win32.Soundmix and possibly more

G

guitar_xe

New member
Hi, a family member of mine has come to live with me from Russia. His computer appears to be infected by the win32.soundmix trojan. When I did a scan with SpyBotSD in safe mode it came up, and spybot was not able to remove it. I then realised that the computer has no Anti-virus software, so I installed Avast! and ran the "pre-boot" scan (I think that is what it was called). I wasn't there for the entire scan, but I saw that it deleted a couple of files that were flagged as win32.agent [trj]. When I came back later to the PC the scan had already finished and windows was running at the desktop, so I don't know what it deleted or not.

Now the soundmix.exe is no longer in the processes, and SpyBotSD no longer finds it during scan, but the registry entry to it is still in /windows/currentversion/run .
At this point I do not know if the trojan was removed or not, so any assistance with this would be greatly appreciated.
Here is my HJT log: (since this is a Russian version of windows, some characters are in Russian. I do not know how to change that)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:23, on 31.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apeha.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ññûëêè
O1 - Hosts: 61.129.115.198 www.xldd.com
O1 - Hosts: 61.129.115.198 www.ojiang.com
O1 - Hosts: 61.129.115.198 www.shuixian.net
O1 - Hosts: 61.129.115.198 www.xlarea.com
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [soundmix] C:\WINDOWS\system32\soundmix.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Ýêñïîðò â Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Æóðíàë ñîáûòèé (Eventlog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ñëóæáà COM çàïèñè êîìïàêò-äèñêîâ IMAPI (ImapiService) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Äèñïåò÷åð ñåàíñà ñïðàâêè äëÿ óäàëåííîãî ðàáî÷åãî ñòîëà (RDSessMgr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Ñìàðò-êàðòû (SCardSvr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Æóðíàëû è îïîâåùåíèÿ ïðîèçâîäèòåëüíîñòè (SysmonLog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Òåíåâîå êîïèðîâàíèå òîìà (VSS) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Àäàïòåð ïðîèçâîäèòåëüíîñòè WMI (WmiApSrv) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 4526 bytes
 
Hello and Welcome to the forums!

My name is peku006and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform full scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found here:

    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - download and run RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

3 - Status Check
Please reply with

1.the logs from RSIT (log.txt ,info.txt)
2. the Malwarebytes' Anti-Malware Log
description of any problems you are having with your PC

Thanks peku006
 
Hi peku006, and thank you for taking your time to help me with this. Following are what you requested

info.txt
info.txt logfile of random's system information tool 1.04 2008-10-31 10:52:20

======Uninstall list======

-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
«Èëüÿ Ìóðîìåö è Ñîëîâåé-ðàçáîéíèê»-->"D:\Èãðû\Èëüÿ Ìóðîìåö è Ñîëîâåé-ðàçáîéíèê\unins000.exe"
102 Äàëìàòèíöà - Âîêðóã ñâåòà-->C:\WINDOWS\IsUninstR.Exe -fd:\462D~1\DeIsL1.isu -cd:\462D~1\102AC_~1.DLL
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Barbie(tm) Ñàëîí êðàñîòû-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4964CF58-9032-4BF0-96F8-B1ECFB238D9B}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Indeo® software-->C:\WINDOWS\IsUninst.exe -f"d:\èãðû\êíÿçü âëàäèìèð\Uninst.isu"
K-Lite Codec Pack 2.80 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Access MUI (Russian) 2007-->MsiExec.exe /X{90120000-0015-0419-0000-0000000FF1CE}
Microsoft Office Excel MUI (Russian) 2007-->MsiExec.exe /X{90120000-0016-0419-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Russian) 2007-->MsiExec.exe /X{90120000-0044-0419-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Russian) 2007-->MsiExec.exe /X{90120000-001A-0419-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Russian) 2007-->MsiExec.exe /X{90120000-0018-0419-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Russian) 2007-->MsiExec.exe /X{90120000-001F-0419-0000-0000000FF1CE}
Microsoft Office Proof (Ukrainian) 2007-->MsiExec.exe /X{90120000-001F-0422-0000-0000000FF1CE}
Microsoft Office Proofing (Russian) 2007-->MsiExec.exe /X{90120000-002C-0419-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Russian) 2007-->MsiExec.exe /X{90120000-0019-0419-0000-0000000FF1CE}
Microsoft Office Shared MUI (Russian) 2007-->MsiExec.exe /X{90120000-006E-0419-0000-0000000FF1CE}
Microsoft Office Word MUI (Russian) 2007-->MsiExec.exe /X{90120000-001B-0419-0000-0000000FF1CE}
Microsoft Office Ïðîôåññèîíàëüíûé ïëþñ 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Office Keyboard-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0208A7E3-0D30-11D4-A1FC-00508B9D1BA2}\Setup.exe" -l0x9
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x19 -removeonly
SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 USB Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x19 -removeonly
Samsung PC Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x19 -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Stupid Invaders-->C:\WINDOWS\IsUninst.exe -fd:\èãðû\Uninst.isu
The Sims 2-->C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims-->C:\Games\TheSims\UNWISE.EXE C:\Games\TheSims\INSTALL.LOG
Vodafone 804SS USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
Ãóáêà Áîá - Ñòðàñòè-ìîðäàñòè-->C:\WINDOWS\IsUninstR.Exe -fd:\462D~1\DeIsL1.isu -cd:\462D~1\SBNN_R~1.DLL
Îò÷àÿííûå äîìîõîçÿéêè-->C:\WINDOWS\IsUninstR.Exe -fd:\462D~1\DeIsL1.isu -cd:\462D~1\DHW_RE~1.DLL
Ðîãà è Êîïûòà-->C:\WINDOWS\IsUninstR.Exe -fd:\462D~1\DeIsL1.isu -cd:\462D~1\BARNYA~1.DLL
Ðîçîâàÿ Ïàíòåðà - Ïðàâî íà ðèñê-->C:\WINDOWS\pptpunin.exe ¡

