idd****.tmp.exe

bodya

It runs itself and asks to connect to some server. I close it or kill the process in Task Manager. It runs again. What should I do?


Logfile of HijackThis v1.99.1
Scan saved at 16:02:26, on 11.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\program files\Alias\Maya6.0\docs\Wrapper.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\program files\Alias\Maya7.0\docs\wrapper.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\Program Files\Eset\nod32krn.exe
D:\program files\Alias\Maya6.0\docs\jre\bin\java.exe
D:\program files\Alias\Maya7.0\docs\jre\bin\java.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\DRIVERS\WtSrv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
D:\WINDOWS\system32\WService.EXE
D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Eset\nod32kui.exe
D:\program files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\vsnpstd.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\program files\Winamp\winamp.exe
D:\WINDOWS\system32\wuauclt.exe
D:\program files\MYIE2\MyIE.exe
D:\program files\Far\Far.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Eset\nod32.exe
D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe
D:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
D:\WINDOWS\TEMP\win166B.tmp.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 82.146.33.83 beta.atis-labs.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [Lingvo Launcher] "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [LingvoTraining] "D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe" /ND /NW /AS
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IpWins] D:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = D:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Translate with Lingvo - res://D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - D:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - D:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123081972312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123081936234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winmmt32 - D:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\program files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\program files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\program files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\program files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - D:\WINDOWS\system32\DRIVERS\WtSrv.exe
 
Close all Browser and Program Windows and have HijackThis fix the following.
Do this by checking the box beside each and then clicking on Fix checked.

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IpWins] D:\Program Files\ipwins\ipwins.exe
O15 - Trusted Zone: *.stumbleupon.com


Reboot in safe mode, instructions here.
Some of these files may have hidden attributes.
Click here should you need instructions for showing hidden files and folders in Windows.
Once in safe mode, click Start, then My Computer, then Local Disk, and follow the folder tree.
Or, using Windows Explorer, locate the first file, right-click it and select Delete.

Delete the following file(s) listed in bold.

D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll

Delete the following folder(s) listed in bold.

D:\Program Files\ipwins

Download and run - ATF Cleaner instructions here.

Rescan with HJT and post a new log here.
Also please describe how your computer behaves at the moment.
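The fix list above was built by reading the HJT log by hand. As an added example (not code from this thread or from HijackThis), the Python below applies a few of the same heuristics to a handful of lines copied from the two logs posted here: a hosts override (O1), registrations whose file is missing, autoruns named after or living in a GUID folder (O4), Trusted Zone additions (O15), Winlogon Notify handlers outside the set Windows XP ships with (O20), and service images whose name imitates a system binary such as svchost.exe (O23). The Winlogon Notify allowlist and the list of system image names are assumptions made for the example; entries that were flagged above from name knowledge alone (IpWins, Bar888) are deliberately not caught by these rules.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not code from the thread or from HijackThis. The sample
lines are copied from the two logs posted above. NOTIFY_ALLOWLIST (the
Winlogon Notify subkeys Windows XP ships with) and SYSTEM_IMAGES are
assumptions made for this example, not data from the page.
"""
import difflib
import re

# Constructed sample: lines taken from the HJT logs in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 82.146.33.83 beta.atis-labs.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IpWins] D:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [{7C4E4D9A-07B1-1049-1017-03033005017c}] "D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe" mc-110-12-0000272
O15 - Trusted Zone: *.stumbleupon.com
O20 - Winlogon Notify: winmmt32 - D:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# Assumed: Winlogon Notify subkeys present on a stock Windows XP install.
NOTIFY_ALLOWLIST = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                    "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Assumed: core image names that malware likes to imitate (svchosts.exe, lsasss.exe, ...).
SYSTEM_IMAGES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"]

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{4,}", re.I)     # a folder named like \{3C4E4...
NOTIFY_RE = re.compile(r"Winlogon Notify:\s*(\S+)\s*-")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.I)


def lookalike(image_name):
    """Return the system binary an image name imitates, or None if exact or unrelated."""
    name = image_name.lower()
    if name in SYSTEM_IMAGES:
        return None
    close = difflib.get_close_matches(name, SYSTEM_IMAGES, n=1, cutoff=0.85)
    return close[0] if close else None


def triage_line(line):
    """Return (section, line, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("registration points at a missing file")
    if section == "O1":
        reasons.append("hosts file override")
    elif section == "O4":
        r = RUN_RE.search(body)
        if r:
            if r.group("name").startswith("{"):
                reasons.append("autorun entry named by a GUID")
            if "\\TEMP\\" in r.group("cmd").upper():
                reasons.append("autorun runs from a TEMP directory")
            if GUID_DIR_RE.search(r.group("cmd")):
                reasons.append("autorun runs from a GUID-named folder")
    elif section == "O15":
        reasons.append("site added to the Trusted Zone")
    elif section == "O20":
        n = NOTIFY_RE.search(body)
        if n and n.group(1).lower() not in NOTIFY_ALLOWLIST:
            reasons.append("Winlogon Notify handler not in the XP allowlist")
    elif section == "O23":
        e = EXE_RE.search(body)
        target = lookalike(e.group(1)) if e else None
        if target:
            reasons.append("service image name resembles " + target)
    return (section, line.strip(), reasons) if reasons else None


def triage(log_text):
    """Run triage_line over every line and keep the hits, in log order."""
    hits = [triage_line(ln) for ln in log_text.splitlines()]
    return [h for h in hits if h]


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(section, "|", "; ".join(reasons))
        print("   ", line)
```

Run as a script it prints the six flagged lines with their reasons. The "(file missing)" rule is noisy on its own (the Maya and MySQL services in the log trip it because of unquoted paths), so it is only one reason among several; the GUID-folder and lookalike-name rules are the ones that would have pointed at the Update.exe dropper and the "COM+ Messages" service in the second log without any prior knowledge of the names.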
 
Well, I've done everything according to your instructions except one thing.
I didn't find "D:\PROGRA~1\COMMON~1\{3C4E4~1\Bar888.dll"; there was only "uninstall.exe". Should I delete that file anyway?

Unfortunately the iddB5.tmp.exe process appeared again :(
I also noticed that it had created an internet connection called "i-Dialer". Please take a look at the two screenshots attached.

Concerning the behaviour of the PC: I can't say that there is anything special. Just these icons with red crossed arrows appear in the tray. Sometimes 5 of them or even more :( I am not sure, but it looks like the PC begins to work a bit slower when


Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:05:38, on 15.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\program files\Alias\Maya6.0\docs\Wrapper.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\program files\Alias\Maya6.0\docs\jre\bin\java.exe
D:\program files\Alias\Maya7.0\docs\wrapper.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\program files\Alias\Maya7.0\docs\jre\bin\java.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\DRIVERS\WtSrv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\WINDOWS\system32\WService.EXE
D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\program files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\vsnpstd.exe
D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\program files\Mozilla Firefox\firefox.exe
D:\program files\Adobe\Adobe Photoshop CS2\Photoshop.exe
D:\DOCUME~1\Bodya\LOCALS~1\Temp\Adobelm_Cleanup.0001
D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
D:\DOCUME~1\Bodya\LOCALS~1\Temp\Adobelm_Cleanup.0001
D:\program files\Far\Far.exe
D:\program files\MYIE2\MyIE.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 82.146.33.83 beta.atis-labs.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - D:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [Lingvo Launcher] "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [LingvoTraining] "D:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe" /ND /NW /AS
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [{7C4E4D9A-07B1-1049-1017-03033005017c}] "D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{7C4E4D9A-07B0-1049-1017-03033005017c}] "D:\Program Files\Common Files\{7C4E4D9A-07B0-1049-1017-03033005017c}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = D:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Translate with Lingvo - res://D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - D:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - D:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123081972312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123081936234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winmmt32 - D:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\program files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\program files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\program files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\program files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - D:\WINDOWS\system32\DRIVERS\WtSrv.exe




What should I do next?
Is there any hope of fixing it without reinstalling Windows? :(
 
Incident Status Location

Dialer:Dialer.ISM Not disinfected D:\WINDOWS\TEMP\idd9A1.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\TEMP\win410.tmp.exe
Adware:Adware/PurityScan Not disinfected D:\WINDOWS\system32\winmmt32.dll
Virus:trj/ldpinch.im Disinfected Operating system
Adware:adware/savenow Not disinfected d:\program files\Save
Potentially unwanted tool:Application/ToolWget Not disinfected C:\backup\disk d\Downloads\BODYA\wgetwin-1_5_3_1-binary.zip[wget.exe]
Spyware:Spyware/SafeSurf Not disinfected C:\Downloads\old\nsis20.exe[NSISUpdate.exe][?UC\ExtractDLL.dll]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe][ist1.exe]
Adware:Adware/Cashbar Not disinfected C:\tmp\files\Impcfw.dll
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/HotLog Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adtech Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.adtech.de/]
Spyware:Cookie/bravenetA Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.overture.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Toplist Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[server.iad.liveperson.net/hc/17714267]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[server.iad.liveperson.net/hc/76162232]
 
Virus:W32/Spamta.GF.worm Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Update-KB6907-x86.zip][Update-KB6907-x86.exe]
Virus:Trj/Cimuz.BE Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Telekom.pdf.exe]
Virus:Trj/SpamtaLoad.Y Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Update-KB3140-x86.zip][Update-KB3140-x86.exe]
Virus:Trj/SpamtaLoad.Y Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[docs.log.exe]
Virus:Trj/Clagge.F Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[rechnung_02724.exe]
Virus:Trj/SpamtaLoad.BP Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Update-KB5734-x86.zip][Update-KB5734-x86.exe]
Virus:Trj/SpamtaLoad.BP Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[doc.msg.cmd]
Virus:Trj/Cimuz.BZ Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Rakningen.exe]
Virus:Trj/Spamtaload.CO Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[postcard.zip][postcard.exe]
Virus:W32/Nuwar.B.worm Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[postcard.exe]
Virus:Trj/Gagar.CC Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[postcard.exe]
Virus:Trj/Gagar.CC Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Postcard.exe]
Virus:Trj/Gagar.CC Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[greeting postcard.exe]
Virus:W32/Bagle.GS.worm!CME-328 Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\people.sbd\Olya Movtchan[price.zip][snvvjvm.exe]
Hacktool:Exploit/iFrame Not disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\rassilky.sbd\swrus[~0001219.~]
Spyware:Cookie/HotLog Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@hotlog[1].txt
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@yadro[1].txt
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\8XYN49YF\srvftb[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\8XYN49YF\srvsux[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\FRPRAU1M\srveuv[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\FRPRAU1M\srvjyr[1].exe
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\ILPBMTNM\srvihl[1].exe
Adware:Adware/Mytoolbar Not disinfected D:\program files\Common Files\{3C4E4D9A-07B0-1049-1017-03033005017c}\UnInstall.exe
Virus:Trj/Kameruks.B Disinfected D:\program files\KOCHKAru\bin\kochka.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd1473.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd159.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd1C85.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd2F52.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd37B1.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd389F.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd3929.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd3C0A.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd413.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd45C.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd51C.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd5AB.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd5C0.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd5D2.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd6B8.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd6E6.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd71B.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd762.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd772.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd7AC.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd806.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd819.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd85B.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\iddB5.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win157.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win45A.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win51A.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\winB3.tmp.exe
Virus:W32/Bagle.GS.worm!CME-328 Disinfected Local Folders\people\Olya Movtchan\price\price.zip[snvvjvm.exe]
 
Download and run - ATF Cleaner instructions here.

Also run CleanUp!


Download and install AVG Anti-Spyware (ewido). Then scan and post the report here.
Instructions and download link can be found here.

Then run the online scan and post the logs from AVG and Panda also.
 
Here is the Panda report:


Incident Status Location

Adware:adware/savenow Not disinfected d:\program files\Save
Adware:Adware/Cashbar Not disinfected C:\back\files\Impcfw.dll
Potentially unwanted tool:Application/ToolWget Not disinfected C:\backup\disk d\Downloads\BODYA\wgetwin-1_5_3_1-binary.zip[wget.exe]
Spyware:Spyware/SafeSurf Not disinfected C:\Downloads\old\nsis20.exe[NSISUpdate.exe][?UC\ExtractDLL.dll]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\software\Flashget_1.60_final_by_tsrh.zip[crack.exe][ist1.exe]
Hacktool:Exploit/iFrame Not disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\rassilky.sbd\swrus[~0001219.~]
Spyware:Cookie/Azjmp Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@azjmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@tribalfusion[1].txt
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Cookies\bodya@yadro[2].txt
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\Temp\win4E4.tmp.exe
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:28:43 16.01.2007

+ Scan result:



C:\back\files\Impcfw.dll -> Adware.CashFiesta : No action taken.
C:\backup\disk d\Downloads\__last\game\LinesMillenium.exe/CD_Load.exe -> Adware.Cydoor : No action taken.
[1584] D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
C:\software\Flashget_1.60_final_by_tsrh.zip/crack.exe/ist1.exe -> Downloader.IstBar.is : No action taken.
C:\backup\disk d\Downloads\__last\cracks\LightAlloy_v2.4.zip/lav24cm.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\backup\disk d\soft\16.11 WinRar.rar/wrar30_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\software\16.11 WinRar.rar/wrar30_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.


::Report end
 
Can you run it again and delete them?
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:11:49 16.01.2007

+ Scan result:



D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292148.dll -> Adware.Maxifiles : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292149.exe -> Adware.Maxifiles : No action taken.
D:\program files\Save -> Adware.SaveNow : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B0-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B0-1049-1017-03033005017c}\system.dll -> Adware.Softomate : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
D:\program files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\system.dll -> Adware.Softomate : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292188.exe -> Downloader.Agent.bca : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292195.exe -> Downloader.Small : No action taken.
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292584.dll -> Trojan.Agent.vg : No action taken.
D:\WINDOWS\system32\__delete_on_reboot__w_i_n_m_m_t_3_2_._d_l_l_ -> Trojan.Agent.vg : No action taken.


::Report end
 
Reboot in safe mode and delete
D:\WINDOWS\system32\__delete_on_reboot__w_i_n_m_m_t_3_2_._d_l_l_

Run avg anti-spyware in safe mode deleting everything it finds.
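The scan reports in this thread mix findings that mean very different things: the idd*.tmp.exe and win*.tmp.exe dialers in D:\WINDOWS\Temp are re-created by something else and can be deleted all day without effect; hits inside System Volume Information stay until System Restore is purged; members of zip archives and mail folders are inert until extracted; cookies are noise. As an added example (not code from the thread, Panda or AVG), the Python below parses both report formats seen above, buckets each finding by where it lives, counts the generated temp-file names, and lists the installed executables, which are the files to remove before the temp drops stop. The sample lines are copied from the reports above; the location classes and name patterns are this example's own heuristics.

```python
"""Triage of antivirus scan reports in the two formats posted in this thread.

Added example; not code from the thread's participants, Panda or AVG.
The sample lines are copied from the reports above. The split into
location classes and the generated-name patterns are this example's own
heuristics, not anything the scanners report.
"""
import re
from collections import Counter

# Panda:  Category:Name <Not disinfected|Disinfected> <Location>
PANDA_RE = re.compile(
    r"^(?P<cat>[^:]+):(?P<name>\S+)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<loc>.+)$")
# AVG:    [pid] <Location> -> <Name> : <Action>
AVG_RE = re.compile(r"^(?:\[\d+\]\s+)?(?P<loc>.+?) -> (?P<name>\S+) : (?P<action>.+)$")

# Generated file names seen in the reports; hex digits / random letters become '*'.
GENERATED = [
    (re.compile(r"^(idd|win)[0-9a-f]{1,4}\.tmp\.exe$", re.I), r"\1*.tmp.exe"),
    (re.compile(r"^srv[a-z]{3}\[\d+\]\.exe$", re.I), "srv***[n].exe"),
]

# Constructed sample: Panda and AVG lines taken from the reports in this thread.
SAMPLE_REPORT = r"""
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\TEMP\idd9A1.tmp.exe
Dialer:Dialer.ISL Not disinfected D:\WINDOWS\TEMP\win410.tmp.exe
Adware:Adware/PurityScan Not disinfected D:\WINDOWS\system32\winmmt32.dll
Adware:adware/savenow Not disinfected d:\program files\Save
Potentially unwanted tool:Application/ToolWget Not disinfected C:\backup\disk d\Downloads\BODYA\wgetwin-1_5_3_1-binary.zip[wget.exe]
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Bodya\Application Data\Mozilla\Firefox\Profiles\cslc6wty.default\cookies.txt[.yadro.ru/]
Virus:Trj/Cimuz.BE Disinfected D:\Documents and Settings\Bodya\Application Data\Thunderbird\Profiles\40eoj7ya.default\Mail\Local Folders\Inbox[Telekom.pdf.exe]
Dialer:Dialer.ISL Not disinfected D:\Documents and Settings\Bodya\Local Settings\Temporary Internet Files\Content.IE5\8XYN49YF\srvftb[1].exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\idd1473.tmp.exe
Dialer:Dialer.ISM Not disinfected D:\WINDOWS\Temp\iddB5.tmp.exe
D:\System Volume Information\_restore{51888A19-FA1D-44D2-8A36-34FBDDC6CA65}\RP560\A0292148.dll -> Adware.Maxifiles : No action taken.
[1584] D:\Program Files\Common Files\{7C4E4D9A-07B1-1049-1017-03033005017c}\Update.exe -> Adware.Softomate : No action taken.
D:\WINDOWS\system32\__delete_on_reboot__w_i_n_m_m_t_3_2_._d_l_l_ -> Trojan.Agent.vg : No action taken.
"""


def parse(report):
    """Yield (location, detection name) from Panda or AVG report lines."""
    for raw in report.splitlines():
        m = PANDA_RE.match(raw.strip()) or AVG_RE.match(raw.strip())
        if m:
            yield m.group("loc"), m.group("name")


def classify(loc):
    """Bucket a finding by where it lives; order matters (most specific first)."""
    u = loc.upper()
    if "__DELETE_ON_REBOOT__" in u:
        return "pending delete"           # already queued for removal at next boot
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in u:
        return "restore point"            # survives until System Restore is purged
    if "\\COOKIES\\" in u or "COOKIES.TXT[" in u:
        return "cookie"                   # tracking noise, not executable
    if re.search(r"\.(ZIP|RAR|EXE)[\[\]/]", u):
        return "archive/mailbox member"   # inert until extracted or run
    if "\\TEMP\\" in u or "TEMPORARY INTERNET FILES" in u:
        return "temp drop"                # symptom: something else keeps writing these
    return "installed file"               # candidate for the dropper itself


def summarize(report):
    """Return (Counter of classes, Counter of normalised generated temp names)."""
    classes, generated = Counter(), Counter()
    for loc, _name in parse(report):
        cls = classify(loc)
        classes[cls] += 1
        if cls == "temp drop":
            base = loc.rsplit("\\", 1)[-1]
            for pattern, repl in GENERATED:
                if pattern.match(base):
                    generated[pattern.sub(repl, base)] += 1
                    break
    return classes, generated


def dropper_candidates(report):
    """Installed executables/DLLs: remove these before expecting temp drops to stop."""
    return [loc for loc, _ in parse(report)
            if classify(loc) == "installed file" and loc.lower().endswith((".exe", ".dll"))]


if __name__ == "__main__":
    classes, generated = summarize(SAMPLE_REPORT)
    for cls, n in classes.most_common():
        print(f"{n:3d}  {cls}")
    print("generated temp names:", dict(generated))
    print("chase first:", *dropper_candidates(SAMPLE_REPORT), sep="\n  ")
```

On the sample the two "chase first" files are winmmt32.dll (the Winlogon Notify DLL from the HJT log) and the GUID-folder Update.exe, which matches what the thread eventually converged on: the `__delete_on_reboot__` entry shows the DLL was already queued for removal at next boot, and the restore-point hits are why the last helper post says to run the scanner in safe mode and delete everything rather than stopping at the temp files.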
 
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thank you little eagle. :)
 