View Full Version : A few problems (malware)
Hi,
I have a few problems with my PC for about a week, and it's just get worst.
The problems:
1. "regedit" won't start, it's not recognized in windows.
2. My task manager won't start when I press alt+ctrl+del.
3. Windows update directs me to MSN.COM .. (I'm not able to update my system.)
4. When I shut down the computer I have a blue screen with fatal error says C000021a.. something like that.
5. When I log into Windows I get tons of pop ups with ads. that window's address is c:\windows\iexplore.html or something with rdmngr and a long continue..
To be able to use my PC I built a batch file that close every process of iexplore.exe and therefore I'm now using google chrome to write this thread.
The protection programs I had until couple of days were Symantec norton anti virus + firewall (both not updated).
The programs I have now (after downloading and deleting others) are AVG internet security (which won't let me update itself - it says my internet connection is not good - weird?)
SPYWAREfighter (fully updated and clean from problems..)
and last of all that I think is the most helpful one is SpyBot S&D (fully updated).
I'll give a little info. about what happening in my comp. now: (all from spybot s&d)
My running processes:
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-10-19 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-09-02 Includes\Adware.sbi
2008-10-14 Includes\AdwareC.sbi
2008-06-03 Includes\Cookies.sbi
2008-09-02 Includes\Dialer.sbi
2008-09-09 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-09-02 Includes\Hijackers.sbi
2008-10-07 Includes\HijackersC.sbi
2008-09-09 Includes\Keyloggers.sbi
2008-10-14 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-10-08 Includes\Malware.sbi
2008-10-14 Includes\MalwareC.sbi
2008-09-02 Includes\PUPS.sbi
2008-10-14 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-18 Includes\Security.sbi
2008-09-30 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-09-09 Includes\Spyware.sbi
2008-10-14 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-10-15 Includes\Trojans.sbi
2008-10-14 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
PID: 0 ( 0) [System]
PID: 1420 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 1620 (1420) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 1656 (1420) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 1712 (1656) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 1724 (1656) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1948 (1712) C:\WINDOWS\system32\ibmpmsvc.exe
size: 73782
MD5: 21ABD7E16659602723F984F512C65E02
PID: 1980 (1712) C:\WINDOWS\system32\Ati2evxx.exe
size: 380928
MD5: A2093ED04D20F3ACA0C0D348234C6998
PID: 2020 (1712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 304 (1712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 484 (1712) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 520 (1712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 600 (1712) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
size: 86016
MD5: 80AAA1C7520C86CA0641C69851E124AF
PID: 692 (1712) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
size: 360521
MD5: 3962B7C74E9E335FAA419CCBF4BD1835
PID: 812 (1712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 868 (1712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1188 (1024) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1556 (1712) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1248 (1712) C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
size: 231704
MD5: 9B40D378D4E521464212E878BE8216A4
PID: 1604 (1712) C:\PROGRA~1\AVG\AVG8\avgfws8.exe
size: 1220888
MD5: 1BB3A220C3616098E4BEBD6865E8F433
PID: 544 (1712) C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
size: 258103
MD5: 32EDF745816649DFB0C1AA9E723C245F
PID: 1100 (1712) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
size: 622700
MD5: 0700D8F92F7A93C2AB33CE2E0EBC29F4
PID: 1496 (1248) C:\PROGRA~1\AVG\AVG8\avgam.exe
size: 638744
MD5: AC67ECB5AD03CE4A3FB971221F574E6B
PID: 1260 (1248) C:\Program Files\avg\avg8\avgrsx.exe
size: 287000
MD5: BA1CE056CE1466CA28CE118585EA86C4
PID: 1448 (1712) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1576 (1248) C:\PROGRA~1\AVG\AVG8\avgnsx.exe
size: 424216
MD5: C9BEA16C638562EB677746D07C673F07
PID: 2756 (1712) C:\WINDOWS\system32\HPZipm12.exe
size: 69632
MD5: 9D84376931440F3679BEEF2A414FA493
PID: 2880 (1712) C:\Program Files\Fighters\configservice.exe
size: 139912
MD5: 9B48A953DE6E8D20E17D634EBDFF1755
PID: 3144 (1712) C:\WINDOWS\System32\QCONSVC.EXE
size: 81920
MD5: F34DB50EF26BC0FED48BB5ADAF9B878F
PID: 3232 (1712) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
size: 139264
MD5: F8489639E1D60D21F63F69A0605DD667
PID: 3272 (1712) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 3376 (1712) C:\WINDOWS\System32\TPHDEXLG.EXE
size: 77824
MD5: 5515311013AF3EB8746FA6806AA4A859
PID: 3420 (1712) C:\WINDOWS\system32\TpKmpSVC.exe
size: 32768
MD5: DFB268FF0A6DCB9280015FF527F892FF
PID: 3456 (1712) C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService. exe
size: 40960
MD5: 7541BD8978AA1447FC2467C1F2B39B87
PID: 2988 (2020) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 3184 (1712) C:\PROGRA~1\AVG\AVG8\avgemc.exe