======Hosts File======

61.129.115.198 www.xldd.com
61.129.115.198 www.ojiang.com
61.129.115.198 www.shuixian.net
61.129.115.198 www.xlarea.com

======Security center information======

AV: avast! antivirus 4.8.1229 [VPS 081031-1]

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Samsung\Samsung PC Studio 3\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------


log.txt
Logfile of random's system information tool 1.04 (written by random/random)
Run by Àäìèíèñòðàòîð at 2008-10-31 10:52:14
Microsoft Windows XP Professional Service Pack 2
System drive C: has 62 GB (81%) free of 76 GB
Total RAM: 1023 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:19, on 31.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Àäìèíèñòðàòîð\Ðàáî÷èé ñòîë\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Àäìèíèñòðàòîð.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apeha.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ññûëêè
O1 - Hosts: 61.129.115.198 www.xldd.com
O1 - Hosts: 61.129.115.198 www.ojiang.com
O1 - Hosts: 61.129.115.198 www.shuixian.net
O1 - Hosts: 61.129.115.198 www.xlarea.com
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [soundmix] C:\WINDOWS\system32\soundmix.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Ýêñïîðò â Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Æóðíàë ñîáûòèé (Eventlog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ñëóæáà COM çàïèñè êîìïàêò-äèñêîâ IMAPI (ImapiService) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Äèñïåò÷åð ñåàíñà ñïðàâêè äëÿ óäàëåííîãî ðàáî÷åãî ñòîëà (RDSessMgr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Ñìàðò-êàðòû (SCardSvr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Æóðíàëû è îïîâåùåíèÿ ïðîèçâîäèòåëüíîñòè (SysmonLog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Òåíåâîå êîïèðîâàíèå òîìà (VSS) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Àäàïòåð ïðîèçâîäèòåëüíîñòè WMI (WmiApSrv) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 4979 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-09-12 16264192]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-08-11 7630848]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-08-11 86016]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"MULTIMEDIA KEYBOARD"=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe [2003-09-30 425984]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-06-14 282624]
"soundmix"=C:\WINDOWS\system32\soundmix.exe []
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c82824e-481b-11dc-bc2e-0019214f8e73}]
shell\AutoRun\command - H:\
shell\explore\command - H:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - H:\RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3a73d8-1926-11dc-9911-0019214f8e73}]
shell\AutoRun\command - F:\
shell\explore\command - F:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - F:\RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bf12e5d-4816-11dc-bc2d-0019214f8e73}]
shell\AutoRun\command - H:\
shell\explore\command - RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ca1d1f2-d8b0-11dc-bc78-0019214f8e73}]
shell\AutoRun\command - H:\
shell\explore\command - H:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - H:\RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f84b0d8-2954-11dd-bcbf-0019214f8e73}]
shell\AutoRun\command - H:\
shell\explore\command - H:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - H:\RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99a90d8a-434a-11dc-9942-0019214f8e73}]
shell\AutoRun\command - F:\
shell\explore\command - F:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - F:\RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c15375c-57a2-11dd-bce3-0019214f8e73}]
shell\AutoRun\command - H:\
shell\explore\command - H:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - H:\RECYCLER\autorun.exe -OpenCurDir

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d11b2b64-ec4f-11dc-bc8b-0019214f8e73}]
shell\AutoRun\command - H:\
shell\explore\command - H:\RECYCLER\autorun.exe -ExploreCurDir
shell\open\command - H:\RECYCLER\autorun.exe -OpenCurDir


======List of files/folders created in the last 1 months======

2008-10-31 10:52:14 ----D---- C:\rsit
2008-10-31 10:23:02 ----D---- C:\Documents and Settings\Àäìèíèñòðàòîð\Application Data\Malwarebytes
2008-10-31 10:22:56 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-31 10:22:55 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 04:34:03 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-10-31 04:34:01 ----D---- C:\Program Files\Alwil Software
2008-10-31 02:34:52 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-31 02:34:52 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-30 06:55:20 ----D---- C:\$AVG8.VAULT$
2008-10-30 05:07:10 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-30 05:05:06 ----D---- C:\Program Files\AVG(2)
2008-10-30 05:05:05 ----D---- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-10-30 04:28:35 ----D---- C:\Program Files\The Cleaner Demo
2008-10-30 04:24:38 ----D---- C:\Program Files\Trend Micro
2008-10-08 18:57:12 ----D---- C:\Program Files\EA GAMES
2008-10-08 08:58:48 ----D---- C:\Games

