PDA

View Full Version : Help! E-mail Hijacker



HeavyShadow
2006-10-13, 22:52
my computer has been infected with some e-mail hijacker, causing mupltiple attempts of e-mail sends...
ad-aware and spybot both failed to remove the problem.

please help me, i really don't know how to beat this one.
here's my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 21:47:41, on 13/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\rundll32.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\svchost.exe
C:\Documents and Settings\hezi\שולחן העבודה\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ubifone.co.il/habuma
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kazaa.vmule.com/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~1\NETEX\URLSEA~1.DLL
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk142YYIL
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CD60E63-1850-4E5E-B7F7-EB7AECC3126A} (Masav.GetFileContent) - https://hb2.bankleumi.co.il/HomeBank/Operations/Masav.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/download/CfxIEAx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {38AF165F-0599-4D29-9DA1-5C169F45023A} (CFloppyOp Object) - https://hb2.bankleumi.co.il/H/FloppyOpIe.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.bigfishgames.com/online/dinerdash/DinerDash.1.0.0.58.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU-new/launcher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: evenncob.dll e1.dll confcon.dll constat.dll
O20 - Winlogon Notify: conmgr - C:\windows\SYSTEM32\conmgr32.dll
O20 - Winlogon Notify: dssmgr - egamgr32.dll (file missing)
O20 - Winlogon Notify: sysshtic - C:\windows\system32\sysshtic.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\hezi\LOCALS~1\Temp\Rar$EX00.859\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LonnyRJones
2006-10-18, 17:53
Hi

My eyes are not to good, post a log without added forum special formating please

HeavyShadow
2006-10-18, 21:56
here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 21:47:41, on 13/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\rundll32.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\svchost.exe
C:\Documents and Settings\hezi\שולחן העבודה\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ubifone.co.il/habuma
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kazaa.vmule.com/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~1\NETEX\URLSEA~1.DLL
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk142YYIL
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CD60E63-1850-4E5E-B7F7-EB7AECC3126A} (Masav.GetFileContent) - https://hb2.bankleumi.co.il/HomeBank...ions/Masav.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/download/CfxIEAx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {38AF165F-0599-4D29-9DA1-5C169F45023A} (CFloppyOp Object) - https://hb2.bankleumi.co.il/H/FloppyOpIe.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/f...utLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.bigfishgames.com/online/d...h.1.0.0.58.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU-new/launcher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: evenncob.dll e1.dll confcon.dll constat.dll
O20 - Winlogon Notify: conmgr - C:\windows\SYSTEM32\conmgr32.dll
O20 - Winlogon Notify: dssmgr - egamgr32.dll (file missing)
O20 - Winlogon Notify: sysshtic - C:\windows\system32\sysshtic.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\hezi\LOCALS~1\Temp\Rar$EX00.859\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

there is another thing, which might be causing this whole problem...
my antivirus jumps with an alert of "W32.stration@mm" from time to time. the thing is, it cleans the files, and doesn't find anything else. then the whole thing happens again.

LonnyRJones
2006-10-19, 03:28
Thanks

Zip up and send me this folder please
C:\PROGRAM FILES\NETEX\
Send it to submitlonnyATsubratam.org
Replace AT with @ , include a link back to this thread.
Unless you know what it is ?

Before we tackle the others Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

HeavyShadow
2006-10-19, 13:58
Netex is cool, I know what it does.

here's the ComboFix report:

hezi - 06-10-19 12:54:13.20 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\dagan\vitalprograms"