size: 875288
MD5: EC5B6AFF1A0BD1480B3B40CE78FAA527
PID: 3796 (1712) C:\Program Files\Fighters\licenseservice.exe
size: 283272
MD5: 7A433AA7803B408E50963F3007B7C134
PID: 2392 (1712) C:\Program Files\Fighters\updateservice.exe
size: 307848
MD5: 2DFBDA4C2484938B77737846446BADB5
PID: 2008 (1712) C:\Program Files\Fighters\ScannerService.exe
size: 311944
MD5: B0AB3FAFD1C65FA7FFC9178DAF8B5B96
PID: 992 (1712) C:\Program Files\Windows Media Player\WMPNetwk.exe
size: 913408
MD5: F74E3D9A7FA9556C3BBB14D4E5E63D3B
PID: 2804 (1712) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3904 (1188) C:\WINDOWS\LSPRN.EXE
size: 16896
MD5: 8D10954E841EEFC61E5022432E8F55E8
PID: 2436 (1188) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 110592
MD5: 0E6AA8A1D47148DC7AD82BF9C81AC69C
PID: 2400 (1188) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 512000
MD5: 89FC9B12D36005F6A43A8F8B58306AC8
PID: 2776 (3904) C:\WINDOWS\system32\PRINTDRV.EXE
size: 552748
MD5: 2B3B794301779CF6AD7EA9F2FEA87CA5
PID: 632 (1188) C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
size: 237568
MD5: EB21E4E92F5A81F7A6E6B9DC8E6BFBB6
PID: 3624 (1188) C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
size: 94208
MD5: 8F00D8FB0E51D4AB0587B3FC06E8079E
PID: 1856 (3624) C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
size: 77824
MD5: E56AED1AD96125AE952F9B2B1D468177
PID: 504 (3624) C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
size: 86016
MD5: F1DE90D990C6928EF549602A5ECE4029
PID: 1148 (1188) C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
size: 98304
MD5: 92B1EE9575F696F75FAB3A5A2D0D6642
PID: 3296 (1188) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: 763DAB43BDAB27316DBF3373192823D7
PID: 3336 (1188) C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
size: 49152
MD5: 64AB0F0795A0AEE366D34007D75F4A12
PID: 3140 (1188) C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
size: 86016
MD5: 11ADBA54E52216F21675E75F5535C553
PID: 2252 (1188) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 2116 (1188) C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
size: 745472
MD5: 616EF177F379D42EBDEA5E92411A8F6E
PID: 236 (1188) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
PID: 2480 (1188) C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.e xe
size: 180872
MD5: C491ABE2B0E515260CD8816F279B079F
PID: 1472 (1188) C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1235736
MD5: B95536F0B568C4476A78966CFA7BA006
PID: 664 (1188) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 2840 (1188) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 3092 (1188) C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
size: 133104
MD5: 626A24ED1228580B9518C01930936DF9
PID: 3940 (1188) C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 204288
MD5: 7EAED08CCCA4DDDE61A388C82598CFA9
PID: 2464 (2480) c:\program files\fighters\spywarefighter\SPYWAREfighterTray.e xe
size: 246408
MD5: 3728857211EF65AE850DC29DF3205E10
PID: 5496 (1188) C:\WINDOWS\system32\cmd.exe
size: 388608
MD5: EEB024F2C81F0D55936FB825D21A91D6
PID: 5948 (1188) C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
size: 634368
MD5: 393AF6392BA299FE1C7B13FA29C09711
PID: 796 (5948) C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
size: 634368
MD5: 393AF6392BA299FE1C7B13FA29C09711
PID: 4200 (1188) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 252 (4200) C:\Program Files\National Instruments\Shared\NIUninstaller\uninst.exe
size: 1247840
MD5: F3B04AD6D6605A5059CC4A5CB36BED46
PID: 1408 (1712) C:\WINDOWS\system32\msiexec.exe
size: 78848
MD5: F5F0146580E7023ADB963879840777F8
PID: 6060 (5948) C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
size: 634368
MD5: 393AF6392BA299FE1C7B13FA29C09711
PID: 3260 (5948) C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
size: 634368
MD5: 393AF6392BA299FE1C7B13FA29C09711
PID: 4472 (5948) C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
size: 634368
MD5: 393AF6392BA299FE1C7B13FA29C09711
PID: 4652 (5696) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4 ( 0) System
PID: 4348 (1408) C:\WINDOWS\system32\MsiExec.exe
size: 78848
MD5: F5F0146580E7023ADB963879840777F8
PID: 5480 (1408) C:\WINDOWS\Installer\MSI34A.tmp
size: 56232
MD5: 2A7F9A2F8F08BBC0C5829B3A90B7EE96
A log file from earlier this evening when I just downloaded spy bot s&d
--- Report generated: 2008-10-19 18:44 ---
Hint of the Day: Click the bar at the right of this to see more information! ()
AdwareAlert: [SBI $52C5F396] Settings (מפתח רישום, nothing done)
HKEY_USERS\S-1-5-21-343743635-3307870191-2053664491-1006\Software\AdwareAlert
ErrorSmart: [SBI $8E4C1D3D] Settings (מפתח רישום, nothing done)
HKEY_USERS\S-1-5-21-343743635-3307870191-2053664491-1006\Software\ErrorSmart
ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 05_31_58 PM_484.log
ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 05_49_53 PM_796.log
ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 08_16_38 PM_328.log
ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 08_41_00 PM_671.log
ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 09_27_33 PM_515.log
ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 12_16_19 PM_859.log