======List of files/folders modified in the last 1 months======

2008-10-31 10:51:00 ----D---- C:\WINDOWS\Temp
2008-10-31 10:50:12 ----A---- C:\WINDOWS\Msiosd.ini
2008-10-31 10:49:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-31 10:23:02 ----D---- C:\WINDOWS\Prefetch
2008-10-31 10:22:59 ----D---- C:\WINDOWS\system32\drivers
2008-10-31 10:22:55 ----RD---- C:\Program Files
2008-10-31 09:21:23 ----D---- C:\WINDOWS\system32\config
2008-10-31 05:04:31 ----D---- C:\WINDOWS\system32
2008-10-31 05:03:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-31 04:08:39 ----D---- C:\WINDOWS
2008-10-31 02:48:21 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-31 02:21:07 ----D---- C:\WINDOWS\system32\wbem
2008-10-31 02:21:03 ----D---- C:\WINDOWS\Registration
2008-10-31 02:19:49 ----SHD---- C:\WINDOWS\Installer
2008-10-30 05:05:00 ----D---- C:\WINDOWS\WinSxS
2008-10-30 05:05:00 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-30 04:24:34 ----SD---- C:\Documents and Settings\Àäìèíèñòðàòîð\Application Data\Microsoft
2008-10-10 20:46:13 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2008-10-09 21:08:25 ----HD---- C:\WINDOWS\inf
2008-10-09 21:07:27 ----D---- C:\Program Files\Common Files\Adobe
2008-10-09 21:07:27 ----D---- C:\Program Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 intelppm;Äðàéâåð Intel ïðîöåññîðà; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-17 40448]
R1 kbdhid;Äðàéâåð êëàâèàòóðû HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-17 14848]
R1 msikbd2k;Multimedia Keyboard Filter Driver; C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Äðàéâåð êëàññà HID Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-18 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-09-12 4381184]
R3 mouhid;Äðàéâåð ìûøè HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-19 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-08-11 3958496]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-02-27 81408]
R3 usbccgp;Äðàéâåð óíèâåðñàëüíîãî ðîäèòåëüñêîãî óñòðîéñòâà USB (Microsoft); C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Äðàéâåð ìèíèïîðòà Microsoft USB 2.0 ðàñøèðåííîãî õîñò-êîíòðîëëåðà; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 êîíöåíòðàòîð; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Äðàéâåð ìèíèïîðòà Microsoft USB óíèâåðñàëüíîãî õîñò-êîíòðîëëåðà; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 gAGP440p;gAGP440p; \??\C:\DOCUME~1\9335~1\LOCALS~1\Temp\gAGP440p.sys []
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ssm_bus.sys [2005-08-30 58320]
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys [2005-08-30 8336]
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys [2005-08-30 94000]
S3 usbscan;Äðàéâåð USB-ñêàíåðà; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;Äðàéâåð çàïîìèíàþùèõ óñòðîéñòâ äëÿ USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 nhksrv;Netropa NHK Server; C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 28672]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-08-11 155715]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

Malwarebytes' Anti-Malware Log
Malwarebytes' Anti-Malware 1.30
Database version: 1349
Windows 5.1.2600 Service Pack 2

31.10.2008 10:48:58
mbam-log-2008-10-31 (10-48-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 81364
Time elapsed: 19 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

description of any problems you are having with your PC
Click to expand...

There are no problems that I can describe, such as slow computer or popups, but please allow me to elaborate the problem that I have.
During a scan with SpybotSD, a trojan marked as win32.soundmix came up, and SpybotSD was unable to remove it.
At this point, I downloaded and installed Avast! Anti-virus and ran a pre-boot scan, which had removed several other trojans that it detected. After this scan, SpybotSD no longer detects the win32.soundmix trojan, however because the registry key to the file soundmix.exe in C:\Windows\System32 remains, I am uncertain if the trojan was completely removed.
 
Also, if this will be of use, I have found another key in the registry in the path
HKEY_USERS\Default\Software\Microsoft\Windows\ShellNoRoam\MUICache
Click to expand...
that leads to the soundmix.exe file in the C:\Windows\System32 directory.
 
Hi guitar_xe

1 - Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

2 - Download and Run HostsXpert

  • Please download HostXpert.
    • Unzip HostsXpert.zip
    • Double click on HostsXpert.exe
    • Then click on "Restore ms Hosts file" to restore your Hosts file to its default condidtion..
    • Click on Make Read Only to secure it against further infection.
    • Close program when complete.

3 - Download and Run OTMoveIt3
Download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click on OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: 
    :Files
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"soundmix"=-

:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"soundmix"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c82824e-481b-11dc-bc2e-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3a73d8-1926-11dc-9911-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bf12e5d-4816-11dc-bc2d-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ca1d1f2-d8b0-11dc-bc78-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f84b0d8-2954-11dd-bcbf-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99a90d8a-434a-11dc-9942-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c15375c-57a2-11dd-bce3-0019214f8e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d11b2b64-ec4f-11dc-bc8b-0019214f8e73}]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • If you are not asked to reboot close OTMoveIt3.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

4 - Download and run OTViewIt
  1. Please download OTViewIt by OldTimer and save it to your Desktop.
  2. Close all applications and windows.
  3. Double-click on the OTViewIt.exeto start OTViewIt.
  4. Place a checkmark in the blue-colored "Scan All Users" checkbox.
  5. Click the blue Run Scan button.
  6. OTViewIt will now start its scan.
  7. When the scan is complete, two text files will be created, OTViewIt.Txt <- this one will be opened in Notepad and Extras.txt, on Desktop.
  8. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and the Extras.txt to your post.

5 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

6 - Status Check
Please reply with

1. the OTMoveIt3 log
2. the logs fromOTViewIt (OTViewIt.txt and Extras.txt)
3. a fresh HijackThis log

Thanks peku006
 
OTMoveIt3 log
========== FILES ==========
File/Folder [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] not found.
File/Folder soundmix"= not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\soundmix not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c82824e-481b-11dc-bc2e-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3a73d8-1926-11dc-9911-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bf12e5d-4816-11dc-bc2d-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ca1d1f2-d8b0-11dc-bc78-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f84b0d8-2954-11dd-bcbf-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99a90d8a-434a-11dc-9942-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c15375c-57a2-11dd-bce3-0019214f8e73}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d11b2b64-ec4f-11dc-bc8b-0019214f8e73}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11012008_074010


logs fromOTViewIt
OTViewIt.txt
OTViewIt logfile created on: 01.11.2008 7:41:32 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Администратор\Рабочий стол
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000419 | Country: Россия | Language: RUS | Date Format: dd.MM.yyyy

