti-Spyware in safe mode, deleting everything it finds.

tashi
2007-01-25, 16:30
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thank you little eagle. :)