A few problems (malware)

rreiss

New member
Hi,
I've had a few problems with my PC for about a week, and it's just getting worse.

The problems:
1. "regedit" won't start; it's not recognized in Windows.
2. My Task Manager won't start when I press Ctrl+Alt+Del.
3. Windows Update directs me to MSN.COM (I'm not able to update my system).
4. When I shut down the computer I get a blue screen with a fatal error that says C000021a, or something like that.
5. When I log into Windows I get tons of pop-ups with ads. That window's address is c:\windows\iexplore.html, or something with rdmngr and a long continuation.
To be able to use my PC I built a batch file that closes every iexplore.exe process, so I'm now using Google Chrome to write this thread.

The protection programs I had until a couple of days ago were Symantec Norton AntiVirus + firewall (both not updated).
The programs I have now (after downloading and deleting others) are AVG Internet Security (which won't let me update itself; it says my internet connection is not good, which is weird),
SPYWAREfighter (fully updated and clean of problems),
and last of all, the one I think is the most helpful, SpyBot S&D (fully updated).

I'll give a little info about what's happening on my computer now (all from Spybot S&D):

My running processes:

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---


A log file from earlier this evening, when I had just downloaded Spybot S&D:


--- Report generated: 2008-10-19 18:44 ---


AdwareAlert: [SBI $52C5F396] Settings (מפתח רישום, nothing done)
HKEY_USERS\S-1-5-21-343743635-3307870191-2053664491-1006\Software\AdwareAlert

ErrorSmart: [SBI $8E4C1D3D] Settings (מפתח רישום, nothing done)
HKEY_USERS\S-1-5-21-343743635-3307870191-2053664491-1006\Software\ErrorSmart

ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 05_31_58 PM_484.log

ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 05_49_53 PM_796.log

ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 08_16_38 PM_328.log

ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 08_41_00 PM_671.log

ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 09_27_33 PM_515.log

ErrorSmart: [SBI $879FA510] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\ErrorSmart\Log\2008 Oct 14 - 12_16_19 PM_859.log

ErrorSmart: [SBI $7B416CCA] Data (קובץ, nothing done)
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job

RegistrySmart: [SBI $FCEE4898] Settings (מפתח רישום, nothing done)
HKEY_USERS\S-1-5-21-343743635-3307870191-2053664491-1006\Software\RegistrySmart

RegistrySmart: [SBI $81F408AB] Settings (מפתח רישום, nothing done)
HKEY_LOCAL_MACHINE\Software\RegistrySmart

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_05_17_11_51_45.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_05_17_11_51_53.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_05_24_09_10_06.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_06_14_10_01_53.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_06_15_03_09_36.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_06_20_22_29_01.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_07_01_20_40_26.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_07_12_12_06_09.log

RegistrySmart: [SBI $A1D98DAB] Log file (קובץ, nothing done)
C:\Documents and Settings\Iris Reiss\Application Data\RegistrySmart\Log\log_2007_07_14_17_02_38.log

RegistrySmart: [SBI $A6ED8F18] Data (קובץ, nothing done)
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job

Microsoft.Windows.Security.InternetExplorer: [SBI $366713D4] Settings (רישום שהשתנה, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (רישום שהשתנה, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.Windows.AppFirewallBypass: [SBI $2593FAE5] Settings (ערך הרישום, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\winver.exe

Microsoft.Windows.AppFirewallBypass: [SBI $17E546F4] Settings (ערך הרישום, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\winver.exe

Hupigon13: [SBI $D5A7DCB6] Settings (מפתח רישום, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

Virtumonde: [SBI $1F8EC695] Settings (מפתח רישום, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

Virtumonde.dll: [SBI $8770FED0] Library (קובץ, nothing done)
C:\WINDOWS\system32\jkkJaxXQ.dll

Virtumonde.dll: [SBI $8770FED0] Library (קובץ, nothing done)
C:\WINDOWS\system32\geBsqpqR.dll

Virtumonde.dll: [SBI $8770FED0] Library (קובץ, nothing done)
C:\WINDOWS\system32\ddcBTNDW.dll

Zlob.Downloader.bit: [SBI $12A26DDA] Installer (קובץ, nothing done)
c:\autorun.inf


*If any other details are required, just ask and you'll get them.

That's it. I hope to get some quick, helpful tips for this ugly situation.
Thanks,
Rotem
 
Hello and Welcome to the forums!

My name is peku006 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Please continue to respond until I give you the "All Clear"
If you follow these instructions, everything should go smoothly.

1 - Fix policies

Download FixPolicies.exe, a self-extracting ZIP archive, to your Desktop from here
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.

2 - Install hijackthis

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
Before I paste the log file from HijackThis, I'll give you a little status update.

1. When I scanned my computer earlier with Spybot S&D it found these errors:

--- Report generated: 2008-10-20 18:54 ---

Microsoft.Windows.Security.InternetExplorer: [SBI $366713D4] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

Hupigon13: [SBI $D5A7DCB6] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

Virtumonde: [SBI $1F8EC695] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

When I tried to fix it, everything looked good again for a minute; even when I checked whether the "regedit" command works, it worked. But after a couple of seconds the problem returned, and the command didn't work.

2. I looked at the processes running on my PC and noticed 2 processes that were not supposed to be there, so I rebuilt the batch file that I used earlier to stop iexplore.exe from running to stop those 2 files from running. After I did so, iexplore.exe didn't appear by itself again (if I wasn't asking it to).
The batch file code is:
@echo off
rem Loop forever and kill the two unwanted processes as soon as they reappear.
rem "process" is a separate command-line process-killer tool, not a built-in
rem Windows command; "-k <image name>" kills every process with that name.
:START
cls
process -k printdrv.exe
echo printdrv.exe was killed.
process -k WMPNetwk.exe
echo WMPNetwk.exe was killed.
GOTO START


3. And finally the log file you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:17, on 20/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\LSPRN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Fighters\configservice.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Fighters\licenseservice.exe
C:\Program Files\Fighters\updateservice.exe
C:\Program Files\Fighters\ScannerService.exe
C:\Program Files\avg\avg8\avgtray.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0574D50F-C261-490D-BF39-4E91183C4EFB} - C:\WINDOWS\system32\opnolJcB.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\avg\avg8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\avg\avg8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Printer Driver] C:\WINDOWS\system32\PRINTDRV.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Iris Reiss\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [PrinterSecurityLayer] C:\WINDOWS\LSPRN.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: opnolJcB - opnolJcB.dll (file missing)
O20 - Winlogon Notify: winzzd32 - C:\WINDOWS\SYSTEM32\winzzd32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PTK License-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\configservice.exe
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 13310 bytes


Sorry if I gave unneeded info; I prefer to talk nonsense rather than possibly keep important things to myself.

Thanks a lot for your help,
Rotem
 
Hi Rotem

1- Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with

1. the ComboFix log
2. a fresh HijackThis log

Thanks peku006
 
I have only problems from this point on..

1. The links you gave me aren't working, so I downloaded ComboFix from another place.
2. When I first ran ComboFix it said something about policies, so I ran the fixpolicies.cmd that you told me to download, and now it gives me another message. I attached a screenshot. (I made it a zip file so it would let me upload it here.)

waiting for new instructions.. :(
 
Hi Rotem

Lets try this

download and run RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

Please reply with

the logs from RSIT (log.txt ,info.txt)

Thanks peku006
 
Hi,
Maybe the problem is that AVG still worked even when I closed it from the tray, and maybe Avira AV is also running and I can't see it?

The logs are attached because it says that the text is too long with it inside the message.
 
Hi Rotem

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

Avira
AVG

Running more than one antivirus program is not recommended because they can conflict with each other. In addition,
antivirus programs take up an enormous amount of your computer's resources when actively scanning your computer.
Running multiple antivirus programs at the same time can cause your computer to become unstable, run slowly and even, in rare cases, crash.

I would strongly suggest you uninstall one of them.

1 - Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:Processes
LSPRN.EXE 

:Files
C:\WINDOWS\system32\opnolJcB.dll 
C:\WINDOWS\LSPRN.EXE 
C:\WINDOWS\system32\opnolJcB.dll
C:\WINDOWS\system32\apisc32.dll
C:\WINDOWS\system32\apibsc32.dll
C:\WINDOWS\system32\divxdrv32.exe
C:\WINDOWS\system32\39upd.dll

:Reg

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0574D50F-C261-490D-BF39-4E91183C4EFB}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"PrinterSecurityLayer"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnolJcB]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzzd32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0574D50F-C261-490D-BF39-4E91183C4EFB}"=-
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar, Code box into OTMoveIt3 (1).) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform full scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found here:

    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the OTMoveIt3 log
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
4. a description of any problems you are having with your PC

Thanks peku006
 
Hi,
Status check:
1. The regedit is back to work.

2. My task manager still won't start when I press alt+ctrl+del.

3. Windows update directs me to MSN.COM ..

4. The blue screen fatal error disappeared, I think. (The last time I rebooted after the system scan it didn't show up.)

5. The pop-ups are now gone.

6. I don't know if it's related or not, but AVG 8 still won't let me update itself.

7. A few minutes after I turn on my PC an error message appears saying: "The instance cssauth.exe cannot start because of initialization error." It was there before too, but I didn't notice it as much as now.

8. Two applications called "Operating System" and "SPOOLSV.exe" are trying to access the web (I see it in the AVG firewall).
Spoolsv is familiar to me as a system service, correct me if I'm wrong, but I don't think that this is the one. For now I'm blocking them both, until you tell me otherwise.
One more thing about those apps: the remote address they try to connect to is 192.168.1.255. This is a local address that does not exist!

9. After the Malwarebytes' Anti-Malware check it asked me to reboot, as you said it might. After I rebooted, while Windows was starting the laptop's power cable disconnected and the PC turned off. When I reconnected the cable I started Windows and ran a new Malwarebytes' Anti-Malware scan; after the scan it asked me to reboot as before, and after I did and Windows came up it didn't start Malwarebytes' Anti-Malware again. Is that OK? Or, as I think, was it supposed to do another removal pass on those files I rebooted for?

** The logs are attached.
 
Hi

I will answer your questions later......

please do the following..........

WAREOUT

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin;
follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Post back the contents of the logfile C:\fixwareout\report.txt.

Now lets check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS server address automatically.
Press OK twice to get out of the Properties screen and reboot if it asks.
That option might not be available on some systems.
 
Hi,
I did the scan; it didn't ask me to reboot twice.
As for checking the DNS server: I already did that a few days ago. It was manually configured and I changed it to automatic, so I had nothing to change in your second step.

The log:

Username "Iris Reiss" - 10/21/2008 15:52:49 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}
"DhcpNameServer"="85.255.112.16" <Value cleared.

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"suScheduler"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\UCLauncher.exe /SCHEDULER"
"LPManager"="C:\\PROGRA~1\\THINKV~2\\PrdCtr\\LPMGR.exe"
"ISUSPM Startup"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"cssauth"="\"C:\\Program Files\\IBM ThinkVantage\\Client Security Solution\\cssauth.exe\" silent"
"PDService.exe"="\"C:\\Program Files\\IBM ThinkVantage\\SafeGuard PrivateDisk\\pdservice.exe\""
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"DownloadAccelerator"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"spywarefighterguard"="C:\\Program Files\\Fighters\\spywarefighter\\SpywarefighterUser.exe"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Google Update"="\"C:\\Documents and Settings\\Iris Reiss\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Thanks,
Rotem
 
Hi

Open Notepad.
Copy the text from the box to an empty file.
Save it as export.bat to your desktop.
Choose save as all types

Code:
regedit /e c:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

Close Notepad.

Locate Export.bat on your Desktop and double-click on it. It will create a file called look.txt in C:\
Copy the entire text and paste it into your reply here in this topic.
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NV Hostname"="IRIS"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="IRIS"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000000
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:0000001e
"StrictTimeWaitSeqCheck"=dword:00000001
"DhcpNameServer"="85.255.112.16 192.168.1.254"
"DhcpDomain"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,44,00,34,00,39,00,37,00,33,00,\
32,00,30,00,2d,00,45,00,30,00,31,00,36,00,2d,00,34,00,42,00,30,00,45,00,2d,\
00,39,00,38,00,31,00,30,00,2d,00,32,00,39,00,38,00,39,00,35,00,43,00,34,00,\
39,00,41,00,43,00,32,00,42,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,\
00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,\
6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,45,\
00,37,00,36,00,46,00,38,00,45,00,31,00,2d,00,32,00,36,00,44,00,46,00,2d,00,\
34,00,37,00,35,00,41,00,2d,00,38,00,41,00,32,00,30,00,2d,00,45,00,37,00,39,\
00,39,00,46,00,42,00,43,00,46,00,41,00,32,00,46,00,41,00,7d,00,00,00,54,00,\
63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,6d,00,65,00,74,00,65,\
00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,00,61,00,63,00,65,00,\
73,00,5c,00,7b,00,42,00,46,00,36,00,41,00,36,00,46,00,31,00,37,00,2d,00,30,\
00,35,00,33,00,46,00,2d,00,34,00,46,00,42,00,34,00,2d,00,39,00,38,00,43,00,\
38,00,2d,00,45,00,46,00,31,00,43,00,42,00,36,00,31,00,34,00,34,00,41,00,45,\
00,42,00,7d,00,00,00,54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,\
61,00,6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,\
00,66,00,61,00,63,00,65,00,73,00,5c,00,7b,00,39,00,31,00,41,00,41,00,42,00,\
38,00,33,00,45,00,2d,00,30,00,37,00,41,00,42,00,2d,00,34,00,43,00,34,00,45,\
00,2d,00,38,00,37,00,31,00,36,00,2d,00,39,00,33,00,36,00,45,00,37,00,44,00,\
37,00,42,00,33,00,32,00,31,00,37,00,7d,00,00,00,00,00
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:20,73,49,fd,16,e0,0e,4b,98,10,29,89,5c,49,ac,2b,e1,f8,76,fe,\
df,26,5a,47,8a,20,e7,99,fb,cf,a2,fa,17,6f,6a,bf,3f,05,b4,4f,98,c8,ef,1c,b6,\
14,4a,eb,3e,b8,aa,91,ab,07,4e,4c,87,16,93,6e,7d,7b,32,17

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{0926575B-93EA-4E23-91B7-F896545D23EF}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,30,00,39,00,32,00,36,00,35,00,37,00,\
35,00,42,00,2d,00,39,00,33,00,45,00,41,00,2d,00,34,00,45,00,32,00,33,00,2d,\
00,39,00,31,00,42,00,37,00,2d,00,46,00,38,00,39,00,36,00,35,00,34,00,35,00,\
44,00,32,00,33,00,45,00,46,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,38,00,44,00,30,00,38,00,42,00,39,00,\
43,00,38,00,2d,00,33,00,46,00,43,00,38,00,2d,00,34,00,45,00,36,00,43,00,2d,\
00,38,00,43,00,31,00,46,00,2d,00,41,00,36,00,46,00,37,00,41,00,43,00,42,00,\
43,00,43,00,32,00,31,00,42,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{91CF9B4D-5FEE-46EA-8BF5-25306DB21C41}]
"LLInterface"="ARP1394"
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,39,00,31,00,43,00,46,00,39,00,42,00,\
34,00,44,00,2d,00,35,00,46,00,45,00,45,00,2d,00,34,00,36,00,45,00,41,00,2d,\
00,38,00,42,00,46,00,35,00,2d,00,32,00,35,00,33,00,30,00,36,00,44,00,42,00,\
32,00,31,00,43,00,34,00,31,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"LLInterface"=""
"IpConfig"=hex(7):54,00,63,00,70,00,69,00,70,00,5c,00,50,00,61,00,72,00,61,00,\
6d,00,65,00,74,00,65,00,72,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,66,\
00,61,00,63,00,65,00,73,00,5c,00,7b,00,46,00,39,00,33,00,31,00,35,00,37,00,\
32,00,44,00,2d,00,37,00,44,00,30,00,30,00,2d,00,34,00,30,00,38,00,32,00,2d,\
00,39,00,37,00,43,00,36,00,2d,00,31,00,41,00,31,00,32,00,34,00,41,00,38,00,\
43,00,30,00,39,00,44,00,44,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0926575B-93EA-4E23-91B7-F896545D23EF}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"InterfaceMetric"=dword:0000000a
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.254"
"Lease"=dword:0036ee80
"LeaseObtainedTime"=dword:48fddf54
"T1"=dword:4934cdc0
"T2"=dword:4934cdc0
"LeaseTerminatesTime"=dword:4934cdd4
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:ebbac26a
"AddressType"=dword:00000000
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="192.168.1.182"
"DhcpSubnetMask"="255.255.255.0"
"DhcpRetryTime"=dword:0036ee69
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="85.255.112.16 192.168.1.254"
"DhcpDomain"=""
"DhcpDefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
00,2e,00,32,00,35,00,34,00,00,00,00,00
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91AAB83E-07AB-4C4E-8716-936E7D7B3217}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"DhcpClassIdBin"=hex:
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,31,00,32,00,38,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91CF9B4D-5FEE-46EA-8BF5-25306DB21C41}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BF6A6F17-053F-4FB4-98C8-EF1CB6144AEB}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.254"
"Lease"=dword:0036ee80
"LeaseObtainedTime"=dword:47873c4b
"T1"=dword:47be2ab7
"T2"=dword:47be2ab7
"LeaseTerminatesTime"=dword:47be2acb
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"InterfaceMetric"=dword:0000000a
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="192.168.1.100"
"DhcpSubnetMask"="255.255.255.0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FD497320-E016-4B0E-9810-29895C49AC2B}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FE76F8E1-26DF-475A-8A20-E799FBCFA2FA}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
00,35,00,35,00,2e,00,31,00,32,00,38,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00
 
Hi...

hmm.... still......"DhcpNameServer"="85.255.112.16 192.168.1.254"

Go to Start / Run / then type in cmd
Press okay.
Type or copy/paste the following in the Command box:
Press Enter after each one.

ipconfig /release
ipconfig /flushdns
ipconfig /renew


Type EXIT to close & turn off the computer.

Please delete this file using Windows Explorer(if present):

C:\look.txt

then.....
Locate Export.bat on your Desktop and double-click on it. It will create a file called look.txt in C:\
Copy the entire text and paste it into your reply here in this topic.
 
I don't think the address is a problem as you do; this is my ISP's address and the other address is my router's address. Look at some info from my router:

Domain Name Server 85.255.112.16, 85.255.112.180

Do you still think I should do what you said?
 
Hi,
Is it possible that if I save my login name and password in IE, then some program could hack into my router and change its preferences? Because I think the first problem I had was that my Internet connection went down, and when I got into my router's preferences I saw that all my Internet connection settings had been changed, and only after I changed a few things, like my connection type (back to PPPoE), did my Internet connection work again.

I'm now reconfiguring my router to my ISP's DHCP address; I'll update you after your next response.

Thanks,
Rotem
 
Hi
Is it possible that if I save my login name and psw in IE , then some ,program could be able to hack in my router and change it pref

Yes...settings on the router can be changed, including the DNS servers
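An added example, not part of the thread and not from any of the tools named in it: a Python script that reads the regedit /e export the helper asked for (C:\look.txt) and reports DNS servers that are neither local (RFC 1918, loopback, link-local) nor on an allowlist you supply. It also reports where each value came from. NameServer is static configuration written on the machine itself, while DhcpNameServer was handed out by the DHCP server recorded in DhcpServer, which on a home network is the router; an unexpected public address that arrives via DHCP therefore points at the router's settings, which is exactly what the poster suspected, rather than at the PC alone. The embedded sample export is constructed from the values shown in the thread, and the script cannot tell an ISP's resolver from an attacker's, which is why the allowlist exists: 85.255.112.16 is flagged unless it is passed as trusted.

```python
"""Flag DNS servers in a Tcpip\\Parameters registry export that are neither
local nor on an allowlist, and say whether each came from static config or
from a DHCP server (i.e. the router). Added example; assumptions are marked."""
import ipaddress
import re

# Constructed sample, modelled on the look.txt export posted in the thread
# (one global key and two interfaces, trimmed to the string values used here).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""
"DhcpNameServer"="85.255.112.16 192.168.1.254"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8D08B9C8-3FC8-4E6C-8C1F-A6F7ACBCC21B}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpServer"="192.168.1.254"
"DhcpNameServer"="85.255.112.16 192.168.1.254"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F931572D-7D00-4082-97C6-1A124A8C09DD}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpServer"="192.168.1.254"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*$')
DNS_VALUES = ("NameServer", "DhcpNameServer")


def parse_reg_strings(reg_text):
    """Map each registry key to its REG_SZ values: {key: {name: value}}.
    dword/hex values and their continuation lines do not match STR_RE."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = STR_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value")
    return keys


def classify(server, trusted):
    """'trusted' if on the allowlist, 'local' if RFC 1918/loopback/link-local,
    otherwise 'unexpected' (anything that is not a valid IP is unexpected too)."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unexpected"
    if ip in trusted:
        return "trusted"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "unexpected"


def find_unexpected_dns(reg_text, trusted_servers=()):
    """Return (key_tail, value_name, server, source) for each DNS server that is
    neither local nor trusted. source is 'static' for NameServer (set on this
    machine), the DhcpServer address for DhcpNameServer when the key records
    one (the router on a home LAN), or 'dhcp' when it does not."""
    trusted = {ipaddress.ip_address(s) for s in trusted_servers}
    findings = []
    for key, values in parse_reg_strings(reg_text).items():
        for name in DNS_VALUES:
            # Windows separates multiple servers with spaces or commas.
            for server in values.get(name, "").replace(",", " ").split():
                if classify(server, trusted) == "unexpected":
                    source = "static" if name == "NameServer" else values.get("DhcpServer", "dhcp")
                    findings.append((key.rsplit("\\", 1)[-1], name, server, source))
    return findings


if __name__ == "__main__":
    import sys
    # regedit /e writes UTF-16 with a BOM; with no path the constructed sample is used.
    # Usage (assumed): python dnscheck.py C:\look.txt [trusted-resolver-ip ...]
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, server, source in find_unexpected_dns(text, trusted_servers=sys.argv[2:]):
        print(f"{key}: {name} -> {server} (source: {source})")
```

Run against the sample with no allowlist it reports 85.255.112.16 twice, once under the global Parameters key and once under the {8D08B9C8-...} interface with source 192.168.1.254, which is the DHCP server (router) that handed it out; the 192.168.1.254 entry itself is classified as local and stays quiet. Passing the ISP's resolvers as trusted silences the report, so the decision the thread argues about (ISP resolver or hijack) is made explicitly by whoever runs the check, after confirming the addresses with the ISP rather than with the router's own status page.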
 