1023,48 Mb Total Physical Memory | 681,52 Mb Available Physical Memory | 66,59% Memory free
2,40 Gb Paging File | 2,16 Gb Available in Paging File | 89,64% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 60,50 Gb Free Space | 81,19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TYCOON-A36CE861
Current User Name: Администратор
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004.08.17 18:05:06 | 00,050,688 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\smss.exe
[2004.08.17 18:05:10 | 00,503,808 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\winlogon.exe
[2004.08.17 18:05:04 | 00,108,544 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\services.exe
[2008.07.19 20:25:06 | 00,016,056 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2008.07.19 20:38:28 | 00,147,640 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
[2004.08.17 18:04:48 | 01,032,704 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\explorer.exe
[2006.09.12 14:58:14 | 16,264,192 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
[2004.11.02 22:24:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2003.09.30 07:09:28 | 00,425,984 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
[2007.06.14 23:07:08 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
[2008.07.19 20:38:34 | 00,078,008 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2001.08.06 07:41:48 | 00,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
[2006.08.11 19:42:50 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2008.07.19 20:38:04 | 00,250,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[2004.09.06 07:48:32 | 00,094,208 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe
[2001.11.14 05:03:12 | 00,090,112 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Onscreen Display\osd.exe
[2008.07.23 20:25:45 | 00,348,344 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[2004.08.17 18:05:12 | 00,111,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008.11.01 07:40:46 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Администратор\Рабочий стол\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008.07.19 20:25:06 | 00,016,056 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2008.07.19 20:38:28 | 00,147,640 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2008.07.19 20:38:04 | 00,250,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
[2008.07.23 20:25:45 | 00,348,344 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
[2004.08.17 18:05:04 | 00,108,544 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\services.exe -- (Eventlog [Auto | Running])
[2005.04.04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2004.08.17 18:04:52 | 00,150,016 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\imapi.exe -- (ImapiService [On_Demand | Stopped])
[2004.08.17 18:04:54 | 00,032,768 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc [On_Demand | Stopped])
[2004.08.17 18:04:58 | 00,113,664 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\netdde.exe -- (NetDDE [Disabled | Stopped])
[2004.08.17 18:04:58 | 00,113,664 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm [Disabled | Stopped])
[2001.08.06 07:41:48 | 00,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- (nhksrv [Auto | Running])
[2006.08.11 19:42:50 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2006.10.26 21:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006.10.26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2004.08.17 18:05:04 | 00,108,544 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\services.exe -- (PlugPlay [Auto | Running])
[2004.08.17 18:05:06 | 00,141,312 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr [On_Demand | Stopped])
[2004.08.17 18:05:04 | 00,096,768 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr [On_Demand | Stopped])
[2004.08.17 18:05:06 | 00,091,648 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog [On_Demand | Stopped])
[2004.08.17 18:05:08 | 00,073,216 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr [Disabled | Stopped])
[2004.08.17 18:05:10 | 00,290,304 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\vssvc.exe -- (VSS [On_Demand | Stopped])
[2004.08.17 18:05:12 | 00,126,464 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv [On_Demand | Stopped])

========== Driver Services ==========

[2004.04.30 09:37:02 | 00,160,640 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\a347bus.sys -- (a347bus [Boot | Running])
[2004.04.30 09:33:00 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\a347scsi.sys -- (a347scsi [Boot | Running])
[2008.07.19 20:32:15 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2004.08.17 17:46:54 | 00,188,288 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\acpi.sys -- (ACPI [Boot | Running])
[2001.10.21 04:00:00 | 00,011,776 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\System32\drivers\acpiec.sys -- (ACPIEC [Disabled | Stopped])
[2008.07.19 20:37:42 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
[2008.07.19 20:37:21 | 00,094,416 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2008.07.19 20:33:42 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2008.07.19 20:35:18 | 00,078,416 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
[2008.07.19 20:32:36 | 00,042,912 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2004.08.03 22:59:44 | 00,095,360 | ---- | M] () -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi [Boot | Running])
[2001.10.21 04:00:00 | 00,034,944 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\System32\drivers\fips.sys -- (Fips [System | Running])
[2001.10.21 04:00:00 | 00,125,440 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\ftdisk.sys -- (Ftdisk [Boot | Running])
[2005.01.07 19:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2004.08.17 17:51:24 | 00,053,376 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt [System | Stopped])
[2006.09.12 17:27:00 | 04,381,184 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService [On_Demand | Running])
[2001.10.19 22:22:20 | 00,036,096 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\isapnp.sys -- (isapnp [Boot | Running])
[2004.08.17 17:54:38 | 00,024,832 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\kbdclass.sys -- (Kbdclass [System | Running])
[2004.08.17 17:54:38 | 00,014,848 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2004.08.17 18:16:30 | 00,030,208 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\System32\drivers\modem.sys -- (Modem [On_Demand | Stopped])
[2004.08.17 17:47:34 | 00,023,296 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\mouclass.sys -- (Mouclass [System | Running])
[2001.10.19 22:33:10 | 00,012,160 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\mouhid.sys -- (mouhid [On_Demand | Running])
[2001.12.20 10:02:12 | 00,006,656 | ---- | M] (Netropa Corporation) -- C:\WINDOWS\system32\drivers\Msikbd2k.sys -- (msikbd2k [System | Running])
[2006.08.11 19:42:42 | 03,958,496 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2004.08.17 18:16:30 | 00,080,128 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport [On_Demand | Running])
[2001.10.21 04:00:00 | 00,006,912 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\System32\drivers\parvdm.sys -- (ParVdm [Auto | Running])
[2004.08.17 17:46:56 | 00,068,480 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\pci.sys -- (PCI [Boot | Running])
[2001.10.19 22:32:14 | 00,003,328 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\pciide.sys -- (PCIIde [Boot | Running])
[2004.08.17 17:47:02 | 00,119,936 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\System32\drivers\pcmcia.sys -- (Pcmcia [Disabled | Stopped])
[2001.10.21 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2004.08.17 21:49:32 | 00,058,112 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook [System | Running])
[2006.02.27 03:46:20 | 00,081,408 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
[2007.06.25 18:02:59 | 00,163,644 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2004.08.17 17:51:24 | 00,065,408 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\serial.sys -- (Serial [System | Running])
[2005.03.03 23:53:57 | 00,048,640 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
[2005.02.23 21:59:54 | 00,006,656 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
[2004.10.06 15:47:16 | 00,019,840 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfsync02.sys -- (sfsync02 [Boot | Running])
[2004.08.17 17:58:30 | 00,073,472 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\drivers\sr.sys -- (sr [Boot | Running])
[2005.08.30 01:47:38 | 00,058,320 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ssm_bus.sys -- (ssm_bus [On_Demand | Stopped])
[2005.08.30 01:49:34 | 00,008,336 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ssm_mdfl.sys -- (ssm_mdfl [On_Demand | Stopped])
[2005.08.30 01:49:38 | 00,094,000 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ssm_mdm.sys -- (ssm_mdm [On_Demand | Stopped])
[2004.08.17 17:53:24 | 00,051,968 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\System32\drivers\volsnap.sys -- (VolSnap [Boot | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.apeha.ru