ErrorSmart: [SBI $7B416CCA] Data (קובץ, nothing done)
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
RegistrySmart: [SBI $FCEE4898] Settings (מפתח רישום, nothing done)
HKEY_USERS\S-1-5-21-343743635-3307870191-2053664491-1006\Software\RegistrySmart
RegistrySmart: [SBI $81F408AB] Settings (מפתח רישום, nothing done)
HKEY_LOCAL_MACHINE\Software\RegistrySmart
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_05_17_11_51_45.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_05_17_11_51_53.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_05_24_09_10_06.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_06_14_10_01_53.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_06_15_03_09_36.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_06_20_22_29_01.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_07_01_20_40_26.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_07_12_12_06_09.log
RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_07_14_17_02_38.log
RegistrySmart: [SBI $A6ED8F18] Data (קובץ, nothing done)
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
Microsoft.Windows.Security.InternetExplorer: [SBI $366713D4] Settings (רישום שהשתנה, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_ LOCKDOWN\iexplore.exe
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (רישום שהשתנה, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
Microsoft.Windows.AppFirewallBypass: [SBI $2593FAE5] Settings (ערך הרישום, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\S haredAccess\Parameters\FirewallPolicy\StandardProf ile\AuthorizedApplications\List\C:\WINDOWS\system3 2\winver.exe
Microsoft.Windows.AppFirewallBypass: [SBI $17E546F4] Settings (ערך הרישום, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\S haredAccess\Parameters\FirewallPolicy\StandardProf ile\AuthorizedApplications\List\C:\WINDOWS\system3 2\winver.exe
Hupigon13: [SBI $D5A7DCB6] Settings (מפתח רישום, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Virtumonde: [SBI $1F8EC695] Settings (מפתח רישום, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
Virtumonde.dll: [SBI $8770FED0] Library (קובץ, nothing done)
C:\WINDOWS\system32\jkkJaxXQ.dll
Virtumonde.dll: [SBI $8770FED0] Library (קובץ, nothing done)
C:\WINDOWS\system32\geBsqpqR.dll
Virtumonde.dll: [SBI $8770FED0] Library (קובץ, nothing done)
C:\WINDOWS\system32\ddcBTNDW.dll
Zlob.Downloader.bit: [SBI $12A26DDA] Installer (קובץ, nothing done)
c:\autorun.inf
Log: Activity: COM+.log (קובץ גיבוי, nothing done)
C:\WINDOWS\COM+.log
Log: Activity: SchedLgU.Txt (קובץ גיבוי, nothing done)
C:\WINDOWS\SchedLgU.Txt
Log: Activity: imsins.log (קובץ גיבוי, nothing done)
C:\WINDOWS\imsins.log
Log: Activity: OEWABLog.txt (קובץ גיבוי, nothing done)
C:\WINDOWS\OEWABLog.txt
Log: Activity: ntbtlog.txt (קובץ גיבוי, nothing done)
C:\WINDOWS\ntbtlog.txt
Log: Install: comsetup.log (קובץ גיבוי, nothing done)
C:\WINDOWS\comsetup.log
Log: Install: ocgen.log (קובץ גיבוי, nothing done)
C:\WINDOWS\ocgen.log
Log: Install: setupact.log (קובץ גיבוי, nothing done)
C:\WINDOWS\setupact.log
Log: Install: setupapi.log (קובץ גיבוי, nothing done)
C:\WINDOWS\setupapi.log
Log: Install: svcpack.log (קובץ גיבוי, nothing done)
C:\WINDOWS\svcpack.log
Log: Install: wmsetup.log (קובץ גיבוי, nothing done)
C:\WINDOWS\wmsetup.log
Log: Install: DtcInstall.log (קובץ גיבוי, nothing done)
C:\WINDOWS\DtcInstall.log
Log: Shutdown: System32\wbem\logs\mofcomp.log (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log
Log: Shutdown: System32\wbem\logs\wbemcore.log (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log
Log: Shutdown: System32\wbem\logs\wbemess.lo_ (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_
Log: Shutdown: System32\wbem\logs\wbemess.log (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log
Log: Shutdown: System32\wbem\logs\wbemprox.log (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log
Log: Shutdown: System32\wbem\logs\wmiadap.log (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (קובץ גיבוי, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log
Cookie: Cookie (22) (Cookie, nothing done)
Cache: Cache (663) (Cache, nothing done)
History: History (65) (History, nothing done)
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-10-19 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-09-02 Includes\Adware.sbi (*)
2008-10-14 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-10-07 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-10-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-10-08 Includes\Malware.sbi (*)
2008-10-14 Includes\MalwareC.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-10-14 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-09-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-09-09 Includes\Spyware.sbi (*)
2008-10-14 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-10-15 Includes\Trojans.sbi (*)
2008-10-14 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
*If any other details required so ask and you'll get.
Thats it. hope to get some quick helpful tips to this ugly situation..
Thanks,
Rotem
Hello and Welcome to the forums!
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"
If you follow these instructions, everything should go smoothly.