((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-19 06:52 0 --a------ C:\WINDOWS\c6wsq6.reg
2006-10-19 06:19 134,144 --a------ C:\WINDOWS\msout.exe
2006-10-19 03:18 8,704 --a------ C:\WINDOWS\SYSTEM32\e1.dll
2006-10-19 03:18 133,120 --a------ C:\WINDOWS\serrv.exe
2006-10-18 19:13 53,248 --ah----- C:\WINDOWS\SYSTEM32\brwprf32.dll
2006-10-18 19:13 49,152 --ah----- C:\WINDOWS\SYSTEM32\confbrw.dll
2006-10-18 19:13 49,152 --ah----- C:\WINDOWS\SYSTEM32\brwconf.exe
2006-10-18 19:13 40,960 --ah----- C:\WINDOWS\SYSTEM32\brwperf.exe
2006-10-18 19:13 352,256 --ah----- C:\WINDOWS\SYSTEM32\brwmgr32.dll
2006-10-18 19:13 143,360 --ah----- C:\WINDOWS\SYSTEM32\brwstat.dll
2006-10-18 19:13 109,256 --a------ C:\WINDOWS\twain22.exe
2006-10-18 11:12 141,312 --a------ C:\WINDOWS\cc3.exe
2006-10-17 14:37 0 --a------ C:\WINDOWS\hv4e05.dll
2006-10-17 14:04 142,336 --a------ C:\WINDOWS\cc2.exe
2006-10-17 14:03 81,932 --a------ C:\WINDOWS\SYSTEM32\sysshtic.exe
2006-10-17 13:33 81,920 --ah----- C:\WINDOWS\SYSTEM32\yapconf.exe
2006-10-16 16:01 53,248 --ah----- C:\WINDOWS\SYSTEM32\confatt.dll
2006-10-16 16:01 53,248 --ah----- C:\WINDOWS\SYSTEM32\attprf32.dll
2006-10-16 16:01 49,152 --ah----- C:\WINDOWS\SYSTEM32\atrconf.exe
2006-10-16 16:01 40,960 --ah----- C:\WINDOWS\SYSTEM32\attperf.exe
2006-10-16 16:01 356,352 --ah----- C:\WINDOWS\SYSTEM32\attmgr32.dll
2006-10-16 16:01 143,360 --ah----- C:\WINDOWS\SYSTEM32\attstat.dll
2006-10-13 11:39 528,384 --ah----- C:\WINDOWS\SYSTEM32\conmgr32.dll
2006-10-13 11:39 34,304 --a------ C:\WINDOWS\SYSTEM32\alerter.exe
2006-10-13 11:39 258,048 --ah----- C:\WINDOWS\SYSTEM32\constat.dll
2006-10-13 11:39 133,961 --a------ C:\WINDOWS\cct.exe
2006-10-10 18:39 0 --a------ C:\WINDOWS\cesm9q.reg
2006-10-06 22:35 0 --a------ C:\WINDOWS\eevmwk.reg
2006-10-06 21:57 3,144,800 --a------ C:\WINDOWS\semr8u8j8n.dll
2006-10-06 21:54 28,672 --a------ C:\WINDOWS\SYSTEM32\evenncob.dll
2006-10-06 21:54 110,592 --a------ C:\WINDOWS\SYSTEM32\sysshtic.dll
2006-09-19 17:44 2,560 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2006-09-19 17:44 2,432 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 14:42 -------- d-------- C:\Program Files\Google
2006-10-14 19:59 -------- d-------- C:\Program Files\SpyCQ
2006-10-13 17:03 -------- d-------- C:\Program Files\????? ????
2006-10-12 16:51 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-01 00:27 126456 --a------ C:\Documents and Settings\hezi\Application Data\GDIPFONTCACHEV1.DAT
2006-09-22 17:08 -------- d-------- C:\Program Files\Jasc Software Inc
2006-09-16 16:04 -------- d-------- C:\Program Files\Smiley Arcade
2006-09-16 15:13 28672 --a------ C:\WINDOWS\SYSTEM32\f3PSSavr.scr
2006-09-13 07:02 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-09 12:44 -------- d-------- C:\Program Files\Heroes III The Shadow of Death
2006-08-25 17:46 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 14:26 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltMc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fltMgr.sys
2006-08-16 13:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\SYSTEM32\sirenacm.dll
2006-07-27 15:26 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 10:25 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -trayboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"SystemTray"="SysTray.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"SoundMan"="SOUNDMAN.EXE"
"brwdiag"="C:\\windows\\system32\\brwconf.exe"
"serrv"="C:\\windows\\serrv.exe s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="דף הבית הנוכחי שלי"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,4c,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="כלי הטעינה מראש של Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="שרת (Daemon) של מטמון קטגוריות רכיבים"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"regeditt"="C:\\WINDOWS\\NORTON19.EXE"
"GLSetIT326"="C:\\WINDOWS\\MSIEXEC111.EXE"
"regeditkj"="C:\\WINDOWS\\MSIEXEC118.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\All Users\\תפריט התחלה\\תוכניות\\הפעלה\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\windows\\pss\\MyWebSearch Email Plugin.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^hezi^תפריט התחלה^תוכניות^הפעלה^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\hezi\\תפריט התחלה\\תוכניות\\הפעלה\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\windows\\pss\\MyWebSearch Email Plugin.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dancer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DncLE"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Plus! Dancer LE\\DncLE.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=dword:00000003
"avast! Mail Scanner"=dword:00000003
"avast! Antivirus"=dword:00000002
"aswUpdSv"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\brwmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dssmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysshtic

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\Tune-up Application Start.job
C:\windows\tasks\??????-??????? ?????.job
C:\windows\tasks\??????-???? ?????.job
C:\windows\tasks\??????-????? ????.job

Completion time: 06-10-19 12:55:30.59
C:\ComboFix.txt ... 06-10-19 12:55

LonnyRJones
2006-10-19, 15:23
Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox ensure it is the latest version. ?
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.