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Корпорация Майкрософт)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.apeha.ru

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Корпорация Майкрософт)

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (698 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINDOWS\system32\browseui.dll (Корпорация Майкрософт)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINDOWS\system32\browseui.dll (Корпорация Майкрософт)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINDOWS\system32\shell32.dll (Корпорация Майкрософт)

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINDOWS\system32\browseui.dll (Корпорация Майкрософт)

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINDOWS\system32\browseui.dll (Корпорация Майкрософт)

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINDOWS\system32\shell32.dll (Корпорация Майкрософт)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=ALCMTR.EXE (Realtek Semiconductor Corp.)
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
"MULTIMEDIA KEYBOARD"=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (Netropa Corp.)
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /install ()
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SkyTel"=SkyTel.EXE (Realtek Semiconductor Corp.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&Экспорт в Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2006.10.27 17:07:36 | 17,891,112 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\Software\Microsoft\Internet Explorer\MenuExt\]
&Экспорт в Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2006.10.27 17:07:36 | 17,891,112 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006.10.26 22:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004.08.17 18:17:40 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004.08.17 18:17:40 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006.10.26 22:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004.08.17 18:17:40 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1547161642-583907252-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006.10.26 22:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004.08.17 18:17:40 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O17) DNS Name Servers ==========

{D86BBC12-4D04-4580-8D02-CC63B4DE5EEC} (Servers: | Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC)

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=Explorer.exe
>[2004.08.17 18:04:48 | 01,032,704 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\explorer.exe

"UserInit"=C:\WINDOWS\system32\userinit.exe,
>[2004.08.17 18:05:10 | 00,025,088 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\userinit.exe

"UIHost"=logonui.exe
>[2004.08.17 18:04:52 | 00,515,072 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\logonui.exe

"VMApplet"=rundll32 shell32,Control_RunDLL "sysdm.cpl"
>[2004.08.17 18:04:30 | 08,401,408 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\shell32.dll
>[2004.08.17 18:05:12 | 00,300,032 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\sysdm.cpl


========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
crypt32chain: "DllName" = crypt32.dll -- C:\WINDOWS\system32\crypt32.dll (Корпорация Майкрософт)
cscdll: "DllName" = cscdll.dll -- C:\WINDOWS\system32\cscdll.dll (Корпорация Майкрософт)
ScCertProp: "DllName" = wlnotify.dll -- C:\WINDOWS\system32\wlnotify.dll (Корпорация Майкрософт)
Schedule: "DllName" = wlnotify.dll -- C:\WINDOWS\system32\wlnotify.dll (Корпорация Майкрософт)
sclgntfy: "DllName" = sclgntfy.dll -- C:\WINDOWS\system32\sclgntfy.dll (Корпорация Майкрософт)
SensLogn: "DllName" = WlNotify.dll -- C:\WINDOWS\system32\wlnotify.dll (Корпорация Майкрософт)
termsrv: "DllName" = wlnotify.dll -- C:\WINDOWS\system32\wlnotify.dll (Корпорация Майкрософт)
wlballoon: "DllName" = wlnotify.dll -- C:\WINDOWS\system32\wlnotify.dll (Корпорация Майкрософт)

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDBurn"={fbeb8a05-beee-4442-804e-409d6c4515e9} (HKLM) -- C:\WINDOWS\system32\shell32.dll (Корпорация Майкрософт)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"={7849596a-48ea-486e-8937-a2a3009f31a9} (HKLM) -- C:\WINDOWS\system32\shell32.dll (Корпорация Майкрософт)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysTray"={35CEC8A3-2BE6-11D2-8773-92E220524153} (HKLM) -- C:\WINDOWS\system32\stobject.dll (Корпорация Майкрософт)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"={E6FB5E20-DE35-11CF-9C87-00AA005127ED} (HKLM) -- C:\WINDOWS\system32\webcheck.dll (Корпорация Майкрософт)