1 - Fix policies
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe) Double-click FixPolicies.exe.
Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box should briefly appear and then close. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.
2 - Install hijackthis
Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Before I'll paste the log file from HijackThis, I'll give you a little status update.
1. When I scan my computer earlier with spybot s&d it found me those errors:
--- Report generated: 2008-10-20 18:54 ---
Microsoft.Windows.Security.InternetExplorer: [SBI $366713D4] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
Hupigon13: [SBI $D5A7DCB6] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Virtumonde: [SBI $1F8EC695] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
When I tried to fix it, everything looked good again for a minute, even when I checked if the "regedit" command works, it worked. but after a couple of seconds the problem returned, and the command didn't work.
2. I looked on the processes that running in my PC and I noticed 2 processes that was not supposed to be there, and therefore I rebuilt the batch file that I used earlier to stop iexplore.exe from running to stop those 2 file from running, after I did so the iexplore.exe didn't appear itself again. (if I wasn't asking it to be)
The batch file code is:
echo off
:START
cls
process -k printdrv.exe
echo prindrv.exe was killed.
process -k WMPNetwk.exe
echo WMPNetwk.exe was killed.
GOTO START
3. And finally the log file you asked for:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:17, on 20/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\LSPRN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Fighters\configservice.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Fighters\licenseservice.exe
C:\Program Files\Fighters\updateservice.exe
C:\Program Files\Fighters\ScannerService.exe
C:\Program Files\avg\avg8\avgtray.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0574D50F-C261-490D-BF39-4E91183C4EFB} - C:\WINDOWS\system32\opnolJcB.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\avg\avg8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\avg\avg8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Printer Driver] C:\WINDOWS\system32\PRINTDRV.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [PrinterSecurityLayer] C:\WINDOWS\LSPRN.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: opnolJcB - opnolJcB.dll (file missing)
O20 - Winlogon Notify: winzzd32 - C:\WINDOWS\SYSTEM32\winzzd32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PTK License-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\configservice.exe
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
--
End of file - 13310 bytes
Sorry if I gave unneeded info., I prefer to talk about nonsense instead of maybe keeping important things to myself.
Thanks a lot for your help,
Rotem
Hi Rotem
1- Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
3 - Status Check
Please reply with
1. the ComboFix log
2. a fresh HijackThis log
Thanks peku006
I have only problems from this point on..
1. The links you gave me are'nt working so I downloaded the combofix from another place.
2. When I first ran combofix it said something about policies so I activated the fixpolicies.cmd that you told me to download, and now it gives me another messages. I attached a printscreen image. (I made it to zip file so it will let me upload it to here)
waiting for new instructions.. :(
Hi Rotem
Lets try this
download and run RSIT
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)
Please reply with
the logs from RSIT (log.txt ,info.txt)
Thanks peku006
Hi,
Maybe the problem is because AVG still worked even when I closed it from the traybar, and maybe even Avira AV runing and I can't see it?
The logs are attached because it says that the text is too long with it inside the message.
Hi Rotem
Multiple Antivirus Programs
You are running more than 1 Antivirus program!
Avira
AVG
Running - more than one - Antivirus program is not recommended because they can conflict with each other. In addition...
Antivirus programs take up an enormous amount of your computer's resources when actively scanning your computer.
Running multiple Antivirus programs, at the same time can cause your computer to become unstable...run slowly and even, in rare cases, crash.
I would strongly suggest you uninstall one of them.
1 - Download and Run OTMoveIt3
Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.
Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the lines in the codebox below.
:Processes
LSPRN.EXE
:Files
C:\WINDOWS\system32\opnolJcB.dll
C:\WINDOWS\LSPRN.EXE
C:\WINDOWS\system32\opnolJcB.dll
C:\WINDOWS\system32\apisc32.dll
C:\WINDOWS\system32\apibsc32.dll
C:\WINDOWS\system32\divxdrv32.exe
C:\WINDOWS\system32\39upd.dll
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0574D50F-C261-490D-BF39-4E91183C4EFB}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"PrinterSecurityLayer"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnolJcB]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzzd32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0574D50F-C261-490D-BF39-4E91183C4EFB}"=-
Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar, Code box into OTMoveIt3 (1).) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the OTMoveIt3 log
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
description of any problems you are having with your PC
Thanks peku006
Hi,
Status check:
1. The regedit is back to work.
2. My task manager still won't start when I press alt+ctrl+del.
3. Windows update directs me to MSN.COM ..
4. The blue screen fatal error disapear I think. (last time I rebooted after the system scan it didn't show up)
5. The pop-ups are now gone.
6. I don't know if realted or not but AVG 8 still won't let me update itself.
7. A few minutes after I turn on my PC a error message apear says: "The instance cssauth.exe cannot start because of initialization error." it was also before but I didn't noticed it as now.
8. 2 apllications called "Opearting System" and "SPOOLSV.exe" is trying to access the web, (I see it by AVG firewall)
Spoolsv is formiliar to me as system service, correct me if I'm wrong, but I don't think that this is the one. For now I'm blocking them both, until you tell me otherwise.
One more thing about those apps - the remote adress it tries to connect is 192.168.1.255 - this is a local adress that does not excist!
