Browser hijack !



kutuputu
2007-02-25, 01:14
Hello to all, I'm new here, keep up the good work.

When I'm in Google or another search engine, clicking on a link redirects me to other sites, like:
Robogold.biz, aicse.com etc.

I ran a scan with AVG Antivirus: nothing. Scanned with spycounter: nothing. Spy Sweeper: nothing. Spybot detected a DNS change and fixed it, but it comes back. I also ran ATF Cleaner. I ran AVG Anti-Spyware, but it's a demo and won't clean anything, and also doesn't find anything.

What to do?

I ran HijackThis in Safe Mode, and AVG Antivirus; here is the HijackThis log after scanning with all the software:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:35, on 24/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - D:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe

Angelfire777
2007-02-25, 06:10
Hi, welcome to Safer Networking Forums!


I ran AVG Anti-Spyware, but it's a demo and won't clean anything, and also doesn't find anything.

Although AVG Antispyware is only a demo, it does clean for free for all the infected items it can find. The only downside of having a demo version is that after a few days, you will lose the realtime monitoring feature.

Next time, please post a HijackThis log taken from normal mode.
__________

*Did you install a program called WinPcap?

*I see you are running 2 antivirus applications at the same time. Please uninstall your other antivirus and only keep 1. Not only will two or more AVs slow down your PC's performance, but they reduce your overall system security at the same time. However, if you paid for those programs, I recommend that you disable one of them and only have one with realtime monitoring on. Use Add/Remove Programs in the Control Panel to uninstall the antivirus that you don't want to keep.


*We need to temporarily disable Spybot's TeaTimer, it may stop our fix.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

*You need to disable CounterSpy temporarily; it can stop our fix. Please re-enable it after your system is clean. To disable CounterSpy:

Right Click on the CounterSpy Icon located in your system tray.
With your mouse, hover over Active Protection Status (This should be enabled)
A menu will slide out, then right click on Disable Active Protection


*We need to temporarily disable Spyware Terminator, it can stop our fix.

Open Spyware Terminator then Click on the "Real-time Protection" tab, leave the "Use Real-time Protection" checkbox empty and click on the "Save Changes" button.

Exit Spyware Terminator.
____________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67


Did you use Spybot to add the following policies? If not, please fix them.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again. After your computer restarts, a notepad report will immediately open, please post all the contents of that report.

Finally, please post a fresh HijackThis log, along with the contents of the report.
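As an added illustration, not part of the thread and not a tool the helper used, here is a small Python checker that applies the same triage to a HijackThis log that the reply above does by hand: it collects every O17 NameServer entry that is not one of the resolvers the machine is expected to use, and flags O23 services with no recorded publisher or with a missing binary. The sample lines are copied from the log posted above; the expected-resolver pair is an assumption constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe
"""

# Resolvers this machine is expected to use. Assumption: a constructed ISP pair
# (TEST-NET addresses); in practice take them from the router or DHCP lease.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def rogue_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Return {(registry key, server)} for every O17 NameServer not in `expected`.

    HijackThis lists the same rogue pair once per control set (CCS, CS1, CS2)
    and once per interface GUID, which is why one infection produces several
    O17 lines; every key is reported so that all of them get fixed together.
    """
    rogue = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in m.group("servers").replace(",", " ").split():
            try:
                ip_address(server)
            except ValueError:
                rogue.add((m.group("key"), server))  # not even a valid address
                continue
            if server not in expected:
                rogue.add((m.group("key"), server))
    return rogue


def parse_o23(line):
    """Split 'O23 - Service: <name> - <owner> - <path>' into its three fields."""
    body = line[len("O23 - Service: "):]
    # rpartition keeps an image path containing " -d -f " style switches intact;
    # partition then separates name from signer. An empty signer appears as " - - ".
    head, _, path = body.rpartition(" - ")
    name, _, owner = head.partition(" - ")
    return name.rstrip(" -"), owner.strip(), path


def suspicious_services(log_text):
    """Return [(service name, [reasons])] for O23 entries worth a second look."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O23 - Service: "):
            continue
        name, owner, path = parse_o23(line)
        reasons = []
        if owner in ("", "Unknown owner"):
            reasons.append("no publisher recorded")
        if path.endswith("(file missing)"):
            reasons.append("service registered but binary missing")
        if ("\\windows\\system32\\" in path.lower()
                and owner in ("", "Unknown owner")
                and "windows" in name.lower()):
            reasons.append("generic Windows-sounding name without Microsoft as owner")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for key, server in sorted(rogue_nameservers(SAMPLE_LOG)):
        print(f"O17 rogue resolver {server} under {key}")
    for name, reasons in suspicious_services(SAMPLE_LOG):
        print(f"O23 {name}: {'; '.join(reasons)}")
```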

kutuputu
2007-02-25, 10:36
Thanks so much for your help!

I didn't install software called "WinPcap".
I disabled Spybot TeaTimer and Spyware Terminator, but a process still remains in memory called "sp_rsser.exe".
I disabled AV.

I did the scan and all the above in normal mode like you said. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:47, on 25/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\WINDOWS\System32\taskmgr.exe
D:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe



Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

Search by size and names...
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM

Misc files
Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Other suspects
Directory of D:\WINDOWS\system32
{7F962C6D-B350-443A-88EF-E2811E0605BB}.exe

THANKS AGAIN.

Angelfire777
2007-02-25, 10:48
Hi,

You ran an old version of Fixwareout. Can you please delete your current copy, then download a new one using one of the mirrors I posted, run it again and post the log.

kutuputu
2007-02-25, 11:23
Thanks for your help.


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
Prerun check
Service: "Windows Management Service" = D:\WINDOWS\System32\dmcpy.exe

System restarted

Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3C76E8DAEA75-65DA-2974-BCDA-0F5966EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}442585860F5C-B319-4454-7DF4-B5A30F5C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8FFB6638834D-E15A-A474-3AD8-2CCE4E4E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6E9EFD90C022-7D28-13E4-642D-DA7C82FB{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DDB0A98D82F3-6EEA-B364-D329-7E0C59BE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}596D4D27FB1A-5E9B-A614-99EC-1967C429{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0DA1E7E8392B-531B-79A4-028D-88918829{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ypcmd" Deleted
....
Misc files.
D:\WINDOWS\system32\{7F962C6D-B350-443A-88EF-E2811E0605BB}.exe Deleted
D:\WINDOWS\System32\kernel32.exe Deleted
....
Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

Other
D:\WINDOWS\Temp\dmcpy.ren 57873 08/28/2002



Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"THGuard"="\"D:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
End report
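The value names the report lists under `...\CurrentVersion\_r` are CLSIDs written backwards (`}3C76E8DAEA75-...{` is a `{...}` GUID reversed), which is the trait the tool keys on. As an added example, not part of the thread and not FixWareout's own code, here is a Python function that recovers the GUID from such a value name and confirms it is well-formed, run over a few lines constructed from the report above.

```python
import re

# Constructed sample: value names copied from the FixWareout report above,
# plus an ordinary Run entry so the filter has something to ignore.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3C76E8DAEA75-65DA-2974-BCDA-0F5966EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}442585860F5C-B319-4454-7DF4-B5A30F5C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ypcmd" Deleted
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"""

# Registry-style GUID: {8-4-4-4-12 hex digits}.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
# Every double-quoted token on a report line is a candidate value name.
VALUE_NAME_RE = re.compile(r'"([^"]+)"')


def unreverse_clsid(name):
    """Return the GUID hidden in a backwards value name, or None if it is not one.

    A reversed GUID starts with '}' and ends with '{'; reversing the whole
    string restores the braces and the 8-4-4-4-12 group layout at once, so a
    single regex match is enough to validate the result.
    """
    if not (name.startswith("}") and name.endswith("{")):
        return None
    candidate = name[::-1]
    return candidate.upper() if GUID_RE.match(candidate) else None


def reversed_clsid_values(report_text):
    """Return [(value name as logged, recovered GUID)] for each reversed CLSID."""
    found = []
    for line in report_text.splitlines():
        for name in VALUE_NAME_RE.findall(line):
            guid = unreverse_clsid(name)
            if guid:
                found.append((name, guid))
    return found


if __name__ == "__main__":
    for name, guid in reversed_clsid_values(SAMPLE_REPORT):
        print(f"{name} -> {guid}")
```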

Angelfire777
2007-02-25, 12:19
Please post a fresh HijackThis log :)

kutuputu
2007-02-25, 12:39
Here is the new log, in normal mode.

I also have a problem: when I'm on some secure sites and enter a username and password, I get a "page can't be displayed" error. Is this related to this malware problem?

Here is the log :

Logfile of HijackThis v1.99.1
Scan saved at 13:35:50, on 25/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\WINDOWS\system32\spoolsv.exe
D:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

Angelfire777
2007-02-26, 12:23
I also have a problem: when I'm on some secure sites and enter a username and password, I get a "page can't be displayed" error. Is this related to this malware problem?

No, it is not, but it is possible that there are other infections present in your machine.
__________________

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

WinPcap

Reboot.
__________________

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
__________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
__________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


*Using Windows Explorer, find and delete these files:

D:\WINDOWS\Temp\dmcpy.ren

*Delete the following folder:

C:\Program Files\WinPcap

Empty your Recycle bin.
___________________

*Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.

Download ComboScan (http://www.techsupportforum.com/sectools/Deckard/comboscan.exe) to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

On your next reply, please include a fresh HijackThis log, AVG antispyware log and the contents of comboscan.txt and supplementary.txt

kutuputu
2007-02-27, 10:17
Hello, and thank you again for your support.

The logs are too long, so I posted them in 3 threads.

Some notes:

I can't change the state of Resident shield to inactive: "demo version", I guess I used Ewido for 30 days.

I can't update, so I downloaded the full database manually, but when I run it in Safe Mode the "Last update" line says never.

The service in the HijackThis O23 line, "rpcapd", keeps showing; it is not erased.

I still didn't re-enable Spyware Terminator and TeaTimer; they are still disabled.

Here are the logs for HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:53, on 27/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\NOTEPAD.EXE
D:\WINDOWS\NOTEPAD.EXE
d:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

kutuputu
2007-02-27, 10:21
Here is the log for AVG Anti-Spyware and the supplementary log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:45:09 27/02/2007

+ Scan result:

Here is the supplementary log:

ComboScan v20070221.16 run by s on 2007-02-27 at 10:56:51
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------

-- System Information -----------------------------------------------------
Unable to create WMI object; error code: 0x8007042C

-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\s\Application Data
CLASSPATH=D:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=S-V72WZ5LUCG5KB
ComSpec=D:\WINDOWS\system32\cmd.exe
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\s
LOGONSERVER=\\S-V72WZ5LUCG5KB
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\PROGRA~1\Multi;D:\Program Files\Common Files\Ulead Systems\MPEG;D:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\;D:\Program Files\Microsoft SQL Server\80\Tools\Binn\;;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;D:\Program Files\Pinnacle\Shared Files;D:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=D:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\s\LOCALS~1\Temp
TMP=D:\DOCUME~1\s\LOCALS~1\Temp
USERDOMAIN=S-V72WZ5LUCG5KB
USERNAME=s
USERPROFILE=D:\Documents and Settings\s
windir=D:\WINDOWS


-- User Profiles ----------------------------------------------------------------

s (admin)
Administrator.S-V72WZ5LUCG5KB (admin)

-- Add/Remove Programs --------------------------------------------------
--> "D:\Program Files\Creative\CTSetup\CTSetup.exe"
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6504C153-A24C-4C10-A5B6-FE5CEF9141D9}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
עסקית --> D:\WINDOWS\iun6002.exe "D:\Program Files\iskit\irunin.ini"
Acoustica Mixcraft --> D:\PROGRA~1\Acoustica Mixcraft\UNWISE.EXE D:\PROGRA~1\Acoustica Mixcraft\INSTALL.LOG
Adobe GoLive CS2 English --> msiexec /i {46548E80-0409-0000-7E8A-45000F855001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> D:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fD:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AnalogX SayIt --> D:\Program Files\AnalogX\SayIt\sayitu.exe
Arcade Balls v1.21 --> "D:\Program Files\Arcade Balls\unins000.exe"
Arcade! Classic Arcade Pack 5.0 --> D:\Program Files\Arcade!\uninst.exe
ArcSoft PhotoImpression --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E142615E-5ED8-4511-9BF0-0284BFA25766}\Setup.exe" -l0x9 -uninst
ArcSoft VideoImpression 1.6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ED10343F-D30A-4200-9B00-665FC45F52B4}\Setup.exe" -l0x9 -uninst
Art Plus Download Assistant --> "D:\Program Files\Common Files\Art Plus Uninstall\apuinst3.exe" "D:\Program Files\Common Files\Art Plus Uninstall\APDlAssist.ui3"
Audacity 1.3.2 (Unicode) --> "D:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
AVG 7.5 --> D:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BaktiNet v1.0c --> D:\PROGRA~1\BaktiNet\UNWISE.EXE D:\PROGRA~1\BaktiNet\INSTALL.LOG
Broderbund Media Manager --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{26346FB6-4F69-453D-95CE-B6BA3A5382F8}\setup.exe" -l0x9 AddRem
BSPlayer --> "c:\Program Files\Webteh\BSplayer\uninstall.exe"
CamStudio --> D:\Program Files\CamStudio\uninstall.exe
Canon Camera Support Core Library --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon Internet Library for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A}
Canon MovieEdit Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1 --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "D:\Program Files\CCleaner\uninst.exe"
Chronotron Plug-in for Winamp/WMP 9 (remove only) --> "D:\Program Files\Chronotron Inc\Chronotron\uninst-chronotron.exe"
CIF USB CAMERA --> D:\WINDOWS\CleanDev.exe D:\WINDOWS\DC3110.txt
Corel Painter Essentials 3 --> MsiExec.exe /I{0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
Cubemaster Gold v4.3 --> D:\WINDOWS\iun6002.exe "D:\Program Files\Cubemaster Gold\irunin.ini"
Decks v1.20 --> c:\decks\Uninstal.exe
DeepBurner v1.8.0.224 --> "D:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "D:\Program Files\Astonsoft\DeepBurner\install.log"
DiamondCS APM --> d:\APM\uninstal.exe
Direct Show Ogg Vorbis Filter (remove only) --> "D:\WINDOWS\System32\OggDSuninst.exe"
DVD Photo Slideshow Pro 7.50 --> D:\Program Files\DVD Photo Slideshow Professional\uninst.exe
EasyCleaner --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
ExtractNow --> "c:\Program Files\ExtractNow\unins000.exe"
Faber Toys --> "D:\Program Files\Faber Toys\unins000.exe"
Fatman Adventures --> "D:\Program Files\Another Day\Fatman Adventures\unins000.exe"
Flash Saving Plugin --> "D:\Program Files\UnH Solutions\Flash Saving Plugin\unins000.exe"
FlaX --> D:\Program Files\Goldshell\fxuninst.exe
Free History Eraser --> "D:\Program Files\Free History Eraser\unins000.exe"
HijackThis 1.99.1 --> D:\HijackThis.exe /uninstall
Hypersonic 1.1.1 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\HYPERS~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\HYPERS~1\INSTALL.LOG
IconPackager --> D:\PROGRA~1\Stardock\Object Desktop\IconPackager\iconpackager.exe /uninstallwise
ICQ 5.1 --> c:\Program Files\ICQLite\ICQLiteUninstall.EXE
ICQ Toolbar --> regsvr32 /u /s "C:\program files\ICQToolbar\toolbaru.dll"
InstallRTC --> MsiExec.exe /X{200F584F-848D-4B6B-B1A1-C74D735F18A4}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
JavaScript Utility Suite v1.0 --> "D:\Program Files\JavaScript Utility Suite\unins000.exe"
jetAudio Basic --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
JetPhoto Studio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{228D34A5-D186-495E-9DED-70A6CAB68B02}\setup.exe" -l0x9 -removeonly
jv16 PowerTools 1.4.1 --> "D:\Program Files\jv16 PowerTools\unins000.exe"
K-Lite Mega Codec Pack 1.37 --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
Kerio Personal Firewall 2.1.4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{51C8741C-4A91-42A6-B6A2-CB891F7398A1}\Setup.exe" -removeall
Lexmark X1100 Series --> D:\WINDOWS\System32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
LimeWire 4.12.6 --> "D:\Program Files\LimeWire\uninstall.exe"
Live 6.0.3 --> D:\PROGRA~1\Ableton\Live 6.0.3\Install\UNWISE.EXE D:\PROGRA~1\Ableton\Live 6.0.3\Install\INSTALL.LOG
LQfix 2.1 --> "D:\WINDOWS\LQfix\unins000.exe"
Macromedia Director MX 2004 --> D:\PROGRA~1\Macromedia\Director MX 2004\UNWISE.EXE D:\PROGRA~1\Macromedia\Director MX 2004\install.log
Macromedia Dreamweaver MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX 2004 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> D:\WINDOWS\System32\Macromed\Flash\UninstFl.exe
Mario Forever v 2.16 ! --> C:\Buziol Games\Mario Forever\UnMario.exe
Microsoft Office 2000 Professional --> MsiExec.exe /I{000104E7-78E1-11D2-B60F-006097C998E7}
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{9084040D-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{9011040D-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{9085040D-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection D:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Midnite Motel 1.0 --> "D:\Program Files\MidniteMotel\unins000.exe"
Movie Maker Background Music Files --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
Mp3divider v0.9.1.8 --> "D:\Program Files\Mp3divider\uninstall.exe"
MSN Messenger 7.5 --> MsiExec.exe /I{DBB48ED2-03EC-11DA-BFBD-00065BBDC0B5}
Natto-Cat --> MsiExec.exe /I{21A99D22-12D2-4F03-B97E-8BD2C9891F61}
Network Password Recovery --> D:\WINDOWS\zipinst.exe /uninst "D:\Program Files\Network Password Recovery\uninst1~.nsu"
Outlook Express Q823353 --> D:\WINDOWS\oeuninst.exe D:\WINDOWS\INF\Q823353.inf
Oversight System Sentinel Demo --> MsiExec.exe /I{18BDFC02-DFB5-4E2A-B99B-80F94D2A2E21}
PACE System Files --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{28F58CDE-6241-4B11-8232-6A5D4FB06E8B}\Setup.exe" -l0x9 FromUninstall
Pacmania 3 --> c:\Program Files\Alawar\Pacmania 3\uninstal.exe
PC Camera (6009 CIF) --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5B3028F-6845-48A6-A46E-77A716B57537}\Setup.exe" -l0x9
PhotoFiltre --> "D:\Program Files\PhotoFiltre\Uninst.exe"
PictureViewer .EXE 1.1.0.227 --> "D:\Program Files\PictureViewer .EXE\unins000.exe"
Polyphonic Wizard v4 --> D:\PROGRA~1\Coding Workshop Polyphonic Wizard\UNWISE.EXE D:\PROGRA~1\Coding Workshop Polyphonic Wizard\INSTALL.LOG
QuickTime --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\Intel 32\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RegAlyzer 1.4 --> "D:\Program Files\Safer Networking\RegAlyzer\unins000.exe"
Riva FLV Encoder 2.0 --> "D:\Program Files\Riva\Riva FLV Encoder 2.0\unins000.exe"
Save Flash 3.0 --> D:\Program Files\Save Flash\uninst.exe
Security Task Manager 1.6e --> D:\Program Files\Security Task Manager\Uninstal.exe "D:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Serif PhotoPlus 6.0 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
Shockwave --> D:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE D:\WINDOWS\system32\Macromed\Shockwave 8\Install.log
Smart Link 56K Voice Modem --> D:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
Snood for Windows version 3.52-W --> "D:\Program Files\Snood\unins000.exe"
Sony ACID XPress 5.0a --> MsiExec.exe /X{12F4BE69-6614-41D3-BB3B-DF7F921DF2BB}
Sothink SWF Decompiler --> "D:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
Sound Blaster PCI128 Drivers --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{509291FD-CFC8-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9 /remove
Sports Car GT Demo --> D:\PROGRA~1\Electronic Arts\Sports Car GT Demo\UNWISE.EXE D:\PROGRA~1\Electronic Arts\Sports Car GT Demo\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator --> "D:\Program Files\Spyware Terminator\unins000.exe"
SpywareBlaster v3.5.1 --> "D:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWF To Image --> "D:\Program Files\SWF To Image\unins000.exe"
SWiSHmax --> D:\WINDOWS\unvise32.exe D:\Program Files\SWiSHmax\uninstal.log
Switch Uninstall --> D:\Program Files\NCH Swift Sound\Switch\uninst.exe
Tenant --> D:\WINDOWS\uninst.exe -f"D:\Program Files\Tenant\Tenant\DeIsL1.isu" -c"D:\Program Files\Tenant\Tenant\_ISREG32.DLL"
Terragen --> MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
The Print Shop --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}\setup.exe" -l0x9 anything
TightVNC 1.2.9 --> "D:\Program Files\TightVNC\unins000.exe"
Total Recorder 6.0 --> "D:\Program Files\HighCriteria\TotalRecorder\setup.exe" U
Total Sokoban --> "C:\Program Files\SuperSoft\Total Sokoban\uninstall.exe"
Transcribe! 7.40 --> "D:\Program Files\Transcribe!\unins000.exe"
TrojanHunter 4.6 --> "D:\Program Files\TrojanHunter 4.6\unins000.exe"
TweakNow RegCleaner --> "D:\Program Files\TweakNow RegCleaner\unins000.exe"
UnderCoverXP 1.10 --> "D:\Program Files\UnderCoverXP\unins000.exe"
Vertrix 2 --> D:\Program Files\Vertrix 2\SXUNINST.EXE
Virtual DJ - Atomix Productions --> D:\PROGRA~1\VirtualDJ\UNWISE.EXE D:\PROGRA~1\VirtualDJ\INSTALL.LOG
Vmule Kazaa Lite --> MsiExec.exe /I{7AD5B901-00B5-4518-8A97-77720FA7B780}
VNC Free Edition 4.1.2 --> "D:\Program Files\RealVNC\VNC4\unins000.exe"
WavePad Uninstall --> D:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Registry Guide 2003 --> "D:\Program Files\WinGuides\unins000.exe"
Windows XP Creativity Fun Packs - Windows Movie Maker 2 --> MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
Windows XP Winter Fun Pack for Windows Movie Maker 2 --> MsiExec.exe /I{FFC5C6DA-6BC0-47C1-9EC0-8E1A1294E4F7}
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
WinUHA 2.0 RC1 (2005.02.27) --> "D:\Program Files\WinUHA\unins000.exe"
Xara Webstyle 4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E7C036E2-C7E4-4964-9BDA-81973341930E}\setup.exe" -l0x9
Xara3D6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B3783869-5D14-4838-A042-910DF816D070}\setup.exe" -l0x9


-- End of ComboScan: finished at 2007-02-27 at 11:01:48 -------------------------

kutuputu
2007-02-27, 10:28
Part 1:

ComboScan v20070221.16 run by s on 2007-02-27 at 10:56:51
Computer is in Normal Mode.
--------------------------------------------------------------------------

Unable to create System Restore WMI object; error code: 0x8007042C
Performed disk cleanup.


-- HijackThis (run as s.exe) ----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:00:53, on 27/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
d:\comboscan.exe
D:\s.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

kutuputu
2007-02-27, 10:30
Part 2:

-- HijackThis Fixed Entries (D:\\backups\) --------------------------------------

backup-20050426-055602-307 R3 - Default URLSearchHook is missing
backup-20050426-055602-843 O2 - BHO: (no name) - {FBE3AE8E-846C-3C23-32A7-FA6D9D56AC87} - D:\WINDOWS\atlzw.dll
backup-20050426-235007-993 O4 - HKCU\..\RunOnce: [Winsock2 driver] MMNGR32.EXE
backup-20050430-053928-870 O23 - Service: Port Reporter (PortReporter) - Unknown owner - D:\Program Files\PortReporter\portreporter.exe
backup-20050430-053928-937 O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
backup-20050430-135256-712 R3 - Default URLSearchHook is missing
backup-20050430-135256-737 O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - D:\PROGRA~1\Virtual Maid\Virtual Maid.dll
backup-20050430-135256-957 O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
backup-20050430-142724-165 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
backup-20050430-142724-176 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-200 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-232 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-258 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
backup-20050430-142724-350 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
backup-20050430-142724-463 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-474 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
backup-20050430-142724-581 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-709 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-716 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
backup-20050430-142724-749 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
backup-20050430-142724-802 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-848 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
backup-20050430-142724-955 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
backup-20050430-144748-943 O23 - Service: Port Reporter (PortReporter) - Unknown owner - D:\Program Files\PortReporter\portreporter.exe
backup-20050502-114136-161 O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
backup-20050502-114136-167 O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE
backup-20050502-114136-300 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http:///
backup-20050502-114136-345 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
backup-20050502-114136-445 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
backup-20050502-114136-498 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20050502-114136-554 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\nntco.dll/sp.html#37049
backup-20050502-114136-565 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
backup-20050502-114136-740 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
backup-20050502-114136-915 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108834461855
backup-20050502-114137-696 O23 - Service: Port Reporter (PortReporter) - Unknown owner - D:\Program Files\PortReporter\portreporter.exe (file missing)
backup-20050504-015957-119 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.down.co.il
backup-20050504-044237-266 O4 - HKLM\..\Run: [WinampAgent] c:\1\Winamp\winampa.exe
backup-20050504-044237-636 O4 - HKLM\..\Run: [Startup Manager Scanner] D:\Program Files\Startup Mechanic\StartupMonitor.exe
backup-20060204-193041-229 O23 - Service: Win32Sr - Unknown owner - D:\WINDOWS\win32ssr.exe
backup-20060623-021853-436 O4 - HKLM\..\Run: [hgqhp.exe] D:\WINDOWS\System32\hgqhp.exe
backup-20060623-021853-851 O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
backup-20060623-021924-231 O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
backup-20060716-004503-204 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20060716-004503-460 O4 - HKLM\..\Run: [gquzg.exe] D:\WINDOWS\System32\gquzg.exe
backup-20060716-004503-681 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20060716-004503-856 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
backup-20060716-004504-109 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-115 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-158 O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-248 O17 - HKLM\System\CCS\Services\Tcpip\..\{EB2E38DA-03EF-409E-B6B8-DD59370A1351}: NameServer = 85.255.115.52,85.255.112.85
backup-20060716-004504-269 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20060716-004504-447 O17 - HKLM\System\CCS\Services\Tcpip\..\{FACDDB33-645D-4D8B-B2BD-287103037707}: NameServer = 85.255.115.52,85.255.112.85
backup-20060716-004504-532 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-981 O17 - HKLM\System\CCS\Services\Tcpip\..\{745AF652-3421-41D0-8696-D9D11E1642C4}: NameServer = 85.255.115.52,85.255.112.85
backup-20061121-082814-195 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.not.co.il/%s
backup-20061129-043214-271 O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
backup-20070220-125936-274 O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe
backup-20070220-130000-810 O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\System32\PSIService.exe
backup-20070220-150955-414 O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe
backup-20070220-150955-634 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20070223-193608-829 O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
backup-20070223-193609-284 O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Goop2/launcher.cab
backup-20070223-193610-307 O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.photo-kahana.co.il/XUpload.ocx
backup-20070223-193610-899 O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
backup-20070223-193611-475 O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
backup-20070223-193611-698 O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20070223-193611-701 O17 - HKLM\System\CCS\Services\Tcpip\..\{745AF652-3421-41D0-8696-D9D11E1642C4}: NameServer = 85.255.115.58,85.255.112.67
backup-20070223-193611-968 O17 - HKLM\System\CCS\Services\Tcpip\..\{EB2E38DA-03EF-409E-B6B8-DD59370A1351}: NameServer = 85.255.115.58,85.255.112.67
backup-20070223-212959-545 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070223-212959-586 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070225-111124-334 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070225-111124-654 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070225-111124-671 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070225-111124-863 O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
backup-20070225-111125-134 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
backup-20070225-111125-141 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
backup-20070225-111125-298 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20070225-111125-358 O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
backup-20070225-111125-561 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
backup-20070225-111125-600 O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
backup-20070225-111125-821 O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
backup-20070226-232713-399 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20070226-235909-403 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

kutuputu
2007-02-27, 10:31
Part 3:
-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "D:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 3dfxvs - System32\DRIVERS\3dfxvsm.sys (not found)
1 ASPI32 - System32\drivers\aspi32.sys (not found)
1 AVG Anti-Spyware Driver - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 Avg7Core (AVG7 Kernel) - D:\WINDOWS\system32\drivers\avg7core.sys
1 Avg7RsW (AVG7 Wrap Driver) - D:\WINDOWS\system32\drivers\avg7rsw.sys
1 Avg7RsXP (AVG7 Resident Driver XP) - D:\WINDOWS\system32\drivers\avg7rsxp.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys (not found)
1 AvgClean (AVG7 Clean Driver) - D:\WINDOWS\system32\drivers\avgclean.sys
2 AvgTdi (AVG Network Redirector) - D:\WINDOWS\system32\drivers\avgtdi.sys
3 basic2 - System32\DRIVERS\HSF_BSC2.sys (not found)
3 CCDECODE (Closed Caption Decoder) - System32\DRIVERS\CCDECODE.sys (not found)
3 CIF USB CAMERA Service (CIF USB CAMERA) - System32\DRIVERS\pfc027.sys (not found)
3 EverestDriver (Lavalys EVEREST Kernel Driver) - C:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt
2 Fallback - System32\DRIVERS\HSF_FALL.sys (not found)
2 Fsks - System32\DRIVERS\HSF_FSKS.sys (not found)
1 fwdrv (Kerio Personal Firewall Driver) - system32\Drivers\fwdrv.sys (not found)
2 GYNOQKJX - D:\WINDOWS\System32\gynoqkjx.isf (not found)
3 hsf_msft - System32\DRIVERS\HSF_MSFT.sys (not found)
2 IYMMHNPO - D:\WINDOWS\System32\iymmhnpo.xhy (not found)
2 K56 - System32\DRIVERS\HSF_K56K.sys (not found)
3 LVCap138 (LifeView LR138 Capture Driver) - System32\DRIVERS\lvcap138.sys (not found)
3 lvtuner (LifeView WDM TV Tuner) - System32\DRIVERS\lvtuner.sys (not found)
3 LVUSBSta (Logitech USB Monitor Filter) - System32\DRIVERS\LVUSBSta.sys (not found)
3 MarvinBus (Pinnacle Marvin Bus) - System32\DRIVERS\MarvinBus.sys (not found)
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys (not found)
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys (not found)
3 Mtlmnt5 - System32\DRIVERS\SLDRV\Mtlmnt5.sys (not found)
3 Mtlstrm - System32\DRIVERS\SLDRV\Mtlstrm.sys (not found)
3 NABTSFEC (NABTS/FEC VBI Codec) - System32\DRIVERS\NABTSFEC.sys (not found)
3 NdisIP (Microsoft TV/Video Connection) - System32\DRIVERS\NdisIP.sys (not found)
3 nm (Network Monitor Driver) - System32\DRIVERS\NMnt.sys (not found)
3 NPF (NetGroup Packet Filter Driver) - system32\drivers\npf.sys (not found)
3 NtApm (NT Apm/Legacy Interface Driver) - System32\DRIVERS\NtApm.sys (not found)
1 PCLEPCI - D:\WINDOWS\system32\drivers\Pclepci.sys
2 PfModNT - D:\WINDOWS\system32\PFMODNT.SYS
3 PID_0928 (Logitech QuickCam Express(PID_0928)) - System32\DRIVERS\LV561AV.SYS (not found)
0 PxHelp20 - System32\DRIVERS\PxHelp20.sys (not found)
0 RecAgent - System32\DRIVERS\SLDRV\RecAgent.sys (not found)
3 Rksample - System32\DRIVERS\HSF_SAMP.sys (not found)
3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - System32\DRIVERS\RTL8139.SYS (not found)
1 SASDIFSV - D:\Program Files\SUPERAntiSpyware\sasdifsv.sys
3 SASENUM - D:\Program Files\SUPERAntiSpyware\SASENUM.SYS
1 SASKUTIL - D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
3 sbpci (SB PCI Family Audio Driver (WDM)) - system32\drivers\sbpci.sys (not found)
3 SLIP (BDA Slip De-Framer) - System32\DRIVERS\SLIP.sys (not found)
3 Slntamr (SmartLink AMR_PCI Driver) - System32\DRIVERS\SLDRV\slntamr.sys (not found)
3 SlNtHal - System32\DRIVERS\SLDRV\Slnthal.sys (not found)
3 SlWdmSup - System32\DRIVERS\SLDRV\SlWdmSup.sys (not found)
3 SNCP106 (PC Camera (6009 CIF)) - System32\DRIVERS\sncp106.sys (not found)
2 SoftFax - System32\DRIVERS\HSF_FAXX.sys (not found)
1 sp_rsdrv2 (Spyware Terminator Driver 2) - D:\WINDOWS\system32\drivers\sp_rsdrv2.sys
3 streamip (BDA IPSink) - System32\DRIVERS\StreamIP.sys (not found)
2 SVKP - D:\WINDOWS\system32\SVKP.sys
3 SYMIDSCO - D:\PROGRA~1\COMMON~1\Symantec Shared\SymcData\ids-diskless\20060710.095\symidsco.sys (not found)
3 tj2knd5 (Terayon Cable Modem (NDIS)) - System32\DRIVERS\tj2knd5.sys (not found)
3 tj2kunic (Terayon Cable Modem (WDM)) - System32\DRIVERS\tj2kunic.sys (not found)
2 Tones - System32\DRIVERS\HSF_TONE.sys (not found)
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys (not found)
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys (not found)
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys (not found)
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS (not found)
2 V124 - System32\DRIVERS\HSF_V124.sys (not found)
0 viaagp (VIA AGP Bus Filter) - System32\DRIVERS\viaagp.sys (not found)
4 Voodoo3 - System32\DRIVERS\Voodoo3.sys (not found)
4 WS2IFSL (סביבת תמיכה של ספק שירות Windows Socket 2.0 Non-IFS) - D:\WINDOWS\system32\drivers\ws2ifsl.sys
3 WSTCODEC (World Standard Teletext Codec) - System32\DRIVERS\WSTCODEC.SYS (not found)
2 WXEINNFJ - D:\WINDOWS\System32\wxeinnfj.who (not found)

kutuputu
2007-02-27, 10:36
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4 Adobe LM Service - "D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
4 Alerter - %SystemRoot%\System32\svchost.exe -k LocalService
3 ALG (Application Layer Gateway Service) - %SystemRoot%\System32\alg.exe
3 AppMgmt (Application Management) - %SystemRoot%\system32\svchost.exe -k netsvcs
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2 AudioSrv (Windows Audio) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 AVG Anti-Spyware Guard - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 Avg7Alrt (AVG7 Alert Manager Server) - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2 Avg7UpdSvc (AVG7 Update Service) - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2 AVGEMS (AVG E-mail Scanner) - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
4 BITS (Background Intelligent Transfer Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 Browser (Computer Browser) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 CiSvc (Indexing Service) - %SystemRoot%\system32\cisvc.exe
3 ClipSrv (ClipBook) - %SystemRoot%\system32\clipsrv.exe
3 COMSysApp (COM+ System Application) - D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2 CryptSvc (Cryptographic Services) - %SystemRoot%\system32\svchost.exe -k netsvcs
2 Dhcp (DHCP Client) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 dmadmin (Logical Disk Manager Administrative Service) - %SystemRoot%\System32\dmadmin.exe /com
2 dmserver (Logical Disk Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 Dnscache (DNS Client) - %SystemRoot%\System32\svchost.exe -k NetworkService
4 ERSvc (Error Reporting Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 Eventlog (Event Log) - %SystemRoot%\system32\services.exe
4 EventSystem (COM+ Event System) - D:\WINDOWS\System32\svchost.exe -k netsvcs
3 FastUserSwitchingCompatibility (Fast User Switching Compatibility) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 helpsvc (Help and Support) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 HidServ (Human Interface Device Access) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 IDriverT (InstallDriver Table Manager) - "D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3 ImapiService (IMAPI CD-Burning COM Service) - D:\WINDOWS\System32\imapi.exe
2 lanmanworkstation (Workstation) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 LexBceS (LexBce Server) - D:\WINDOWS\system32\LEXBCES.EXE
2 LmHosts (TCP/IP NetBIOS Helper) - %SystemRoot%\System32\svchost.exe -k LocalService
3 Macromedia Licensing Service - "D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
4 MDM (Machine Debug Manager) - "D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
4 Messenger - %SystemRoot%\System32\svchost.exe -k netsvcs
4 mnmsrvc (NetMeeting Remote Desktop Sharing) - D:\WINDOWS\System32\mnmsrvc.exe
3 MSDTC (Distributed Transaction Coordinator) - D:\WINDOWS\System32\msdtc.exe
3 MSIServer (Windows Installer) - D:\WINDOWS\System32\msiexec.exe /V
3 NetDDE (Network DDE) - %SystemRoot%\system32\netdde.exe
3 NetDDEdsdm (Network DDE DSDM) - %SystemRoot%\system32\netdde.exe
3 Netlogon (Net Logon) - %SystemRoot%\System32\lsass.exe
3 Netman (Network Connections) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 Nla (Network Location Awareness (NLA)) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 NtLmSsp (NT LM Security Support Provider) - %SystemRoot%\System32\lsass.exe
3 NtmsSvc (Removable Storage) - %SystemRoot%\system32\svchost.exe -k netsvcs
3 ose (Office Source Engine) - D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2 PersFw (Kerio Personal Firewall) - D:\Program Files\Kerio\Personal Firewall\persfw.exe
2 PlugPlay (Plug and Play) - %SystemRoot%\system32\services.exe
2 PolicyAgent (IPSEC Services) - %SystemRoot%\System32\lsass.exe
2 ProtectedStorage (Protected Storage) - %SystemRoot%\system32\lsass.exe
4 ProtexisLicensing - D:\WINDOWS\System32\PSIService.exe
3 RasAuto (Remote Access Auto Connection Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 RasMan (Remote Access Connection Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 RDSessMgr (Remote Desktop Help Session Manager) - D:\WINDOWS\system32\sessmgr.exe
4 RemoteAccess (Routing and Remote Access) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 RemoteRegistry (Remote Registry) - %SystemRoot%\system32\svchost.exe -k LocalService
3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"
3 RpcLocator (Remote Procedure Call (RPC) Locator) - %SystemRoot%\System32\locator.exe
2 RpcSs (Remote Procedure Call (RPC)) - %SystemRoot%\system32\svchost -k rpcss
3 RSVP (QoS RSVP) - %SystemRoot%\System32\rsvp.exe
2 SamSs (Security Accounts Manager) - %SystemRoot%\system32\lsass.exe
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
3 SCardSvr (Smart Card) - %SystemRoot%\System32\SCardSvr.exe
4 Schedule (Task Scheduler) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 seclogon (Secondary Logon) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 SENS (System Event Notification) - %SystemRoot%\system32\svchost.exe -k netsvcs
4 SharedAccess (Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 ShellHWDetection (Shell Hardware Detection) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 SLService (SmartLinkService) - slmdmsr.exe
2 Spooler (Print Spooler) - %SystemRoot%\system32\spoolsv.exe
2 sp_rssrv (Spyware Terminator Realtime Shield Service) - D:\Program Files\Spyware Terminator\sp_rsser.exe
4 srservice (System Restore Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 SSDPSRV (SSDP Discovery Service) - %SystemRoot%\System32\svchost.exe -k LocalService
2 stisvc (Windows Image Acquisition (WIA)) - %SystemRoot%\System32\svchost.exe -k imgsvc
3 SwPrv (MS Software Shadow Copy Provider) - D:\WINDOWS\System32\dllhost.exe /Processid:{EFB03FCD-4298-45F4-A28F-EB6FA262C95A}
3 SysmonLog (Performance Logs and Alerts) - %SystemRoot%\system32\smlogsvc.exe
3 TapiSrv (Telephony) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 TermService (Terminal Services) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 Themes - %SystemRoot%\System32\svchost.exe -k netsvcs
4 TlntSvr (Telnet) - D:\WINDOWS\System32\tlntsvr.exe
4 TrkWks (Distributed Link Tracking Client) - %SystemRoot%\system32\svchost.exe -k netsvcs
2 UMWdf (Windows User Mode Driver Framework) - D:\WINDOWS\System32\wdfmgr.exe
4 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 upnphost (Universal Plug and Play Device Host) - %SystemRoot%\System32\svchost.exe -k LocalService
3 UPS (Uninterruptible Power Supply) - %SystemRoot%\System32\ups.exe
3 VSS (Volume Shadow Copy) - %SystemRoot%\System32\vssvc.exe
4 W32Time (Windows Time) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 WebClient - %SystemRoot%\System32\svchost.exe -k LocalService
2 winmgmt (Windows Management Instrumentation) - %systemroot%\system32\svchost.exe -k netsvcs
4 WmdmPmSN (Portable Media Serial Number Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 Wmi (Windows Management Instrumentation Driver Extensions) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 WmiApSrv (WMI Performance Adapter) - D:\WINDOWS\System32\wbem\wmiapsrv.exe
4 wuauserv (Automatic Updates) - %systemroot%\system32\svchost.exe -k netsvcs
4 WZCSVC (Wireless Zero Configuration) - %SystemRoot%\System32\svchost.exe -k netsvcs

kutuputu
2007-02-27, 10:37
-- Files created between 2007-01-27 and 2007-02-27 ------------------------------

2007-02-27 11:00:25 218112 --a------ D:\s.exe
2007-02-26 23:52:14 3968 --a------ D:\WINDOWS\System32\drivers\AvgAsCln.sys
2007-02-26 23:47:58 8491297 --a------ D:\avgas-signatures-full-current.exe
2007-02-26 23:39:07 229251 --a------ D:\avgas-signatures-current.exe
2007-02-26 21:20:47 452280 --a------ D:\comboscan.exe
2007-02-25 13:10:14 311296 --a------ D:\WINDOWS\System32\cdintf.dll
2007-02-25 13:10:06 212480 -----n--- D:\WINDOWS\System32\PCDLIB32.DLL
2007-02-25 13:10:06 855552 --a------ D:\WINDOWS\System32\Ltwvc12n.dll
2007-02-25 13:10:06 35328 --a------ D:\WINDOWS\System32\lttwn12n.dll
2007-02-25 13:10:06 388608 --a------ D:\WINDOWS\System32\ltkrn12n.dll
2007-02-25 13:10:06 165888 --a------ D:\WINDOWS\System32\ltimg12n.dll
2007-02-25 13:10:06 149504 --a------ D:\WINDOWS\System32\Lfpng12n.dll
2007-02-25 13:10:06 26624 --a------ D:\WINDOWS\System32\lfpcx12n.dll
2007-02-25 13:10:06 36352 --a------ D:\WINDOWS\System32\lfgif12n.dll
2007-02-25 13:10:05 130048 --a------ D:\WINDOWS\System32\ltfil12n.DLL
2007-02-25 13:10:05 207872 --a------ D:\WINDOWS\System32\ltefx12n.dll
2007-02-25 13:10:05 258560 --a------ D:\WINDOWS\System32\LTDIS12n.dll
2007-02-25 13:10:05 49664 --a------ D:\WINDOWS\System32\Lfwmf12n.dll
2007-02-25 13:10:05 141824 --a------ D:\WINDOWS\System32\lftif12n.dll
2007-02-25 13:10:05 20992 --a------ D:\WINDOWS\System32\lftga12n.dll
2007-02-25 13:10:05 36864 --a------ D:\WINDOWS\System32\lfpsd12n.dll
2007-02-25 13:10:05 19968 --a------ D:\WINDOWS\System32\lfpcd12n.dll
2007-02-25 13:10:05 19968 --a------ D:\WINDOWS\System32\lfitg12n.dll
2007-02-25 13:10:05 38912 --a------ D:\WINDOWS\System32\lfflc12n.dll
2007-02-25 13:10:05 341504 --a------ D:\WINDOWS\System32\LFCMP12n.DLL
2007-02-25 13:10:05 30720 --a------ D:\WINDOWS\System32\lfbmp12n.dll
2007-02-25 12:50:59 0 d-------- D:\Projects
2007-02-25 12:50:59 0 d-------- D:\Libs
2007-02-24 21:39:18 0 d-------- D:\Documents and Settings\s\Application Data\TrojanHunter
2007-02-24 20:01:58 0 d-------- D:\Program Files\TrojanHunter 4.6
2007-02-24 00:17:05 2062665 --a------ D:\spywareguardsetup.exe
2007-02-24 00:05:58 2566736 --a------ D:\spywareblastersetup351.exe
2007-02-24 00:01:41 0 d-------- D:\hosts
2007-02-23 21:07:47 0 d-------- D:\Documents and Settings\s\Application Data\F-Secure
2007-02-23 20:48:14 0 d-------- D:\Program Files\Oversight System Sentinel Demo
2007-02-23 20:45:59 0 d-------- D:\Program Files\F-Secure
2007-02-23 20:44:31 0 d-------- D:\Documents and Settings\All Users\Application Data\fssg
2007-02-23 20:35:00 67984152 --a------ D:\fs2007.exe
2007-02-23 20:21:48 23552 --a------ D:\MsnVirRem.exe
2007-02-23 20:21:02 51134 --a------ D:\combofix.exe
2007-02-23 17:24:40 0 d-------- D:\Program Files\Safer Networking
2007-02-23 16:31:41 5037072 --a------ D:\spybotsd14.exe
2007-02-23 16:30:14 898816 --a------ D:\regalyz.exe
2007-02-23 10:51:43 2794488 --a------ D:\spynomore.exe
2007-02-23 00:34:51 5743392 --a------ D:\SUPERAntiSpyware.exe
2007-02-22 23:42:56 50688 --a------ D:\ATF-Cleaner.exe
2007-02-22 23:39:18 1914 --a------ D:\WINDOWS\System32\tmp.reg
2007-02-22 23:38:13 79360 --a------ D:\WINDOWS\System32\swxcacls.exe
2007-02-22 23:38:13 40960 --a------ D:\WINDOWS\System32\swsc.exe
2007-02-22 23:38:13 288417 --a------ D:\WINDOWS\System32\SrchSTS.exe
2007-02-22 23:38:13 51200 --a------ D:\WINDOWS\System32\dumphive.exe
2007-02-22 23:38:12 135168 --a------ D:\WINDOWS\System32\swreg.exe
2007-02-22 23:38:12 53248 --a------ D:\WINDOWS\System32\Process.exe
2007-02-22 23:38:04 0 d-------- D:\SmitfraudFix
2007-02-22 21:39:23 0 d-------- D:\Documents and Settings\Administrator.******\Application Data\Spyware Terminator
2007-02-21 20:42:33 135936 --a------ D:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2007-02-21 20:42:33 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Spyware Terminator
2007-02-21 20:38:01 0 d-------- D:\Documents and Settings\s\Application Data\Spyware Terminator
2007-02-21 20:38:01 0 d-------- D:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-02-21 20:37:53 0 d-------- D:\Program Files\Spyware Terminator
2007-02-21 20:23:56 0 d-------- D:\Documents and Settings\s\Application Data\AVG7
2007-02-21 20:12:13 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-02-21 20:12:03 4960 --a------ D:\WINDOWS\System32\drivers\avgtdi.sys
2007-02-21 20:12:03 18432 --a------ D:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-21 20:12:03 3968 --a------ D:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 20:12:01 27776 --a------ D:\WINDOWS\System32\drivers\avg7rsxp.sys
2007-02-21 20:12:01 4224 --a------ D:\WINDOWS\System32\drivers\avg7rsw.sys
2007-02-21 20:11:56 839936 --a------ D:\WINDOWS\System32\drivers\avg7core.sys
2007-02-21 20:11:36 0 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2007-02-21 09:00:14 19170000 --a------ D:\avg75free_441a944.exe
2007-02-21 08:45:10 737625 --a------ D:\SmitfraudFix.exe
2007-02-20 16:22:32 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-02-20 16:21:35 0 d-------- D:\Program Files\SUPERAntiSpyware
2007-02-20 16:21:35 0 d-------- D:\Documents and Settings\s\Application Data\SUPERAntiSpyware.com
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\zts2.exe
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\System32\vcmgcd32.dll
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\System32\iifgfgf.dll
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\rundll16.exe
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\rundl132.dll
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\logo1_.exe
2007-02-20 16:00:51 128512 --a------ D:\WINDOWS\System32\T.COM
2007-02-20 16:00:50 128512 --a------ D:\WINDOWS\System32\TASKMGR.COM
2007-02-20 16:00:50 134144 --a------ D:\WINDOWS\REGEDIT.COM
2007-02-20 16:00:50 134144 --a------ D:\WINDOWS\R.COM
2007-02-20 15:40:55 0 d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2007-02-17 16:42:54 0 d-------- D:\Documents and Settings\s\Application Data\Apple Computer
2007-02-13 23:58:15 286720 -----n--- D:\WINDOWS\Setup1.exe
2007-02-13 23:57:51 0 d-------- D:\mister
2007-02-13 23:52:21 648351 --a------ D:\decks v1.exe
2007-02-13 23:45:40 0 d-------- D:\Program Files\NovaDSP
2007-02-13 23:45:28 1274779 --a------ D:\rifflite_setup.exe
2007-02-13 17:06:32 0 d-------- D:\Program Files\Transcribe!
2007-02-13 17:06:07 1455232 --a------ D:\xscsetup.exe
2007-02-13 16:58:07 0 d-------- D:\Program Files\AnalogX
2007-02-13 16:57:57 220569 --a------ D:\sayiti.exe
2007-02-13 16:47:18 0 d-------- D:\Program Files\d-lusion
2007-02-13 16:45:06 0 d-------- D:\Documents and Settings\s\Application Data\Cycling '74
2007-02-13 16:44:32 0 d-------- D:\AVdrum 021
2007-02-13 16:30:38 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Messenger_5.0.0482
2007-02-13 16:28:03 2211840 --a------ D:\dreamstation.exe
2007-02-13 16:24:21 0 d-------- D:\at2
2007-02-12 15:35:19 111397872 --a------ D:\acidpro60c-trial_enu.exe
2007-02-12 15:18:48 38122608 --a------ D:\acidxpress50a.exe
2007-02-06 09:02:28 0 --a------ D:\WINDOWS\System32\intr32.dll
2007-02-05 23:44:47 0 d-------- D:\GDT3
2007-02-05 23:32:15 107520 --a------ D:\Scratch_Me.exe
2007-02-05 23:28:02 1242112 --a------ D:\WINDOWS\SPT-667.exe
2007-02-05 23:28:02 26712 --a------ D:\WINDOWS\dmetmsf.dat
2007-02-05 23:28:02 14392 --a------ D:\WINDOWS\dmetmsa.dat
2007-02-05 23:28:02 92728 --a------ D:\WINDOWS\dmet.dat
2007-02-05 23:27:48 1242112 --a------ D:\SPT-667.exe
2007-02-05 23:22:03 3504975 --a------ D:\plsmst30.exe
2007-02-03 18:00:23 10452638 --a------ D:\movie_morpher_gold_cnt.exe
2007-02-03 17:29:51 0 d-------- D:\2xex1412
2007-02-03 17:17:24 0 d-------- D:\Program Files\Alwil Software
2007-02-03 17:08:57 12099848 --a------ D:\setupeng.exe
2007-02-03 17:08:24 0 d-------- D:\Program Files\ToniArts
2007-02-03 17:04:49 2951802 --a------ D:\EClea2_0.exe
2007-02-02 20:19:26 0 d-------- D:\Program Files\Liatro
2007-02-02 18:30:02 0 d-------- D:\frenzy
2007-02-02 18:25:06 0 d-------- D:\toubou
2007-02-02 10:24:54 348160 --a------ D:\WINDOWS\System32\MSVCR71.DLL
2007-02-02 10:24:53 499712 --a------ D:\WINDOWS\System32\MSVCP71.DLL
2007-02-02 10:24:51 1060864 --a------ D:\WINDOWS\System32\MFC71.DLL
2007-02-02 10:22:26 89088 --a------ D:\WINDOWS\System32\atl71.dll
2007-02-02 10:13:52 33340 --a------ D:\WINDOWS\System32\dbmsqlgc.dll
2007-02-02 10:13:52 24576 --a------ D:\WINDOWS\System32\dbmsgnet.dll
2007-02-02 10:10:23 765952 -----n--- D:\WINDOWS\System32\msvcp71d.dll
2007-02-02 10:10:20 544768 -----n--- D:\WINDOWS\System32\msvcr71d.dll
2007-02-02 09:38:59 0 d-------- D:\SmartSound Software
2007-02-02 09:34:07 171008 --a------ D:\WINDOWS\System32\drivers\MarvinBus.sys
2007-02-02 09:31:46 57344 --a------ D:\WINDOWS\System32\MFC71ENU.DLL
2007-02-02 09:12:59 0 d-------- D:\Program Files\Common Files\Download Manager
2007-02-01 01:16:31 0 d-------- D:\Program Files\Windows Media Bonus Pack for Windows XP
2007-02-01 01:14:59 6 --a------ D:\Documents and Settings\s\Application Data\mmrpzlic.dat
2007-01-31 19:16:44 0 d-------- D:\Program Files\Temp
2007-01-31 19:00:56 220 ---hs---- D:\WINDOWS\dwin.sys
2007-01-31 19:00:38 0 d-------- D:\Program Files\TM2V2
2007-01-31 17:19:37 0 d-------- D:\MySlideshow
2007-01-31 14:50:27 0 d-------- D:\Program Files\DVD Photo Slideshow Professional
2007-01-31 14:43:25 0 d-------- D:\Program Files\Slideshow pro
2007-01-31 14:39:53 0 d-------- D:\Program Files\mresreg
2007-01-30 07:20:02 16384 --a------ D:\WINDOWS\System32\FileOps.exe
2007-01-30 07:20:01 0 d-------- D:\WINDOWS\System32\Adobe
2007-01-30 00:07:59 0 d-------- D:\icetemplates.com_free006_ecommerce
2007-01-30 00:06:07 0 d-------- D:\sample_osc
2007-01-29 12:54:27 0 d-------- D:\Program Files\Popims
2007-01-28 13:51:44 0 d-------- D:\Documents and Settings\s\Application Data\Sony
2007-01-28 13:50:08 12580696 --a------ D:\mm20enu.exe
2007-01-28 13:23:15 69556081 --a------ D:\moviestudio60b-trial_enu.exe
2007-01-28 01:40:25 0 d-------- D:\logos1
2007-01-27 17:47:25 0 d-------- D:\template53
2007-01-27 13:14:40 0 d-------- D:\template64
2007-01-27 13:14:10 0 d-------- D:\template49


-- Find3M Report ----------------------------------------------------------------

2007-02-26 23:52:06 0 d-------- D:\Program Files\Grisoft
2007-02-25 13:10:05 0 d-------- D:\Program Files\Common Files\Broderbund
2007-02-25 13:10:04 0 d--h----- D:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-25 13:09:28 0 d-------- D:\Program Files\Web Publish
2007-02-25 13:04:33 0 d-------- D:\Program Files\Broderbund
2007-02-25 12:13:56 494582 --a------ D:\Fixwareout.exe
2007-02-24 22:08:49 0 d-------- D:\Program Files\SpywareGuard
2007-02-24 00:08:09 0 d-------- D:\Program Files\SpywareBlaster
2007-02-20 16:20:30 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-20 15:38:43 0 d-------- D:\Documents and Settings\s\Application Data\Adobe
2007-02-20 15:38:11 0 d-------- D:\Program Files\VirtualDJ
2007-02-20 15:37:29 0 d-------- D:\Program Files\Common Files\Adobe
2007-02-20 15:37:18 0 d-------- D:\Program Files\Art Plus
2007-02-20 15:37:16 0 d-------- D:\Program Files\Corel
2007-02-16 21:17:10 0 d-------- D:\Documents and Settings\s\Application Data\Ableton
2007-02-16 21:14:23 0 d-------- D:\Program Files\Ableton
2007-02-16 03:09:14 0 d-------- D:\Documents and Settings\s\Application Data\Audacity
2007-02-15 13:25:10 0 d-------- D:\Documents and Settings\s\Application Data\Domain Name Analyzer Pro v4.0
2007-02-13 15:56:53 0 d-------- D:\Program Files\Lexmark X1100 Series
2007-02-12 21:31:00 0 d-------- D:\Program Files\Sony
2007-02-12 21:26:42 0 d-------- D:\Program Files\Sony Setup
2007-02-04 17:54:01 0 d-------- D:\Program Files\Smoke Attack 2<SMOKEA~2>
2007-02-04 09:19:35 0 d-------- D:\Program Files\Show.kit 2.1
2007-02-03 20:31:01 0 d-------- D:\Program Files\Morpheus
2007-02-03 17:12:59 0 d-------- D:\Program Files\Amara - Flash Intro and Banner Builder
2007-02-03 17:10:00 0 d-------- D:\Program Files\Jasc Software Inc
2007-02-03 16:58:07 0 d-------- D:\Program Files\IncrediMail
2007-02-02 11:07:26 0 d-------- D:\Program Files\Pinnacle
2007-02-02 10:55:36 1852 --a------ D:\WINDOWS\System32\d3d9caps.dat
2007-01-28 13:51:28 0 d-------- D:\Program Files\Movie Maker<MOVIEM~1>
2007-01-26 23:49:23 0 d-------- D:\Program Files\Windows Media Components
2007-01-26 23:47:58 0 d-------- D:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-01-26 23:43:35 141606188 --a------ D:\uvs10_tbyb_(e)_na.exe
2007-01-23 15:22:19 0 d-------- D:\Program Files\Shockwave.com
2007-01-21 14:39:18 4704 --ahs---- D:\WINDOWS\System32\KGyGaAvL.sys
2007-01-21 14:04:09 0 d-------- D:\Documents and Settings\s\Application Data\Corel
2007-01-21 14:03:09 88 -r-hs---- D:\WINDOWS\System32\84C07846D1.sys
2007-01-21 12:57:35 0 d---s---- D:\Documents and Settings\s\Application Data\Microsoft<MICROS~1>
2007-01-17 18:45:31 0 d-------- D:\Documents and Settings\s\Application Data\Softnik Technologies
2007-01-17 17:07:35 0 d-------- D:\Program Files\Softnik Technologies
2007-01-15 17:20:53 56 -r-hs---- D:\WINDOWS\System32\D14678C084.sys
2007-01-15 12:54:32 0 d-------- D:\Program Files\Common Files\Adobe Systems Shared
2007-01-08 09:28:06 0 d-------- D:\Program Files\CoffeeCup Software
2007-01-08 09:10:13 6458671 --a------ D:\CoffeeFormBuilder50.exe
2007-01-07 23:05:09 18481128 --a------ D:\Babylon6_setup_heb_eng_heb_oxford.exe
2007-01-05 19:15:30 0 d-------- D:\Documents and Settings\s\Application Data\Macromedia<MACROM~1>
2007-01-05 19:11:32 0 d-------- D:\Program Files\Common Files\SourceTec
2007-01-05 19:11:28 0 d-------- D:\Program Files\SourceTec
2007-01-05 19:05:07 0 d-------- D:\Program Files\DComSoft
2007-01-05 19:04:46 1360574 --a------ D:\SWF Picture Extractor.exe
2007-01-04 12:26:38 5292032 --a------ D:\MixVibes6demo.exe
2006-12-30 22:47:46 0 d-------- D:\Program Files\SpacialAudio
2006-12-30 13:44:11 0 d-------- D:\Program Files\Acoustica Mixcraft
2006-12-27 12:16:04 0 d-------- D:\Program Files\Microsoft.NET
2006-12-21 12:54:53 10083348 --a------ D:\WebSmartzTrialEdition.EXE
2006-12-20 03:38:31 131584 --a------ D:\WINDOWS\System32\SpoonUninstall.exe
2006-12-20 03:38:24 749568 --a------ D:\WINDOWS\System32\swfgen.dll
2006-12-09 16:01:36 6538503 --a------ D:\3drecg2.exe
2006-12-08 02:11:49 4469879 --a------ D:\amarafibb.exe
2006-11-28 19:56:18 1740 --a------ D:\WINDOWS\System32\d3d8caps.dat


-- Registry Dump ----------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"THGuard"="\"D:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"="D:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Babylon Client"="D:\\Program Files\\Babylon\\Babylon-Pro\\Babylon.exe -AutoStart"
"Lexmark X1100 Series"="\"D:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^s^Start Menu^Programs^Startup^Netvision Cable Connect.url]
"backup"="D:\\WINDOWS\\pss\\Netvision Cable Connect.urlStartup"
"location"="Startup"
"item"="Netvision Cable Connect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=dword:00000003


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of ComboScan: finished at 2007-02-27 at 11:01:48 -------------------------

Angelfire777
2007-02-28, 11:45
Hi,

You seem to have been reinfected by wareout..

*You need to disable TrojanHunter temporarily; it can stop our fix. Please re-enable it after your system is clean.
Before we start please go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right click it and select "Settings." Uncheck "Load at Startup" and "Enabled". Make sure that the program, TrojanHunter itself, is also closed/not running.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
____________________

*You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again. After your computer restarts, a notepad report will immediately open, please post all the contents of that report.


*Now let's check some settings on your system.
(2000/XP) Only

Open the Windows Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
Then right click on your default connection, usually Local Area Connection for cable and dsl, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Next go to Start > Run > type cmd and hit OK

type ipconfig /flushdns

then hit Enter, type exit and hit Enter.
(that space between g and / is needed)

Finally, please post a fresh HijackThis log, along with the contents of the report.

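A defender-side check for the log entries Angelfire777 singles out above (the O17 NameServer entries pointing at resolvers the user did not configure, the O16 DPF entries with no name or URL, and services flagged "(file missing)"). This is an added example, not part of the thread or of HijackThis itself; the expected-resolver set and the log excerpt are constructed for illustration.

```python
"""Triage a HijackThis log for the DNS-changer signs discussed in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List

# Resolvers the machine is expected to use. This is a constructed allow-list
# for the example; on a real system take it from the ISP or DHCP lease,
# never from the log you are checking.
EXPECTED_RESOLVERS = frozenset({"194.90.1.5", "212.143.212.143"})

# O17 entries carry the per-interface NameServer value; HijackThis separates
# multiple servers with spaces (some versions use commas).
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
# O16 entries list downloaded ActiveX controls; a healthy one names the class
# and the .cab it came from, a leftover hijacker entry has neither.
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?P<rest>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O17"
    line: str      # the offending log line, as written
    reason: str    # why it was flagged


def triage(log_text: str, expected: Iterable[str] = EXPECTED_RESOLVERS) -> List[Finding]:
    """Return one Finding per suspicious entry in a HijackThis log."""
    expected = set(expected)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in re.split(r"[,\s]+", m.group("servers").strip()):
                try:
                    ip_address(server)
                except ValueError:
                    findings.append(Finding("O17", line, f"unparsable NameServer value {server}"))
                    continue
                if server not in expected:
                    findings.append(Finding("O17", line, f"unexpected DNS resolver {server}"))
            continue
        m = O16_RE.match(line)
        if m and not m.group("rest").strip(" -"):
            findings.append(Finding("O16", line, "DPF entry with no class name or download URL"))
            continue
        # O9 buttons and O23 services whose binary no longer exists are
        # leftovers worth removing regardless of section.
        if "(file missing)" in line:
            findings.append(Finding(line.split(" - ", 1)[0], line, "entry points at a missing file"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per HijackThis section."""
    counts: dict = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed excerpt modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed excerpt)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Once the DNS settings have been reset to "Obtain DNS servers automatically" and the hijacked entries fixed, a fresh log should produce no O17 findings against the real resolver set.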
kutuputu
2007-02-28, 14:20
Thanks again for your help.

Log of hijack this :

Logfile of HijackThis v1.99.1
Scan saved at 15:00:27, on 28/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

Log of Fixwareout :


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
Prerun check

System restarted

Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
Misc files.
....
Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

Other

Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
End report

Angelfire777
2007-03-01, 12:19
*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe. Then cut and paste that file to the new folder you created.
_______________

Download this file (http://users.telenet.be/marcvn/regfiles/HSfix.zip) and unzip it to your desktop

Download About:Buster from here (http://www.malwarebytes.org/AboutBuster.zip). Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet.

Download CWShredder from here (http://www.intermute.com/spysubtract/cwshredder_download.html), install it, check for updates but again, don't use it yet.
_______________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

*Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

*Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Reboot to normal mode.

I also noticed that your AVG Antispyware log was not posted correctly. You only posted the first part of the log, then it was cut off. On your next reply, please post a fresh HijackThis log, AVG Antispyware log and the AboutBuster log.

kutuputu
2007-03-01, 21:22
Thanks again.

My redirections are fixed, and I don't have any hijack...
I installed IE6 again, and now I can connect to secure sites.

Continue doing the fix process ?

I opened the REG file that you told me to add to the registry, and some of the lines were "gibberish"... still OK to add it?

Angelfire777
2007-03-02, 14:47
Hi,

Yes please continue with the instructions:)

kutuputu
2007-03-05, 23:23
Hello angelfire, and thanks again for your help.

There was a delay.

I have to ask you: is it OK to add the reg file, because parts of the reg file are full of "gibberish"?

Is it OK to add?

Angelfire777
2007-03-06, 08:48
Yes, it's OK to add :)

kutuputu
2007-03-06, 10:25
Hello angelfire, here are the logs.
Antispyware log :

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:37:11 03/03/2007

+ Scan result:

D:\Program Files\Oversight System Sentinel Demo\help.chm -> Adware.AntiAwarePro : Ignored.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Ignored.
D:\backups\backup-20070225-111125-358.dll -> Adware.I2ISolutions : Ignored.
D:\backups\backup-20070225-111125-600.dll -> Adware.I2ISolutions : Ignored.
D:\1\mailpv.zip/mailpv.exe -> Not-A-Virus.PSWTool.Win32.MailPassView.130 : Ignored.
D:\1\mspass.zip/mspass.exe -> Not-A-Virus.PSWTool.Win32.Messen.106 : Ignored.
D:\Documents and Settings\s\Cookies\s@burstnet[2].txt -> TrackingCookie.Burstnet : Ignored.
D:\Documents and Settings\s\Cookies\s@www.burstnet[1].txt -> TrackingCookie.Burstnet : Ignored.
D:\Documents and Settings\s\Cookies\s@com[1].txt -> TrackingCookie.Com : Ignored.
D:\Documents and Settings\s\Cookies\s@tacoda[2].txt -> TrackingCookie.Tacoda : Ignored.
D:\Documents and Settings\s\Cookies\s@web-stat[2].txt -> TrackingCookie.Web-stat : Ignored.
D:\Documents and Settings\s\Cookies\s@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Ignored.
D:\1\pspv.zip/pspv.exe -> Trojan.IcqSmiley.e : Ignored.

::Report end

hijackthis log :

Logfile of HijackThis v1.99.1
Scan saved at 11:19:40, on 06/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Documents and Settings\s\Desktop\hjt\HijackThis.exe
D:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 194.90.1.5 212.143.212.143
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

AboutBuster log :

AboutBuster 6.06
Scan started on [06/03/2007] at [11:06:30]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! D:\WINDOWS\Rhododendron.bmp:vyllhj
Removed Stream! D:\WINDOWS\_default.pif:almsnr
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:12:59

Angelfire777
2007-03-07, 14:11
Hi,

We have exams tomorrow so I'll have to study first. I'll have something for you by friday :)

Angelfire777
2007-03-09, 14:01
Hi, sorry for the delay..

Your AVG Antispyware log showed that it didn't clean anything at all..

Please reboot your machine to safe mode.

While in safe mode, have HijackThis fix check these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab

Close HijackThis.

then,

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delservices2.bat in the File name and save it to your desktop.


@echo off
sc stop rpcapd
sc delete rpcapd


Locate delservices2.bat on your Desktop and double-click on it.

*Using Windows Explorer, find and delete these files:

D:\s.exe
D:\WINDOWS\zts2.exe
D:\WINDOWS\System32\vcmgcd32.dll
D:\WINDOWS\System32\iifgfgf.dll
D:\WINDOWS\rundll16.exe
D:\WINDOWS\rundl132.dll
D:\WINDOWS\logo1_.exe
D:\WINDOWS\System32\T.COM
D:\WINDOWS\System32\TASKMGR.COM
D:\WINDOWS\REGEDIT.COM
D:\WINDOWS\R.COM
D:\WINDOWS\System32\intr32.dll

Empty your Recycle Bin.

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"=-




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.
_______________

Could you please run AVG Antispyware again while still in safe mode and make sure you hit the "apply all actions" button first before the "save report" button.

Reboot to normal mode.

*Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).


*I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click browse, then navigate to this file:

D:\WINDOWS\System32\gynoqkjx.isf

Then click submit.

do the same for this file: D:\WINDOWS\System32\iymmhnpo.xhy

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log and the AVG Antispyware log, results of the jotti scan and a description on how your machine is running.

kutuputu
2007-03-10, 14:32
Hello angelfire, thanks for your help.

Here are the logs of HIJACKTHIS and SDFIX, and notes about my computer.

HIJACKTHIS LOG :

Logfile of HijackThis v1.99.1
Scan saved at 15:10:10, on 10/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Documents and Settings\s\Desktop\hjt\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

SDFIX LOG :

SDFix: Version 1.70

Run by s - Sat 03/10/2007 / 14:37:28.94

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:

Name:
SVKP

Path:
\??\D:\WINDOWS\System32\SVKP.sys

SVKP Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

D:\WINDOWS\system32\SVKP.SYS - Deleted



ADS Check:

D:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\system.exe"="c:\\system.exe:*:Enabled:system"


Remaining Files:
---------------

Backups Folder: - D:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

D:\Documents and Settings\s\NetHood\clients - www.gi-israel.com\Desktop.ini
D:\icetemplates.com_free006_ecommerce\icetemplates.com_free006_ecommerce\html\images\Thumbs.db
D:\dkjrxp\dataness\cncs32.dll
D:\WINDOWS\system32\avisynth.dll
D:\WINDOWS\system32\AVSredirect.dll
D:\WINDOWS\system32\cygwin1.dll
D:\WINDOWS\system32\cygz.dll
D:\WINDOWS\system32\i420vfw.dll
D:\WINDOWS\system32\Smab.dll
D:\WINDOWS\system32\yv12vfw.dll
D:\Documents and Settings\s\Desktop\BUMPY.EXE
D:\simcity\simcity\SIM.EXE
D:\tj\tj\TJ.EXE
D:\WINDOWS\meta4.exe
D:\WINDOWS\MOTA113.exe
D:\WINDOWS\x2.64.exe
D:\WINDOWS\system32\x.264.exe
D:\Documents and Settings\All Users\Application Data\13.sys
D:\WINDOWS\dwin.sys
D:\WINDOWS\system32\84C07846D1.sys
D:\WINDOWS\system32\D14678C084.sys
D:\WINDOWS\system32\KGyGaAvL.sys
D:\Documents and Settings\s\Application Data\Microsoft\Templates\~WRL3971.tmp
D:\Documents and Settings\s\Application Data\Microsoft\Word\~WRL0004.tmp

Finished

Personal notes about my computer:

- I didn't find these files; they only appear as folders, not as files. Here are the files:
ZTS2.EXE VCMGCD32.DLL IIFGFGF.DLL RUNDLL16.EXE RUNDLL132.DLL LOGO1_EXE ** I deleted all these folder names.

- The batch command to delete a service gave me an ERROR. Here is the detail:
"Sc - CONTROLSERVICE FAILED : 1062"

- When I go to normal mode, Spybot detects a change from "explorer.exe" to "Explorer.exe"; I applied this change.

- I didn't find the files gynoqkjx.isf and iymmhnpo.xhy

- For AVG Anti-Spyware: I didn't run it; I think my 30 days are over. I downloaded the update database from the site, but in safe mode it says "never update".

- When I ran HijackThis the first time in normal mode to make the log, I got something like:
"UNEXPETECT ERROR 05......" I proceeded with the scan and the log.

- My Automatic Update service was set to auto; I disabled it.

- After SDFix loaded and finished, I pressed Enter to reboot. The system rebooted, and I went out; since I wasn't staying near the computer I didn't press Enter, and when I came back Windows was already loaded. It's OK, right?

Thanks so much for your help!!!

kutuputu
2007-03-10, 14:36
EDIT :

- I didn't find these files; they only appear as folder names, not as files. Here are the files (example: ZTS2.EXE is a folder):
ZTS2.EXE VCMGCD32.DLL IIFGFGF.DLL RUNDLL16.EXE RUNDLL132.DLL LOGO1_EXE ** I deleted all these folder names, and all these folders were empty; all the other files were found and deleted.

- I didn't find the files gynoqkjx.isf and iymmhnpo.xhy

Spyware Terminator and Spybot were disabled.

Angelfire777
2007-03-11, 00:55
When I go to normal mode, Spybot detects a change from "explorer.exe" to "Explorer.exe"; I applied this change.

I'm not sure what that means, as explorer.exe and Explorer.exe are the same file... Can you elaborate further on this?


For AVG Anti-Spyware: I didn't run it; I think my 30 days are over. I downloaded the update database from the site, but in safe mode it says "never update".

That's alright if you can't update in Safe Mode, because you can't connect to the internet. Even though your 30 days are over, you can still use the on-demand scanner. I want you to please scan with it again in Safe Mode and make sure you hit the "apply all actions" button first, before the "save report" button.


My Automatic Update service was set to auto; I disabled it.

Is it Automatic Windows Updates you're talking about? If so, why did you disable it?


After SDFix loaded and finished, I pressed Enter to reboot. The system rebooted, and I went out; since I wasn't staying near the computer I didn't press Enter, and when I came back Windows was already loaded. It's OK, right?

It's odd but it ran ok.
________________

After you scan with AVG Antispyware in safe mode, reboot to normal mode.

Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:

c:\system.exe

Then click submit.

Do the same for this file: D:\Documents and Settings\All Users\Application Data\13.sys

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
_________________

Download the RegSearch Tool (http://www.xs4all.nl/~fstaal01/regsearch-us.html) by Bobbi Flekman.

1. Unzip it to your desktop
2. Double-click on regsearch.exe, and search for this:

Remote Packet Capture Protocol v.0

3. It may take a while to run, so be patient. When finished, the search results will appear in your text editor.

On your next reply, please include a fresh HijackThis log, the AVG Anti-Spyware log, the results of the Jotti scan and the results of the RegSearch.

kutuputu
2007-03-11, 08:40
Hello again Angelfire. Thanks for your help. Here are the logs:

Log of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 09:33:19, on 11/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\s\Desktop\regsearch.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\s\Desktop\hjt\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 194.90.1.5 212.143.212.143
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

Log of RegSearch:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.2.0

; Results at 11/03/2007 09:28:24 for strings:
; 'remote packet capture protocol v.0'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd]
"DisplayName"="Remote Packet Capture Protocol v.0 (experimental)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rpcapd]
"DisplayName"="Remote Packet Capture Protocol v.0 (experimental)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd]
"DisplayName"="Remote Packet Capture Protocol v.0 (experimental)"

; End Of The Log...

Log of Jotti:

It found nothing. The file system.exe I don't find (it shows all files, including hidden ones).

- My surfing is a little slow.
- Automatic Update needs a validation; my Windows XP is from my other computer...
- And about AVG Anti-Spyware: I downloaded the full database file manually in normal mode and installed it, but when I run it, it says: never update.

Thanks.

Angelfire777
2007-03-11, 09:02
*We need to temporarily disable Spyware Terminator, as it can stop our fix.

Open Spyware Terminator then Click on the "Real-time Protection" tab, leave the "Use Real-time Protection" checkbox empty and click on the "Save Changes" button.

Exit Spyware Terminator.

*You need to disable SpywareGuard temporarily, as it can stop our fix. Please re-enable it after your system is clean.

1. Right-click on the SG icon in your System Tray and SpywareGuard should open.
2. Click "Options" and then uncheck these options under the "General" tab:
Enable Real-Time Scanning
Enable Download Protection
Enable Browser Hijack Protection

3. Click "Save Settings."

*We need to temporarily disable Spybot's TeaTimer, it may stop our fix.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
______________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad.
Choose File > Save As and under "Save as type", choose "All Files".
Type fix2.reg in the File name box and save it to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rpcapd]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd]




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.
_______________________

Next, don't mind the updates anymore. Just do the AVG Anti-Spyware scan again in Safe Mode.

Reboot to normal mode after the scan, then post a fresh HijackThis log and the AVG Anti-Spyware log, and tell me how it's running.
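A small triage script for the entry types fixed in this post (empty R0 values, O16 DPF entries with no URL, O23 services whose binary is missing), the O17 NameServer line from the earlier log, and the firewall exception SDFix exported. This is an added example, not code from the thread or from HijackThis/SDFix; the sample lines are constructed from the logs above, and the Kerio firewall exception line is hypothetical.

```python
"""Triage helpers for the HijackThis and SDFix entry types fixed in this thread.

Added example for this thread; it is not HijackThis, SDFix or Spybot code.
The sample inputs below are constructed from the log lines posted above.
"""
import ntpath
import re

# Constructed sample: a subset of the 11/03/2007 HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 194.90.1.5 212.143.212.143
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Constructed sample: the firewall exception list SDFix exported above, plus one
# hypothetical legitimate entry (Kerio) for contrast.
SAMPLE_FW_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\system.exe"="c:\\system.exe:*:Enabled:system"
"D:\\Program Files\\Kerio\\Personal Firewall\\persfw.exe"="D:\\Program Files\\Kerio\\Personal Firewall\\persfw.exe:*:Enabled:Kerio Personal Firewall"
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_entry(line):
    """Split one HijackThis line into its section code (R0, O16, ...) and body."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("kind"), m.group("body").rstrip()


def triage_hjt(log_text, trusted_dns=frozenset()):
    """Return (line, reason) pairs for the entry types the helper asked to fix.

    trusted_dns: resolver addresses the user recognises (their ISP's); any O17
    NameServer not in that set is reported so a DNS change is not missed.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, body = parsed
        if kind in ("R0", "R1") and body.endswith("="):
            # An IE page setting with nothing after '=' is leftover from a hijack.
            findings.append((raw.strip(), "empty IE page setting; safe to fix"))
        elif kind == "O16" and body.endswith("-"):
            # A Downloaded Program Files (ActiveX) entry with no source URL.
            findings.append((raw.strip(), "ActiveX entry with no source URL; fix"))
        elif kind == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            servers = m.group(1).split() if m else []
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append((raw.strip(), "DNS not in trusted set: " + ", ".join(unknown)))
        elif kind == "O23" and "(file missing)" in body:
            # Service is still registered although its binary is gone.
            findings.append((raw.strip(), "service binary missing; remove the service key"))
    return findings


def suspicious_firewall_exceptions(reg_export):
    """Return enabled Windows Firewall exceptions whose program sits in a drive root.

    Data layout is path:scope:Enabled|Disabled:display name, with backslashes
    doubled as in any .reg export. Installed software lives under Program Files
    or Windows, so an exception for a bare c:\\something.exe deserves a look.
    """
    flagged = []
    for raw in reg_export.splitlines():
        m = REG_VALUE_RE.match(raw.strip())
        if not m:
            continue
        fields = m.group("data").replace("\\\\", "\\").split(":")
        if len(fields) < 5:
            continue
        path = fields[0] + ":" + fields[1]  # re-join the drive letter
        state = fields[3]
        parent = ntpath.dirname(path).rstrip("\\")
        if state.lower() == "enabled" and parent.endswith(":"):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {line}")
    print("firewall exceptions to review:", suspicious_firewall_exceptions(SAMPLE_FW_EXPORT))
```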

kutuputu
2007-03-11, 11:51
Hello again. I don't understand:


All Files".
Type fix2.reg in the File name and save it to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rpcapd]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd]




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.
_______________________


Double-click on the fix.reg that we created before, or double-click on the fix2.reg that we created now?

Thanks for your help.

Angelfire777
2007-03-11, 13:10
Double-click the fix2.reg that we created just now. Sorry for the confusion.

kutuputu
2007-03-11, 20:38
Hello Angelfire, and thanks for your help, you're the best.

Here is the log for HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 21:18:23, on 11/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\SpywareGuard\sgmain.exe
D:\Documents and Settings\s\Desktop\hjt\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

And the log for AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:12:26 11/03/2007

+ Scan result:



D:\Program Files\Oversight System Sentinel Demo\help.chm -> Adware.AntiAwarePro : Ignored.
D:\Documents and Settings\s\Desktop\hjt\backups\backup-20070310-125217-506.dll -> Adware.I2ISolutions : Ignored.
D:\backups\backup-20070225-111125-358.dll -> Adware.I2ISolutions : Ignored.
D:\backups\backup-20070225-111125-600.dll -> Adware.I2ISolutions : Ignored.
D:\1\mailpv.zip/mailpv.exe -> Not-A-Virus.PSWTool.Win32.MailPassView.130 : Ignored.
D:\1\mspass.zip/mspass.exe -> Not-A-Virus.PSWTool.Win32.Messen.106 : Ignored.
D:\Documents and Settings\s\Cookies\s@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
D:\Documents and Settings\s\Cookies\s@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
C:\GAMES\pspv.zip/pspv.exe -> Trojan.IcqSmiley.e : Cleaned with backup (quarantined).
C:\WINSET98\WIN98_46.CAB/notepad.exe -> Worm.Volag.c : Cleaned with backup (quarantined).


::Report end

I have some questions, if that's OK:

- When I did the process, I disabled Spybot's TeaTimer, but when I set it to enabled again, it denied the changes based on my previous selection. How do I set it to allow this selection? Here are the 2 denied changes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
So for now, TeaTimer is disabled.

- The REGEDIT4 code: after the last line I pressed ENTER to make a blank line, is that OK? And there is 1 line space between "REGEDIT4" and the reg lines, is that OK?

- I forgot to say that I have a dual boot: drive C is Win98 and drive D is Windows XP. That's OK, yes?

I'm waiting for your pro and quick answer about the report and the questions, YOU ARE THE BEST! :)

Angelfire777
2007-03-12, 12:08
Hi,

well what do you know, the stubborn O23 is now gone :)


I have some questions, if that's OK:

Sure.


When I did the process, I disabled Spybot's TeaTimer, but when I set it to enabled again, it denied the changes based on my previous selection. How do I set it to allow this selection? Here are the 2 denied changes:

I'm not very familiar with TeaTimer, but I think you can set TeaTimer to just allow the changes made.


The REGEDIT4 code: after the last line I pressed ENTER to make a blank line, is that OK? And there is 1 line space between "REGEDIT4" and the reg lines, is that OK?

Yes what you did is right.


I forgot to say that I have a dual boot: drive C is Win98 and drive D is Windows XP. That's OK, yes?

Yeah it's perfectly ok.

*Using Windows Explorer, find and delete these files:

D:\Program Files\Oversight System Sentinel Demo\help.chm
D:\backups\backup-20070225-111125-358.dll
D:\backups\backup-20070225-111125-600.dll
D:\1\mailpv.zip
D:\1\mspass.zip

Empty your recycle bin.

Reboot.

On your next reply, please post a fresh HijackThis log and a description on how your machine is running.

kutuputu
2007-03-12, 22:40
Hello Angelfire, my computer seems to run fine; programs start faster, and in general it's OK.

But I wanted to know what to do about TeaTimer: should I leave it disabled? And Spyware Terminator does the same job, no?
Because if I enable it, it denies the changes and keeps these lines:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Is it OK and safe to enable it and leave these two lines?

And another question: is it safe and OK to change my home page to Google?

Here is the log of HijackThis: (Hope it's OK with you, so many logs...)

Logfile of HijackThis v1.99.1
Scan saved at 23:26:21, on 12/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Documents and Settings\s\Desktop\hjt\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

Some notes:

Thanks so much for be
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

Some notes :

Thank you for being patient. Keep up your good work. :bigthumb:

Angelfire777
2007-03-13, 13:48
Hi,

You're welcome :)

**We need to temporarily disable Spyware Terminator; it can stop our fix.

Open Spyware Terminator, then click on the "Real-time Protection" tab, leave the "Use Real-time Protection" checkbox empty and click on the "Save Changes" button.

Exit Spyware Terminator.

*You need to disable SpywareGuard temporarily; it can stop our fix. Please re-enable it after your system is clean.

1. Right-click on the SG icon in your System Tray and SpywareGuard should open.
2. Click "Options" and then uncheck these options under the "General" tab:
Enable Real-Time Scanning
Enable Download Protection
Enable Browser Hijack Protection

3. Click "Save Settings."


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.



But I wanted to know what to do about TeaTimer. Should I leave it disabled? And does Spyware Terminator do the same job, or not?

Do the following, then re-enable TeaTimer and Spyware Terminator. The alerts should go away. Make sure you re-enable SpywareGuard too.


Click Start > Run, type Notepad.exe, then click OK.
This will open a Notepad file.
Copy and paste the contents of the code box below into the open Notepad file.
Click on Format and make sure Word Wrap is unchecked.
Save it as ResetTeaTimer.bat, with "File type:" set to All Files.



@echo off
rem ResetTeaTimer.bat: deletes Spybot S&D's TeaTimer snapshot, exclude and
rem resident-log files so the resident guard rebuilds them from scratch.

rem Pick the branch that matches the Windows version reported by VER.
VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
rem NT family (2000/XP/2003): files live under the All Users application data folder.
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\Snapshots\*.*
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\logs\resident.log
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:win
rem Windows 95/98: no per-user profiles, so the files sit under %WINDIR%.
deltree /y %WINDIR%\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\applic~1\spybot~1\logs\resident.log
del %WINDIR%\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:winme
rem Windows ME has no DELTREE and its DEL has no /y switch, so the
rem "Are you sure (Y/N)?" prompt for the wildcard delete is answered by piping "y".
echo y| del %WINDIR%\alluse~1\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\logs\resident.log
exit

:last
echo Press any key to terminate...
pause
exit



Double click ResetTeaTimer.bat to run it.
__________________


And another question: is it safe and OK to change my home page to Google?

Sure. It's perfectly OK.

*Congratulations! Your log looks clean!

Configure Windows XP to hide system files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Do not show hidden files and folders.
Check the Hide protected operating system files option.
Click Yes to confirm.
Click OK.
_______________________
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your PC's security.

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

kutuputu
2007-03-13, 21:32
Thank you, Angelfire, for your help and support.

You keep surprising me every time with a great answer.

YOU ARE THE BEST !

P.S. What did you learn? C++? Delphi? I want to study too, to learn how to mess with the registry. Can you tell me which studies to take?

Best regards. :bigthumb:

Angelfire777
2007-03-14, 09:19
Thank you, Angelfire, for your help and support.

You keep surprising me every time with a great answer.

YOU ARE THE BEST !

Thank you :)


P.S. What did you learn? C++? Delphi? I want to study too, to learn how to mess with the registry. Can you tell me which studies to take?

Oh no no no. I never learned those two languages, and you don't need to know them in order to do basic registry editing. Actually, while I was still studying in a malware removal university to learn how to remove malware, I learned registry editing somewhere along the way. If you are interested, you could register here: forum.malwareremoval.com and post a request to join the university :)

Tell me how it goes :)

kutuputu
2007-03-15, 10:54
Thank you very much.

I signed up there. I'm waiting for a PM.

I'll let you know how the study goes.

Thanks.

:bigthumb:

Angelfire777
2007-03-15, 12:22
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.