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" (HKLM) = Предзагрузчик Browseui -- C:\WINDOWS\system32\browseui.dll (Корпорация Майкрософт)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" (HKLM) = Демон кэша категорий компонентов -- C:\WINDOWS\system32\browseui.dll (Корпорация Майкрософт)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" (HKLM) -- C:\WINDOWS\system32\shell32.dll (Корпорация Майкрософт)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
>[2004.08.17 18:04:14 | 00,068,608 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\digest.dll
>[2004.08.17 18:04:24 | 00,290,816 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\msnsspc.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007.06.06 18:47:59 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2008.11.01 07:40:45 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Администратор\Рабочий стол\OTViewIt.exe
[2008.11.01 07:40:10 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2008.10.31 11:16:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Администратор\Рабочий стол\temp
[2008.10.31 10:52:14 | 00,000,000 | ---D | C] -- C:\rsit
[2008.10.31 10:23:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Администратор\Application Data\Malwarebytes
[2008.10.31 10:22:59 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008.10.31 10:22:56 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008.10.31 10:22:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008.10.31 10:22:55 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008.10.31 10:01:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Документы\мои документы
[2008.10.31 08:15:02 | 00,010,174 | ---- | C] () -- C:\Documents and Settings\Администратор\Рабочий стол\Документ Microsoft Office Word.docx
[2008.10.31 07:25:05 | 00,069,614 | ---- | C] () -- C:\Documents and Settings\Администратор\Рабочий стол\audio.htm
[2008.10.31 05:33:15 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Администратор\Рабочий стол\HijackThis.lnk
[2008.10.31 04:34:19 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2008.10.31 04:34:18 | 00,042,912 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2008.10.31 04:34:17 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2008.10.31 04:34:16 | 00,094,392 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2008.10.31 04:34:15 | 00,094,416 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2008.10.31 04:34:15 | 00,093,264 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2008.10.31 04:34:15 | 00,078,416 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2008.10.31 04:34:15 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2008.10.31 04:34:03 | 01,163,960 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2008.10.31 04:34:03 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2008.10.31 04:34:01 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2008.10.31 02:34:52 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008.10.31 02:34:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008.10.30 06:55:20 | 00,000,000 | ---D | C] -- C:\$AVG8.VAULT$
[2008.10.30 05:05:18 | 27,321,964 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg(2)\incavi.avm
[2008.10.30 05:05:18 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg(2)\avi7.avg
[2008.10.30 05:05:18 | 00,211,986 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg(2)\miniavi.avg
[2008.10.30 05:05:18 | 00,106,501 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg(2)\microavi.avg
[2008.10.30 05:05:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg(2)
[2008.10.30 05:05:06 | 00,000,000 | ---D | C] -- C:\Program Files\AVG(2)
[2008.10.30 05:05:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8(2)
[2008.10.30 04:28:35 | 00,000,000 | ---D | C] -- C:\Program Files\The Cleaner Demo
[2008.10.30 04:24:38 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008.10.08 18:57:12 | 00,000,000 | ---D | C] -- C:\Program Files\EA GAMES
[2008.10.08 11:11:32 | 00,000,275 | ---- | C] () -- C:\Documents and Settings\Администратор\Рабочий стол\Ярлык для Локальный диск (D).lnk
[2008.10.08 10:46:46 | 00,000,792 | ---- | C] () -- C:\Documents and Settings\Администратор\Рабочий стол\Проигрыватель Windows Media.lnk
[2008.10.08 10:46:42 | 00,001,491 | ---- | C] () -- C:\Documents and Settings\Администратор\Рабочий стол\Косынка.lnk
[2008.10.08 08:58:48 | 00,000,000 | ---D | C] -- C:\Games

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2008.11.01 07:40:46 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Администратор\Рабочий стол\OTViewIt.exe
[2008.11.01 07:39:07 | 00,000,245 | ---- | M] () -- C:\WINDOWS\Msiosd.ini
[2008.11.01 07:36:46 | 00,000,698 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008.11.01 07:12:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008.11.01 07:12:03 | 00,081,191 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2008.11.01 07:11:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008.11.01 01:08:29 | 04,307,140 | -H-- | M] () -- C:\Documents and Settings\Администратор\Local Settings\Application Data\IconCache.db
[2008.10.31 09:54:54 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008.10.31 08:17:45 | 00,010,174 | ---- | M] () -- C:\Documents and Settings\Администратор\Рабочий стол\Документ Microsoft Office Word.docx
[2008.10.31 07:25:18 | 00,069,614 | ---- | M] () -- C:\Documents and Settings\Администратор\Рабочий стол\audio.htm
[2008.10.31 05:33:15 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Администратор\Рабочий стол\HijackThis.lnk
[2008.10.31 04:34:18 | 00,005,758 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2008.10.30 05:05:21 | 27,321,964 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg(2)\incavi.avm
[2008.10.30 05:05:18 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg(2)\avi7.avg
[2008.10.30 05:05:18 | 00,211,986 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg(2)\miniavi.avg
[2008.10.30 05:05:18 | 00,106,501 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg(2)\microavi.avg
[2008.10.22 16:10:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008.10.22 16:10:22 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008.10.10 20:46:13 | 00,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008.10.08 11:11:32 | 00,000,275 | ---- | M] () -- C:\Documents and Settings\Администратор\Рабочий стол\Ярлык для Локальный диск (D).lnk
< End of report >
 
Extras.txt
OTViewIt Extras logfile created on: 01.11.2008 7:41:32 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Администратор\Рабочий стол
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000419 | Country: Россия | Language: RUS | Date Format: dd.MM.yyyy