9. After the "Malwarebytes' Anti-Malware" check it asked me to reboot as you said it might be. After I rebooted, windows was starting and then the laptop's power cable disconnected and the PC turned off, when I reconnected the cable I started windows and I started a new scan of Malwarebytes' Anti-Malware, after the scan it asked me to reboot as earlier, and after I did and the windows turned on it didn't activate Malwarebytes' Anti-Malware again. Is it ok? or like I think it was supposed to do another removal act for those file I did reboot for?
** The logs are attached.
Hi
I will answer your questions later......
please do the following..........
WAREOUT
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin;
follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
Post back the contents of the logfile C:\fixwareout\report.txt.
Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems.
Hi,
I did the scan, it didn't ask me to reboot twice.
The check about the DNS server, I already did it a few days ago it was manually configured and I changed it to Auto., so now I didn't have what to change from your second step.
The log:
Username "Iris Reiss" - 10/21/2008 15:52:49 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}
"DhcpNameServer"="85.255.112.16" <Value cleared.
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"suScheduler"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\UCLauncher.exe /SCHEDULER"
"LPManager"="C:\\PROGRA~1\\THINKV~2\\PrdCtr\\LPMGR.exe"
"ISUSPM Startup"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"cssauth"="\"C:\\Program Files\\IBM ThinkVantage\\Client Security Solution\\cssauth.exe\" silent"
"PDService.exe"="\"C:\\Program Files\\IBM ThinkVantage\\SafeGuard PrivateDisk\\pdservice.exe\""
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"DownloadAccelerator"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"spywarefighterguard"="C:\\Program Files\\Fighters\\spywarefighter\\SpywarefighterUser.exe"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Google Update"="\"C:\\Documents and Settings\\Iris Reiss\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Thanks,
Rotem
Hi
Open Notepad.
Copy the text from the box to an empty file.
Save it as export.bat to your desktop.
Choose save as all types
regedit /e c:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
Close Notepad.
Locate Export.bat on your Desktop and double-click on it It will create a file called look.txt in C:\
Copy the entire text and past it to your reply here in this topic.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NV Hostname"="IRIS"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="IRIS"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000000
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:0000001e
"StrictTimeWaitSeqCheck"=dword:00000001
"DhcpNameServer"="85.255.112.16 192.168.1.254"
"DhcpDomain"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,44,00,34,00,39,00,37,00,33,00,\
32,00,30,00,2d,00,45,00,30,00,31,00,36,00,2d,00,34,00,42,00,30,00,45,00,2d,\
00,39,00,38,00,31,00,30,00,2d,00,32,00,39,00,38,00,39,00,35,00,43,00,34,00,\
39,00,41,00,43,00,32,00,42,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,\
00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,\
6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,45,\
00,37,00,36,00,46,00,38,00,45,00,31,00,2d,00,32,00,36,00,44,00,46,00,2d,00,\
34,00,37,00,35,00,41,00,2d,00,38,00,41,00,32,00,30,00,2d,00,45,00,37,00,39,\
00,39,00,46,00,42,00,43,00,46,00,41,00,32,00,46,00,41,00,7d,00,00,00,54,00,\
63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,\
00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,\
73,00,5c,00,7b,00,42,00,46,00,36,00,41,00,36,00,46,00,31,00,37,00,2d,00,30,\
00,35,00,33,00,46,00,2d,00,34,00,46,00,42,00,34,00,2d,00,39,00,38,00,43,00,\
38,00,2d,00,45,00,46,00,31,00,43,00,42,00,36,00,31,00,34,00,34,00,41,00,45,\
00,42,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,\
61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,\
00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,39,00,31,00,41,00,41,00,42,00,\
38,00,33,00,45,00,2d,00,30,00,37,00,41,00,42,00,2d,00,34,00,43,00,34,00,45,\
00,2d,00,38,00,37,00,31,00,36,00,2d,00,39,00,33,00,36,00,45,00,37,00,44,00,\
37,00,42,00,33,00,32,00,31,00,37,00,7d,00,00,00,00,00
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:20,73,49,fd,16,e0,0e,4b,98,10,29,89,5c,49,ac,2b,e1,f8,76,fe,\
df,26,5a,47,8a,20,e7,99,fb,cf,a2,fa,17,6f,6a,bf,3f,05,b4,4f,98,c8,ef,1c,b6,\
14,4a,eb,3e,b8,aa,91,ab,07,4e,4c,87,16,93,6e,7d,7b,32,17
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{0926575B-93EA-4E23-91B7-F896545D23EF}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,30,00,39,00,32,00,36,00,35,00,37,00,\
35,00,42,00,2d,00,39,00,33,00,45,00,41,00,2d,00,34,00,45,00,32,00,33,00,2d,\
00,39,00,31,00,42,00,37,00,2d,00,46,00,38,00,39,00,36,00,35,00,34,00,35,00,\