C:\windows\system32\evenncob.dll
C:\windows\system32\e1.dll
C:\windows\system32\confcon.dll
C:\windows\system32\constat.dll
C:\windows\SYSTEM32\conmgr32.dll
C:\windows\system32\sysshtic.dll
C:\WINDOWS\System32\yapconf.exe
C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\windows\system32\brwconf.exe
C:\WINDOWS\SYSTEM32\brwprf32.dll
C:\WINDOWS\SYSTEM32\confbrw.dll
C:\WINDOWS\SYSTEM32\brwconf.exe
C:\WINDOWS\SYSTEM32\brwperf.exe
C:\WINDOWS\SYSTEM32\brwmgr32.dll
C:\WINDOWS\SYSTEM32\brwstat.dll
C:\WINDOWS\SYSTEM32\sysshtic.exe
C:\WINDOWS\SYSTEM32\confatt.dll
C:\WINDOWS\SYSTEM32\attprf32.dll
C:\WINDOWS\SYSTEM32\atrconf.exe
C:\WINDOWS\SYSTEM32\attperf.exe
C:\WINDOWS\SYSTEM32\attmgr32.dll
C:\WINDOWS\SYSTEM32\attstat.dll
C:\WINDOWS\SYSTEM32\alerter.exe
C:\WINDOWS\msout.exe
C:\WINDOWS\serrv.exe
C:\WINDOWS\twain22.exe
C:\WINDOWS\hv4e05.dll
C:\WINDOWS\c6wsq6.reg
C:\WINDOWS\cct.exe
C:\WINDOWS\cesm9q.reg
C:\WINDOWS\eevmwk.reg
C:\WINDOWS\semr8u8j8n.dll
C:\WINDOWS\c6wsq6.reg
C:\WINDOWS\cc3.exe
C:\WINDOWS\cc2.exe

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.

Killbox will have made a folder and placed copies of each file here
c:\!killbox
Go here and submit each file in that folder, let me know if any are checked as ok, we would need to put it back in the prop[er locations if so.
http://www.virustotal.com/flash/index_en.html


Post a fresh hijackthis log

HeavyShadow
2006-10-20, 00:49
problem:

Killbox is counting down for restart, and then a message appears:

"PendingFileRenameOperations Registry Data has been removed by External Porcess!"

what should I do?

LonnyRJones
2006-10-20, 03:12
Add the files as in my last post but when Killbox asks if you want to reboot say no, exit killbox and restart your pc manualy, as in start shutdown.

Post another hijackthis and combofix logs please

HeavyShadow
2006-10-20, 14:52
hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 13:52:02, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\rundll32.exe
C:\windows\SOUNDMAN.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\hezi\שולחן העבודה\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ubifone.co.il/habuma
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kazaa.vmule.com/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~1\NETEX\URLSEA~1.DLL
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [brwdiag] C:\windows\system32\brwconf.exe
O4 - HKLM\..\Run: [serrv] C:\windows\serrv.exe s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk142YYIL
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CD60E63-1850-4E5E-B7F7-EB7AECC3126A} (Masav.GetFileContent) - https://hb2.bankleumi.co.il/HomeBank/Operations/Masav.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/download/CfxIEAx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {38AF165F-0599-4D29-9DA1-5C169F45023A} (CFloppyOp Object) - https://hb2.bankleumi.co.il/H/FloppyOpIe.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.bigfishgames.com/online/dinerdash/DinerDash.1.0.0.58.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU-new/launcher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: evenncob.dll e1.dll confbrw.dll brwstat.dll
O20 - Winlogon Notify: attmgr - attmgr32.dll (file missing)
O20 - Winlogon Notify: brwmgr - brwmgr32.dll (file missing)
O20 - Winlogon Notify: conmgr - conmgr32.dll (file missing)
O20 - Winlogon Notify: dssmgr - egamgr32.dll (file missing)
O20 - Winlogon Notify: sysshtic - C:\windows\system32\sysshtic.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\windows\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\hezi\LOCALS~1\Temp\Rar$EX00.859\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

HeavyShadow
2006-10-20, 14:55
combofix log:

hezi - 06-10-20 13:53:42.51 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\dagan\vitalprograms"