1023,48 Mb Total Physical Memory | 681,52 Mb Available Physical Memory | 66,59% Memory free
2,40 Gb Paging File | 2,16 Gb Available in Paging File | 89,64% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 60,50 Gb Free Space | 81,19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TYCOON-A36CE861
Current User Name: Администратор
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004.08.17 18:05:06 | 00,141,312 | ---- | M] (Корпорация Майкрософт) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004.08.17 18:05:06 | 00,141,312 | ---- | M] (Корпорация Майкрософт) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006.10.27 17:16:48 | 12,813,096 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000001 [TCP/IP] -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
NameSpace_Catalog5\Catalog_Entries\000000000003 [Пространство имен службы сетевого расположения (NLA)] -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000001 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000002 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000003 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000004 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000005 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000006 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000007 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000008 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000009 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000010 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9\Catalog_Entries\000000000011 -- C:\WINDOWS\system32\mswsock.dll (Корпорация Майкрософт)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:22 | 03,003,392 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\mshtml.dll (about:{3050F406-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML About Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (cdl:{3dd53d40-7b8b-11D0-b013-00aa0059ce02} (HKLM) [CDL: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:26 | 01,431,040 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\msvidctl.dll (dvd:{12D51199-0DB5-46FE-A120-47A3D7D937CC} (HKLM) [DVD: подключаемый протокол])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (file:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (ftp:{79eac9e3-baf9-11ce-8c82-00aa004ba90b} (HKLM) [ftp: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (gopher:{79eac9e4-baf9-11ce-8c82-00aa004ba90b} (HKLM) [gopher: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (http:{79eac9e2-baf9-11ce-8c82-00aa004ba90b} (HKLM) [http: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL http\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL http\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (https:{79eac9e5-baf9-11ce-8c82-00aa004ba90b} (HKLM) [https: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL https\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL https\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:22 | 03,003,392 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\mshtml.dll (javascript:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (local:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:22 | 03,003,392 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\mshtml.dll (mailto:{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Mailto Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll (mk:{79eac9e6-baf9-11ce-8c82-00aa004ba90b} (HKLM) [mk: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2006.10.26 20:49:46 | 01,011,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006.10.26 15:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:22 | 03,003,392 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\mshtml.dll (res:{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Resource Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:22 | 03,003,392 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\mshtml.dll (sysimage:{76E67A63-06E9-11D2-A840-006008059382} (HKLM) [Microsoft HTML Resource Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:26 | 01,431,040 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\msvidctl.dll (tv:{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} (HKLM) [ТВ: подключаемый протокол])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004.08.17 18:04:22 | 03,003,392 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\mshtml.dll (vbscript:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll Class Install Handler:{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} (HKLM) [AP Class Install Handler filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll deflate:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll gzip:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004.08.17 18:04:34 | 00,600,576 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\urlmon.dll lzdhtml:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004.08.17 18:04:30 | 08,401,408 | ---- | M] (Корпорация Майкрософт) C:\WINDOWS\system32\shell32.dll text/webviewhtml:{733AC4CB-F1A4-11d0-B951-00A0C90312E1} (HKLM) [WebView MIME Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006.10.26 23:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0208A7E3-0D30-11D4-A1FC-00508B9D1BA2}"=Office Keyboard
"{350C9419-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{4964CF58-9032-4BF0-96F8-B1ECFB238D9B}"=Barbie(tm) Салон красоты
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{80DB2577-43E3-4C34-00AF-0D7967B942C9}"=The Sims 2
"{90120000-0010-0419-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (Russian) 12
"{90120000-0011-0000-0000-0000000FF1CE}"=Microsoft Office Professional Plus 2007
"{90120000-0015-0419-0000-0000000FF1CE}"=Microsoft Office Access MUI (Russian) 2007
"{90120000-0016-0419-0000-0000000FF1CE}"=Microsoft Office Excel MUI (Russian) 2007
"{90120000-0018-0419-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (Russian) 2007
"{90120000-0019-0419-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (Russian) 2007
"{90120000-001A-0419-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (Russian) 2007
"{90120000-001B-0419-0000-0000000FF1CE}"=Microsoft Office Word MUI (Russian) 2007
"{90120000-001F-0407-0000-0000000FF1CE}"=Microsoft Office Proof (German) 2007
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0419-0000-0000000FF1CE}"=Microsoft Office Proof (Russian) 2007
"{90120000-001F-0422-0000-0000000FF1CE}"=Microsoft Office Proof (Ukrainian) 2007
"{90120000-002C-0419-0000-0000000FF1CE}"=Microsoft Office Proofing (Russian) 2007
"{90120000-0044-0419-0000-0000000FF1CE}"=Microsoft Office InfoPath MUI (Russian) 2007
"{90120000-006E-0419-0000-0000000FF1CE}"=Microsoft Office Shared MUI (Russian) 2007
"{A7894110-9C15-43EF-89E9-060363290188}"=Samsung PC Studio
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"{C4A4722E-79F9-417C-BD72-8D359A090C97}"=Samsung PC Studio
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}"=
"{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}"=Samsung PC Studio 3 USB Driver Installer
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}"=Realtek High Definition Audio Driver
"«Илья Муромец и Соловей-разбойник»_is1"=«Илья Муромец и Соловей-разбойник»
"102 Далматинца - Вокруг света"=102 Далматинца - Вокруг света
"avast!"=avast! Antivirus
"HijackThis"=HijackThis 2.0.2
"Indeo® software"=Indeo® software
"InstallShield_{4964CF58-9032-4BF0-96F8-B1ECFB238D9B}"=Barbie(tm) Салон красоты
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}"=QuickTime
"KLiteCodecPack_is1"=K-Lite Codec Pack 2.80 Full
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"NeroMultiInstaller!UninstallKey"=Nero Suite
"NVIDIA Drivers"=NVIDIA Drivers
"PPTP"=Розовая Пантера - Право на риск
"PROPLUS"=Microsoft Office Профессиональный плюс 2007
"SAMSUNG CDMA Modem"=SAMSUNG CDMA Modem Driver Set
"SAMSUNG Mobile USB Modem"=SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0"=SAMSUNG Mobile USB Modem 1.0 Software
"Stupid Invaders"=Stupid Invaders
"The Sims"=The Sims
"Vodafone 804SS USB driver"=Vodafone 804SS USB driver Software
"Губка Боб - Страсти-мордасти"=Губка Боб - Страсти-мордасти
"Отчаянные домохозяйки"=Отчаянные домохозяйки
"Рога и Копыта"=Рога и Копыта

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26.05.2008 7:07:12 | Computer Name = TYCOON-A36CE861 | Source = Application Hang | ID = 1002
Description = Зависшее приложение wmplayer.exe, версия 9.0.0.3250, зависший модуль
hungapp, версия 0.0.0.0, адрес 0x00000000.