44,00,32,00,33,00,45,00,46,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,38,00,44,00,30,00,38,00,42,00,39,00,\
43,00,38,00,2d,00,33,00,46,00,43,00,38,00,2d,00,34,00,45,00,36,00,43,00,2d,\
00,38,00,43,00,31,00,46,00,2d,00,41,00,36,00,46,00,37,00,41,00,43,00,42,00,\
43,00,43,00,32,00,31,00,42,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{91CF9B4D-5FEE-46EA-8BF5-25306DB21C41}]
"LLInterface"="ARP1394"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,39,00,31,00,43,00,46,00,39,00,42,00,\
34,00,44,00,2d,00,35,00,46,00,45,00,45,00,2d,00,34,00,36,00,45,00,41,00,2d,\
00,38,00,42,00,46,00,35,00,2d,00,32,00,35,00,33,00,30,00,36,00,44,00,42,00,\
32,00,31,00,43,00,34,00,31,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,39,00,33,00,31,00,35,00,37,00,\
32,00,44,00,2d,00,37,00,44,00,30,00,30,00,2d,00,34,00,30,00,38,00,32,00,2d,\
00,39,00,37,00,43,00,36,00,2d,00,31,00,41,00,31,00,32,00,34,00,41,00,38,00,\
43,00,30,00,39,00,44,00,44,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0926575B-93EA-4E23-91B7-F896545D23EF}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"InterfaceMetric"=dword:0000000a
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.254"
"Lease"=dword:0036ee80
"LeaseObtainedTime"=dword:48fddf54
"T1"=dword:4934cdc0
"T2"=dword:4934cdc0
"LeaseTerminatesTime"=dword:4934cdd4
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:ebbac26a
"AddressType"=dword:00000000
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="192.168.1.182"
"DhcpSubnetMask"="255.255.255.0"
"DhcpRetryTime"=dword:0036ee69
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="85.255.112.16 192.168.1.254"
"DhcpDomain"=""
"DhcpDefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
00,2e,00,32,00,35,00,34,00,00,00,00,00
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,30,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91AAB83E-07AB-4C4E-8716-936E7D7B3217}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"DhcpClassIdBin"=hex:
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,31,00,32,00,38,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91CF9B4D-5FEE-46EA-8BF5-25306DB21C41}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BF6A6F17-053F-4FB4-98C8-EF1CB6144AEB}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.254"
"Lease"=dword:0036ee80
"LeaseObtainedTime"=dword:47873c4b
"T1"=dword:47be2ab7
"T2"=dword:47be2ab7
"LeaseTerminatesTime"=dword:47be2acb
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"InterfaceMetric"=dword:0000000a
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="192.168.1.100"
"DhcpSubnetMask"="255.255.255.0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FD497320-E016-4B0E-9810-29895C49AC2B}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FE76F8E1-26DF-475A-8A20-E799FBCFA2FA}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,31,00,32,00,38,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00
Hi...
hmm.... still......"DhcpNameServer"="85.255.112.16 192.168.1.254"
Go to Start / Run / then type in cmd
Press okay.
Type or copy/paste the following in the Command box:
Press Enter after each one.
ipconfig /release
ipconfig /flushdns
ipconfig /renew
Type EXIT to close & turn off the computer.
Please delete this file using Windows Explorer(if present):
C:\look.txt
then.....
Locate Export.bat on your Desktop and double-click on it It will create a file called look.txt in C:\
Copy the entire text and past it to your reply here in this topic
I don't think that the adress is a problem as you do, this is my ISP adress and the other adress is my router adress, look on some info. from my router:
Domain Name Server 85.255.112.16, 85.255.112.180
Do you still think I should do what you said?
Hi
are you from Ukraine ?
Hi
please read this (http://samspade.org/whois/85.255.112.180)
Hi,
Is it possible that if I save my login name and psw in IE , then some ,program could be able to hack in my router and change it pref. ? because I think that the first problem I had is that my Internet connection fall down, and when I got into my router's pref. I saw that all my Internet con. settings has been changed, and only after I changed a few things like my connection type (back to PPPoE) my Internet connection worked again.
I'm now reconfiguring my router to my ISP DHCP adress, I'll upate you after your next response.
Thanks,
Rotem
Hi
Is it possible that if I save my login name and psw in IE , then some ,program could be able to hack in my router and change it pref
Yes...settings on the router can be changed, including the DNS servers
Okay, some updates and new log file.
I fixed my dns servers in my router, with my ISP on phone, now I'm able to surf, and also the adress from Ukraine is gone! (I checked it using ipconfig /all)
But after I did release-flushdns-renew a pop up from my firewall apear asking me about Windows Media Player Networking or something like that (I blocked it again for now), and I noticed that the process wmpnetwk.exe is runing as before.