((((((((((((((((((((((((((((((( Files Created from 2006-09-20 to 2006-10-20 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 14:42 -------- d-------- C:\Program Files\Google
2006-10-14 19:59 -------- d-------- C:\Program Files\SpyCQ
2006-10-13 17:03 -------- d-------- C:\Program Files\????? ????
2006-10-12 16:51 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-01 00:27 126456 --a------ C:\Documents and Settings\hezi\Application Data\GDIPFONTCACHEV1.DAT
2006-09-22 17:08 -------- d-------- C:\Program Files\Jasc Software Inc
2006-09-16 16:04 -------- d-------- C:\Program Files\Smiley Arcade
2006-09-13 07:02 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-09 12:44 -------- d-------- C:\Program Files\Heroes III The Shadow of Death
2006-08-25 17:46 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 14:26 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltMc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fltMgr.sys
2006-08-16 13:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\SYSTEM32\sirenacm.dll
2006-07-27 15:26 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 10:25 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"SystemTray"="SysTray.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"SoundMan"="SOUNDMAN.EXE"
"brwdiag"="C:\\windows\\system32\\brwconf.exe"
"serrv"="C:\\windows\\serrv.exe s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="דף הבית הנוכחי שלי"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="כלי הטעינה מראש של Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="שרת (Daemon) של מטמון קטגוריות רכיבים"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"regeditt"="C:\\WINDOWS\\NORTON19.EXE"
"GLSetIT326"="C:\\WINDOWS\\MSIEXEC111.EXE"
"regeditkj"="C:\\WINDOWS\\MSIEXEC118.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\All Users\\תפריט התחלה\\תוכניות\\הפעלה\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\windows\\pss\\MyWebSearch Email Plugin.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^hezi^תפריט התחלה^תוכניות^הפעלה^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\hezi\\תפריט התחלה\\תוכניות\\הפעלה\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\windows\\pss\\MyWebSearch Email Plugin.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dancer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DncLE"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Plus! Dancer LE\\DncLE.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=dword:00000003
"avast! Mail Scanner"=dword:00000003
"avast! Antivirus"=dword:00000002
"aswUpdSv"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\attmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\brwmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\conmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dssmgr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysshtic

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\Tune-up Application Start.job
C:\windows\tasks\??????-??????? ?????.job
C:\windows\tasks\??????-???? ?????.job
C:\windows\tasks\??????-????? ????.job

Completion time: 06-10-20 13:54:43.04
C:\ComboFix2.txt ... 06-10-19 12:55
C:\ComboFix.txt ... 06-10-20 13:54

LonnyRJones
2006-10-20, 15:38
Did you miss this step ?


Killbox will have made a folder and placed copies of each file here
c:\!killbox
Go here and submit each file in that folder, let me know if any are checked as ok, we would need to put it back in the prop[er locations if so.
http://www.virustotal.com/flash/index_en.html (http://www.virustotal.com/flash/index_en.html)


Next:
Start Hijackthis and place a check next to these items If there.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kazaa.vmule.com/homepage.html
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk142YYIL
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
====================================
Hit fix checked and close Hijackthis.

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\attmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\brwmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\conmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dssmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysshtic]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"regeditt"=-
"GLSetIT326"=-
"regeditkj"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"brwdiag"=-
"serrv"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""

;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

Post another hijackthis log and mention any current problems.

HeavyShadow
2006-10-20, 22:04
I scanned the files in virustotal as you asked, all of them proved to be infected with something...

here's the hijackthis new log:

Logfile of HijackThis v1.99.1
Scan saved at 21:00:48, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\rundll32.exe
C:\windows\SOUNDMAN.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\hezi\שולחן העבודה\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ubifone.co.il/habuma
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~1\NETEX\URLSEA~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CD60E63-1850-4E5E-B7F7-EB7AECC3126A} (Masav.GetFileContent) - https://hb2.bankleumi.co.il/HomeBank/Operations/Masav.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/download/CfxIEAx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {38AF165F-0599-4D29-9DA1-5C169F45023A} (CFloppyOp Object) - https://hb2.bankleumi.co.il/H/FloppyOpIe.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.bigfishgames.com/online/dinerdash/DinerDash.1.0.0.58.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU-new/launcher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\windows\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\hezi\LOCALS~1\Temp\Rar$EX00.859\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


no problems are currently known, I hope we're done
are there any other suspicious entries in this log?

LonnyRJones
2006-10-21, 04:18
Your log looks fine

I suspect there will be a little problem when you next visit windows update, try it and see please ?

tashi
2006-10-27, 20:57
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.

Thank you Lonny