Error - 05.06.2008 0:12:03 | Computer Name = TYCOON-A36CE861 | Source = Application Error | ID = 1000
Description = Ошибка приложения crimsonland.exe, версия 0.0.0.0, модуль , версия
0.0.0.0, адрес 0x00000000.

Error - 19.07.2008 10:56:33 | Computer Name = TYCOON-A36CE861 | Source = Application Error | ID = 1000
Description = Ошибка приложения wmplayer.exe, версия 9.0.0.3250, модуль ntdll.dll,
версия 5.1.2600.2180, адрес 0x00010f29.

Error - 24.07.2008 9:39:19 | Computer Name = TYCOON-A36CE861 | Source = SecurityCenter | ID = 1802
Description = Службе центра обеспечения безопасности Windows не удается установить
запросы событий с WMI для наблюдения за антивирусным средствам и брандмауэром посторонних
производителей.

Error - 30.09.2008 21:49:28 | Computer Name = TYCOON-A36CE861 | Source = SecurityCenter | ID = 1802
Description = Службе центра обеспечения безопасности Windows не удается установить
запросы событий с WMI для наблюдения за антивирусным средствам и брандмауэром посторонних
производителей.

Error - 08.10.2008 0:46:54 | Computer Name = TYCOON-A36CE861 | Source = Application Hang | ID = 1002
Description = Зависшее приложение run.exe, версия 0.0.0.0, зависший модуль hungapp,
версия 0.0.0.0, адрес 0x00000000.

Error - 08.10.2008 0:47:19 | Computer Name = TYCOON-A36CE861 | Source = Application Hang | ID = 1002
Description = Зависшее приложение run.exe, версия 0.0.0.0, зависший модуль hungapp,
версия 0.0.0.0, адрес 0x00000000.

Error - 08.10.2008 0:47:55 | Computer Name = TYCOON-A36CE861 | Source = Application Hang | ID = 1002
Description = Зависшее приложение run.exe, версия 0.0.0.0, зависший модуль hungapp,
версия 0.0.0.0, адрес 0x00000000.

Error - 08.10.2008 0:51:58 | Computer Name = TYCOON-A36CE861 | Source = Application Error | ID = 1000
Description = Ошибка приложения run.exe, версия 0.0.0.0, модуль run.exe, версия
0.0.0.0, адрес 0x00002d68.

Error - 08.10.2008 0:59:07 | Computer Name = TYCOON-A36CE861 | Source = Application Error | ID = 1000
Description = Ошибка приложения ts2bodyshop.exe, версия 1.0.0.999, модуль ts2bodyshop.exe,
версия 1.0.0.999, адрес 0x0000a313.

[ System Events ]
Error - 30.10.2008 17:07:46 | Computer Name = TYCOON-A36CE861 | Source = DCOM | ID = 10005
Description = Ошибка DCOM "%1084" при попытке запуска службы netman с аргументами
"" для запуска сервера: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 30.10.2008 18:07:51 | Computer Name = TYCOON-A36CE861 | Source = DCOM | ID = 10005
Description = Ошибка DCOM "%1084" при попытке запуска службы EventSystem с аргументами
"" для запуска сервера: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 30.10.2008 18:22:02 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 192.168.100.10 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 99.243.76.1 (DHCP-сервер отправил сообщение
DHCPNACK).

Error - 30.10.2008 20:31:57 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 99.243.92.136 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 0.0.0.0 (DHCP-сервер отправил сообщение DHCPNACK).

Error - 30.10.2008 20:32:34 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 192.168.100.10 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 99.243.76.1 (DHCP-сервер отправил сообщение
DHCPNACK).

Error - 30.10.2008 23:54:54 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 99.243.88.51 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 99.243.76.1 (DHCP-сервер отправил сообщение
DHCPNACK).

Error - 31.10.2008 0:48:11 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 99.243.92.191 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 0.0.0.0 (DHCP-сервер отправил сообщение DHCPNACK).

Error - 31.10.2008 0:48:42 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 192.168.100.10 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 99.243.76.1 (DHCP-сервер отправил сообщение
DHCPNACK).

Error - 31.10.2008 21:12:20 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 99.243.92.191 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 0.0.0.0 (DHCP-сервер отправил сообщение DHCPNACK).

Error - 31.10.2008 21:12:51 | Computer Name = TYCOON-A36CE861 | Source = Dhcp | ID = 1002
Description = Аренда IP-адреса 192.168.100.10 для сетевого адаптера с сетевым адресом
0019214F8E73 отклонена DHCP-сервером 99.243.76.1 (DHCP-сервер отправил сообщение
DHCPNACK).


< End of report >

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:47, on 01.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apeha.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 4619 bytes
 
Hi

I do not see anything that does not look OK

How is the computer running now?
 
Hi, peku006.

The computer is running fine, so if you say that it's clean then I'll hook it up to the rest of the network.
Thank you very much for your help. It was very professional, clear, and punctual. You are doing a great deed volunteering to help like this! :bigthumb:

If I may ask, which one AV software (preferably free) would you recommend? Currently, this computer is using Avast!
 
Hi guitar_xe

Great that your machine is running better now, the scans are fine and it looks like your machine is clean :)

Avast is good choice.......

Time for some housekeeping

Next we remove all used tools.

Delete RSIT from your desktop, also delete this folder C:\rsit.

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from tutorial above
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    • Update your AntiVirus Software and keep your other programs up-to-date
      Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
      You can use one of these sites to check if any updates are needed for your pc.
      Secunia Software Inspector
      F-secure Health Check
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

      Malwarebytes' Anti-Malware Setup Guide

      Malwarebytes' Anti-Malware Scanning Guide
    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
You must log in or register to reply here.
Back
Top