log file from Export.bat :
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NV Hostname"="IRIS"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="IRIS"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000000
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:0000001e
"StrictTimeWaitSeqCheck"=dword:00000001
"DhcpNameServer"="194.90.1.5 192.168.1.254"
"DhcpDomain"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,44,00,34,00,39,00,37,00,33,00,\
32,00,30,00,2d,00,45,00,30,00,31,00,36,00,2d,00,34,00,42,00,30,00,45,00,2d,\
00,39,00,38,00,31,00,30,00,2d,00,32,00,39,00,38,00,39,00,35,00,43,00,34,00,\
39,00,41,00,43,00,32,00,42,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,\
00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,\
6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,45,\
00,37,00,36,00,46,00,38,00,45,00,31,00,2d,00,32,00,36,00,44,00,46,00,2d,00,\
34,00,37,00,35,00,41,00,2d,00,38,00,41,00,32,00,30,00,2d,00,45,00,37,00,39,\
00,39,00,46,00,42,00,43,00,46,00,41,00,32,00,46,00,41,00,7d,00,00,00,54,00,\
63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,\
00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,\
73,00,5c,00,7b,00,42,00,46,00,36,00,41,00,36,00,46,00,31,00,37,00,2d,00,30,\
00,35,00,33,00,46,00,2d,00,34,00,46,00,42,00,34,00,2d,00,39,00,38,00,43,00,\
38,00,2d,00,45,00,46,00,31,00,43,00,42,00,36,00,31,00,34,00,34,00,41,00,45,\
00,42,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,\
61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,\
00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,39,00,31,00,41,00,41,00,42,00,\
38,00,33,00,45,00,2d,00,30,00,37,00,41,00,42,00,2d,00,34,00,43,00,34,00,45,\
00,2d,00,38,00,37,00,31,00,36,00,2d,00,39,00,33,00,36,00,45,00,37,00,44,00,\
37,00,42,00,33,00,32,00,31,00,37,00,7d,00,00,00,00,00
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:20,73,49,fd,16,e0,0e,4b,98,10,29,89,5c,49,ac,2b,e1,f8,76,fe,\
df,26,5a,47,8a,20,e7,99,fb,cf,a2,fa,17,6f,6a,bf,3f,05,b4,4f,98,c8,ef,1c,b6,\
14,4a,eb,3e,b8,aa,91,ab,07,4e,4c,87,16,93,6e,7d,7b,32,17
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{0926575B-93EA-4E23-91B7-F896545D23EF}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,30,00,39,00,32,00,36,00,35,00,37,00,\
35,00,42,00,2d,00,39,00,33,00,45,00,41,00,2d,00,34,00,45,00,32,00,33,00,2d,\
00,39,00,31,00,42,00,37,00,2d,00,46,00,38,00,39,00,36,00,35,00,34,00,35,00,\
44,00,32,00,33,00,45,00,46,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,38,00,44,00,30,00,38,00,42,00,39,00,\
43,00,38,00,2d,00,33,00,46,00,43,00,38,00,2d,00,34,00,45,00,36,00,43,00,2d,\
00,38,00,43,00,31,00,46,00,2d,00,41,00,36,00,46,00,37,00,41,00,43,00,42,00,\
43,00,43,00,32,00,31,00,42,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{91CF9B4D-5FEE-46EA-8BF5-25306DB21C41}]
"LLInterface"="ARP1394"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,39,00,31,00,43,00,46,00,39,00,42,00,\
34,00,44,00,2d,00,35,00,46,00,45,00,45,00,2d,00,34,00,36,00,45,00,41,00,2d,\
00,38,00,42,00,46,00,35,00,2d,00,32,00,35,00,33,00,30,00,36,00,44,00,42,00,\
32,00,31,00,43,00,34,00,31,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,39,00,33,00,31,00,35,00,37,00,\
32,00,44,00,2d,00,37,00,44,00,30,00,30,00,2d,00,34,00,30,00,38,00,32,00,2d,\
00,39,00,37,00,43,00,36,00,2d,00,31,00,41,00,31,00,32,00,34,00,41,00,38,00,\
43,00,30,00,39,00,44,00,44,00,7d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0926575B-93EA-4E23-91B7-F896545D23EF}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"InterfaceMetric"=dword:0000000a
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.254"
"Lease"=dword:0036ee80
"LeaseObtainedTime"=dword:48fe0691
"T1"=dword:4934f4fd
"T2"=dword:4934f4fd
"LeaseTerminatesTime"=dword:4934f511
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:ebbac26a
"AddressType"=dword:00000000
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="192.168.1.182"
"DhcpSubnetMask"="255.255.255.0"
"DhcpRetryTime"=dword:0036ee69
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="194.90.1.5 192.168.1.254"
"DhcpDomain"=""
"DhcpDefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
00,2e,00,32,00,35,00,34,00,00,00,00,00
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,30,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91AAB83E-07AB-4C4E-8716-936E7D7B3217}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"DhcpClassIdBin"=hex:
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,31,00,32,00,38,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91CF9B4D-5FEE-46EA-8BF5-25306DB21C41}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BF6A6F17-053F-4FB4-98C8-EF1CB6144AEB}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.254"
"Lease"=dword:0036ee80
"LeaseObtainedTime"=dword:47873c4b
"T1"=dword:47be2ab7
"T2"=dword:47be2ab7
"LeaseTerminatesTime"=dword:47be2acb
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"InterfaceMetric"=dword:0000000a
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="192.168.1.100"
"DhcpSubnetMask"="255.255.255.0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FD497320-E016-4B0E-9810-29895C49AC2B}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FE76F8E1-26DF-475A-8A20-E799FBCFA2FA}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,31,00,32,00,38,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00
Waiting for new instructions.
Thanks,
Rotem
Hi
Pleaese run FixPolicies.exe again.........
1 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
2 - Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1 the Kaspersky online scanner report
2. a fresh HijackThis log
How is the computer running now?
Thanks peku006
I'm downloading the Kaspersky now, but while it's downloading can you explain me why not to use Avira AV? Why to download another AV? and do you believe that the DNS problem is gone as I do?
I'll be glad if you'll explain me what I'm doing before every step.
Thanks,
Rotem
Hi
Why to download another AV?
Free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one. Most importantly, you can see what viruses your current antivirus software let slip through!
do you believe that the DNS problem is gone as I do?
Yes.....I do not see "85.255.112.16" in last Export.bat log file
Could you please follow my instructions from my last post.
Hi,
Status:
1. The task manager is still not coming up when I press Alt+Ctrl+Del..
2. AVG still won't update so I think that I'll just delete it and use avira AV & Windows firewall, what do you think?
3. The message about cssauth.exe after the computer starts still coming up.
The logs:
Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 21, 2008 15:42:13
Records in database: 1331871
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 86499
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 04:04:31
File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\vncclipboard.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\System Volume Information\_restore{CC9CE5F3-EF0B-4195-96E8-179B3C0D9772}\RP731\A0097766.inf Infected: Worm.Win32.AutoRun.nuu 1
C:\System Volume Information\_restore{CC9CE5F3-EF0B-4195-96E8-179B3C0D9772}\RP733\A0099914.dll Infected: Backdoor.Win32.Agent.tgi 1
The selected area was scanned.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:46:37, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Fighters\configservice.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Fighters\licenseservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fighters\updateservice.exe
C:\Program Files\Fighters\ScannerService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\avg\avg8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\avg\avg8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\avg\avg8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PTK License-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\configservice.exe
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
--
End of file - 12574 bytes
Thanks,
Rotem
Hi Rotem
1. The task manager is still not coming up when I press Alt+Ctrl+Del..
we will fix it later........(reg.fix)
2. AVG still won't update so I think that I'll just delete it and use avira AV & Windows firewall, what do you think?
Avira will be a good choice, but Windows firewall
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
I will make some further recommendations once we have got your computer clean........
3. The message about cssauth.exe after the computer starts still coming up.
cssauth.exe is related to IBM ThinkVantage Client Security Solution
Troubleshooting - Client Security Solution (http://www-307.ibm.com/pc/support/site.wss/MIGR-56104.html)
1- Registry editing
Go to Start > Run
Type regedit and click OK.
On the leftside, click to highlight My Computer at the top.
Go up to "File > Export"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
Choose to save it to C:\ or in somewhere else safe location so that you will remember where you put it (don't put it on the Desktop!)
Click Save and then go to File > Exit.
Open Notepad and copy the contents of the following box to a new file.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Save it as fix.reg (save type: "All files" (*.*)) to your desktop.
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Go to Desktop, double-click fix.reg and merge the infomation with the registry.
2- OTViewIt
Please download OTViewIt (http://oldtimer.geekstogo.com/OTViewIt.exe) by OldTimer and save it to your Desktop.
Close all applications and windows.
Double-click on the OTViewIt.exeto start OTViewIt.
Place a checkmark in the blue-colored "Scan All Users" checkbox.
Click the blue Run Scan button.
OTViewIt will now start its scan.
When the scan is complete, two text files will be created, OTViewIt.Txt <- this one will be opened in Notepad and Extras.txt, on Desktop.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and the Extras.txt to your post.
3 - BLACKLIGHT
Please download F-Secure Blacklight (fsbl.exe) from here (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe)
Save into C:\ with a name of fsbl.exe
Go to Start > Run
Copy and paste the contents of the below codebox into the run box
C:\fsbl.exe /expert
Click OK
This will launch BlackLight
Select I accept the agreement
Click Next
Click Scan
Wait for the scan to finish
Click on Next>
Click Exit
A logfile will have been created in the C:\ drive
It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
Use notepad to open that log
Post the contents of that log as a reply to this topic
Please reply with
the OTViewIt.log
the fsbl.log
How is the computer running now?
Thanks peku006
Hi,
The problem with the task manager still excist.
The logs are attached.
Hi
You could try going to start, run and type
sfc /scannow (a space between sfc and /scannow)
Make sure you have your windows install cd in the drive so windows can get any missing files it needs.
and post back if it helpe
Hi,
1. There is a way doing it without the cd? because in the company they give me the laptop with windows on it and without the cd.
2. I still have messages from my firewall says that "Opearting System" is trying to connect to 192.168.1.255 (adress that doesn't excist on my network) I keep blocking it but what is it?
3. What about my Antivirus & Firewall dilemma? what do you think I should do? can you give me any advice?
Thanks,
Rotem
About the taskmgr, I sat about it all night and finnaly I found the problem somewhere deep in the registry.
I fixed AVG update and I deleted Avira.
So thanks for all the help, I hope that I won't need to come back here for new advice.
Have a good day,
Rotem
Hi rreiss
Great that your machine is running better now, the scans are fine and it looks like your machine is clean :)
Next we remove all used tools.
Please delete rsit and c:\rsit folder
Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clear system restore points
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpyWare Blaster 4.1
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Note:"Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note: If you are running Windows XP SP2, you should upgrade to SP3.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Happy safe surfing! :bigthumb: