Browser hijack!

kutuputu

New member
Hello to all, I'm new here, keep up the good work.

When I'm in Google or another search engine, clicking on a link redirects me to other sites, like:
Robogold.biz, aicse.com etc...

I ran a scan with AVG Antivirus: nothing. Scanned with CounterSpy: nothing. Spy Sweeper: nothing. Spybot detected a DNS change and fixed it, but it came back. I also ran ATF Cleaner. I ran AVG Antispyware, but it's a demo and won't clean anything, and also didn't find anything.

What to do?

I ran HijackThis in safe mode, and AVG Antivirus; here is the HijackThis log after scanning with all the software:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:35, on 24/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - D:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe
 
Hi, welcome to Safer Networking Forums!

I ran AVG Antispyware, but it's a demo and won't clean anything, and also didn't find anything.

Although AVG Antispyware is only a demo, it does clean for free for all the infected items it can find. The only downside of having a demo version is that after a few days, you will lose the realtime monitoring feature.

Next time, please post a HijackThis log taken from normal mode.
__________

*Did you install a program called WinPcap?

*I see you are running 2 antivirus applications at the same time. Please uninstall your other antivirus and only keep 1. Not only will 2 or more AVs slow down your PC's performance, but they also reduce your overall system security. However, if you paid for those programs, I recommend that you disable one of them and only have one with realtime monitoring on. Use Add/Remove Programs in the Control Panel to uninstall the antivirus that you don't want to keep.


*We need to temporarily disable Spybot's TeaTimer, as it may stop our fix.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

*You need to disable CounterSpy temporarily, as it can stop our fix. Please re-enable it after your system is clean. To disable CounterSpy:
  • Right Click on the CounterSpy Icon located in your system tray.
  • With your mouse, hover over Active Protection Status (This should be enabled)
  • A menu will slide out, then right click on Disable Active Protection

*We need to temporarily disable Spyware Terminator, as it can stop our fix.

Open Spyware Terminator then Click on the "Real-time Protection" tab, leave the "Use Real-time Protection" checkbox empty and click on the "Save Changes" button.

Exit Spyware Terminator.
____________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67


Did you use Spybot to add the following policies? If not, please fix them.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again. After your computer restarts, a notepad report will immediately open, please post all the contents of that report.

Finally, please post a fresh HijackThis log, along with the contents of the report.
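The O17 entries listed above are the DNS-changer part of this infection: the same two resolvers are set in the per-adapter key and in every control set (CCS, CS1 and CS2). As an added example, not part of HijackThis or the forum's fix tools, the Python script below parses O17 NameServer lines from a log, flags any resolver outside a trusted list, and reports which control sets carry the rogue value; the trusted network, the clean 192.168.1.1 line and the Domain line are constructed placeholders, the four rogue lines are the ones from the log above.

```python
"""Triage the O17 (TCP/IP NameServer) lines of a HijackThis log.

Added example for this thread; not part of HijackThis or the forum's fix tools.
Parses every O17 NameServer entry, validates each address, flags resolvers that
are not in a trusted list, and reports which control sets carry the rogue value.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the four O17 lines from the first log in the thread, plus a
# constructed clean line, an O17 Domain line and a non-O17 line to show handling.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.invalid
"""

# Constructed placeholder: in practice, the resolvers your ISP or router hands out.
TRUSTED_RESOLVERS = ["192.168.1.0/24"]

O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\.+?): "
    r"(?P<setting>NameServer|Domain) = (?P<value>.*)$"
)


def parse_o17(log_text):
    """Return one dict per O17 NameServer line; Domain lines and other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m.group("setting") != "NameServer":
            continue
        # HijackThis lists resolvers space- or comma-separated.
        servers = [s for s in re.split(r"[ ,]+", m.group("value")) if s]
        entries.append({
            "key": m.group("key"),
            "control_set": m.group("cs"),
            # A {GUID} key is a per-adapter setting; 'Parameters' is the global one.
            "per_adapter": "{" in m.group("key"),
            "servers": servers,
        })
    return entries


def flag_resolvers(entries, trusted):
    """Return (key, server, reason) for every resolver outside the trusted networks."""
    trusted_nets = [ip_network(t, strict=False) for t in trusted]
    findings = []
    for entry in entries:
        for server in entry["servers"]:
            try:
                addr = ip_address(server)
            except ValueError:
                findings.append((entry["key"], server, "not a valid IP address"))
                continue
            if not any(addr in net for net in trusted_nets):
                findings.append((entry["key"], server, "not a trusted resolver"))
    return findings


def rogue_control_sets(findings):
    """Control sets carrying a flagged resolver. CS1/CS2 alongside CCS means the
    value is also in the saved control sets, so 'Last Known Good Configuration'
    would boot straight back into the same DNS hijack."""
    sets = set()
    for key, _server, _reason in findings:
        m = re.match(r"HKLM\\System\\(CCS|CS\d+)\\", key)
        if m:
            sets.add(m.group(1))
    return sets


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Summarise the O17 findings for a log as a plain dict."""
    entries = parse_o17(log_text)
    findings = flag_resolvers(entries, trusted)
    return {
        "entries": len(entries),
        "rogue_servers": sorted({server for _key, server, _reason in findings}),
        "control_sets": sorted(rogue_control_sets(findings)),
        "per_adapter_hits": sum(1 for key, _s, _r in findings if "{" in key),
    }


if __name__ == "__main__":
    for key, server, reason in flag_resolvers(parse_o17(SAMPLE_LOG), TRUSTED_RESOLVERS):
        print(f"{reason}: {server} in {key}")
    print(triage(SAMPLE_LOG))
```

A resolver that is rogue in CS1 and CS2 as well as CCS is the reason the helper lists all four O17 lines for fixing rather than only the current control set.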
 
Reply logs!

Thanks so much for your help!

I didn't install software called "WinPcap".
I disabled Spybot TeaTimer and Spyware Terminator, but a process called "sp_rsser.exe" still remains in memory.
I disabled the AV.

I did the scan and all of the above in normal mode like you said. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:47, on 25/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\WINDOWS\System32\taskmgr.exe
D:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe



Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Misc files
Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
Other suspects
Directory of D:\WINDOWS\system32
{7F962C6D-B350-443A-88EF-E2811E0605BB}.exe

THANKS AGAIN.
 
Hi,

You ran an old version of Fixwareout. Can you please delete your current copy, then download a new one using one of the mirrors I posted, run it again and post the log.
 
Logs of Fixwareout!

Thanks for your help.


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
Service: "Windows Management Service" = D:\WINDOWS\System32\dmcpy.exe

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3C76E8DAEA75-65DA-2974-BCDA-0F5966EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}442585860F5C-B319-4454-7DF4-B5A30F5C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8FFB6638834D-E15A-A474-3AD8-2CCE4E4E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6E9EFD90C022-7D28-13E4-642D-DA7C82FB{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DDB0A98D82F3-6EEA-B364-D329-7E0C59BE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}596D4D27FB1A-5E9B-A614-99EC-1967C429{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0DA1E7E8392B-531B-79A4-028D-88918829{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ypcmd" Deleted
....
»»»»» Misc files.
D:\WINDOWS\system32\{7F962C6D-B350-443A-88EF-E2811E0605BB}.exe Deleted
D:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
D:\WINDOWS\Temp\dmcpy.ren 57873 08/28/2002



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"THGuard"="\"D:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
 
Log of HijackThis.

Here is the new log, in normal mode.

I also have a problem when I'm on some secure sites and enter a username and password: I get a "page can't be displayed" error. Is this related to this malware problem?

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:50, on 25/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\WINDOWS\system32\spoolsv.exe
D:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
 
I also have a problem when I'm on some secure sites and enter a username and password: I get a "page can't be displayed" error. Is this related to this malware problem?

No, it is not, but it is possible that there are other infections present in your machine.
__________________

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

WinPcap

Reboot.
__________________

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner by Atribune

Do not use it yet.
__________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
__________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


*Using Windows Explorer, find and delete these files:

D:\WINDOWS\Temp\dmcpy.ren

*Delete the following folder:

C:\Program Files\WinPcap

Empty your Recycle bin.
___________________

*Important: Make sure all your browsers are closed before running ATF Cleaner..

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
  • Close AVG AntiSpyware.
  • Reboot to normal mode.
Download ComboScan to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

On your next reply, please include a fresh HijackThis log, AVG antispyware log and the contents of comboscan.txt and supplementary.txt
 
Logs, 1 of 3, and notes:

Hello, and thank you again for your support.

The logs are too long so I posted them in 3 parts.

Some notes:

I can't change the state of the resident shield to inactive - "demo version"; I guess I used Ewido for 30 days.

I can't update, so I downloaded the full database manually, but when I run it in safe mode the "last update" line says never.

The service in the HijackThis O23 entry, "rpcapd", keeps on showing; it is not erased.

I still haven't done anything about Spyware Terminator and TeaTimer; they are still disabled.

Here are the logs for HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:53, on 27/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\NOTEPAD.EXE
D:\WINDOWS\NOTEPAD.EXE
d:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Export to Microsoft Excel (Hebrew: &יצא ל- Microsoft Excel) - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research (Hebrew: מחקר) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
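The one line in the log above that explains the redirects is the O17 entry: every interface's NameServer has been pointed at 85.255.115.58 and 85.255.112.67, and the fixed-entries backup later in this thread shows the same 85.255.112.0/20 block (85.255.115.52, 85.255.112.85) being set in July 2006. That /20 is the range the Zlob/DNSChanger family pointed victims at, so any search-result click resolves through an attacker-controlled resolver, which is why no file scanner "finds" anything and why the setting comes back after Spybot repairs it (whatever writes it is still running). The script below is an added example, not code from the original post or from HijackThis: it parses O17 lines (live and "backup-" fixed entries alike), splits the space- or comma-separated server list, and reports any address inside the known rogue ranges. The 85.255.112.0/20 range is taken from this log; the other ranges are the ones published for the same botnet and are listed from memory as an assumption to verify before relying on them. The sample log lines are copied from this thread plus one constructed clean entry.

```python
"""Flag rogue DNS resolvers in HijackThis O17 entries.

Added example for this thread, not part of the original post or of
HijackThis itself. The O17 line format is the one HijackThis 1.99 prints:

  O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a.b.c.d,e.f.g.h
"""
import ipaddress
import re

# 85.255.112.0/20 is the block seen in this log. The remaining ranges are the
# other DNSChanger resolver blocks as remembered by the author of this example
# (assumption: verify against a current reference before relying on them).
ROGUE_DNS_RANGES = [ipaddress.ip_network(n, strict=False) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# The registry key never contains a colon, so [^:]+ stops exactly before
# ": NameServer". Searching (not matching) lets "backup-..." prefixes through.
O17_RE = re.compile(r"O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry key, [server, ...]) for an O17 line, else None."""
    m = O17_RE.search(line.strip())
    if m is None:
        return None
    # HijackThis separates servers with a space or a comma depending on how
    # the value was written; accept either.
    servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def is_rogue(ip_text):
    """True if the address falls inside one of the known rogue resolver ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # not an IP literal; leave it for a human to read
    return any(ip in net for net in ROGUE_DNS_RANGES)


def audit(log_lines):
    """Return [(registry key, [rogue servers])] for O17 entries that hit a rogue range."""
    findings = []
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [s for s in servers if is_rogue(s)]
        if bad:
            findings.append((key, bad))
    return findings


# Sample input: two lines copied from this thread's logs, one constructed
# clean entry pointing at a private LAN resolver.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67",
    r"backup-20060716-004504-248 O17 - HKLM\System\CCS\Services\Tcpip\..\{EB2E38DA-03EF-409E-B6B8-DD59370A1351}: NameServer = 85.255.115.52,85.255.112.85",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",  # constructed clean line
]

if __name__ == "__main__":
    for key, bad in audit(SAMPLE_LOG):
        print(f"ROGUE DNS  {key}  ->  {', '.join(bad)}")
```

Run it over a saved HijackThis log with `audit(open("hijackthis.log").readlines())`. A hit on the live O17 line tells you what to fix; a hit that returns on the next scan (as it did for this machine between July 2006 and February 2007) tells you the fix is not the cure, and the search has to move to whatever still runs with write access to the Tcpip\Parameters\Interfaces keys.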
 
Start logs 2 from 3

Here is the log for AVG Anti-Spyware and the supplementary log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:45:09 27/02/2007

+ Scan result:

Here is the supplementary log:

ComboScan v20070221.16 run by s on 2007-02-27 at 10:56:51
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------

-- System Information -----------------------------------------------------
Unable to create WMI object; error code: 0x8007042C

-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\s\Application Data
CLASSPATH=D:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=S-V72WZ5LUCG5KB
ComSpec=D:\WINDOWS\system32\cmd.exe
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\s
LOGONSERVER=\\S-V72WZ5LUCG5KB
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\PROGRA~1\Multi;D:\Program Files\Common Files\Ulead Systems\MPEG;D:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\;D:\Program Files\Microsoft SQL Server\80\Tools\Binn\;;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;D:\Program Files\Pinnacle\Shared Files;D:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=D:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\s\LOCALS~1\Temp
TMP=D:\DOCUME~1\s\LOCALS~1\Temp
USERDOMAIN=S-V72WZ5LUCG5KB
USERNAME=s
USERPROFILE=D:\Documents and Settings\s
windir=D:\WINDOWS


-- User Profiles ----------------------------------------------------------------

s (admin)
Administrator.S-V72WZ5LUCG5KB (admin)

-- Add/Remove Programs --------------------------------------------------
--> "D:\Program Files\Creative\CTSetup\CTSetup.exe"
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6504C153-A24C-4C10-A5B6-FE5CEF9141D9}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
עסקית --> D:\WINDOWS\iun6002.exe "D:\Program Files\iskit\irunin.ini"
Acoustica Mixcraft --> D:\PROGRA~1\Acoustica Mixcraft\UNWISE.EXE D:\PROGRA~1\Acoustica Mixcraft\INSTALL.LOG
Adobe GoLive CS2 English --> msiexec /i {46548E80-0409-0000-7E8A-45000F855001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> D:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fD:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AnalogX SayIt --> D:\Program Files\AnalogX\SayIt\sayitu.exe
Arcade Balls v1.21 --> "D:\Program Files\Arcade Balls\unins000.exe"
Arcade! Classic Arcade Pack 5.0 --> D:\Program Files\Arcade!\uninst.exe
ArcSoft PhotoImpression --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E142615E-5ED8-4511-9BF0-0284BFA25766}\Setup.exe" -l0x9 -uninst
ArcSoft VideoImpression 1.6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ED10343F-D30A-4200-9B00-665FC45F52B4}\Setup.exe" -l0x9 -uninst
Art Plus Download Assistant --> "D:\Program Files\Common Files\Art Plus Uninstall\apuinst3.exe" "D:\Program Files\Common Files\Art Plus Uninstall\APDlAssist.ui3"
Audacity 1.3.2 (Unicode) --> "D:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
AVG 7.5 --> D:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BaktiNet v1.0c --> D:\PROGRA~1\BaktiNet\UNWISE.EXE D:\PROGRA~1\BaktiNet\INSTALL.LOG
Broderbund Media Manager --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{26346FB6-4F69-453D-95CE-B6BA3A5382F8}\setup.exe" -l0x9 AddRem
BSPlayer --> "c:\Program Files\Webteh\BSplayer\uninstall.exe"
CamStudio --> D:\Program Files\CamStudio\uninstall.exe
Canon Camera Support Core Library --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon Internet Library for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A}
Canon MovieEdit Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1 --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "D:\Program Files\CCleaner\uninst.exe"
Chronotron Plug-in for Winamp/WMP 9 (remove only) --> "D:\Program Files\Chronotron Inc\Chronotron\uninst-chronotron.exe"
CIF USB CAMERA --> D:\WINDOWS\CleanDev.exe D:\WINDOWS\DC3110.txt
Corel Painter Essentials 3 --> MsiExec.exe /I{0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
Cubemaster Gold v4.3 --> D:\WINDOWS\iun6002.exe "D:\Program Files\Cubemaster Gold\irunin.ini"
Decks v1.20 --> c:\decks\Uninstal.exe
DeepBurner v1.8.0.224 --> "D:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "D:\Program Files\Astonsoft\DeepBurner\install.log"
DiamondCS APM --> d:\APM\uninstal.exe
Direct Show Ogg Vorbis Filter (remove only) --> "D:\WINDOWS\System32\OggDSuninst.exe"
DVD Photo Slideshow Pro 7.50 --> D:\Program Files\DVD Photo Slideshow Professional\uninst.exe
EasyCleaner --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
ExtractNow --> "c:\Program Files\ExtractNow\unins000.exe"
Faber Toys --> "D:\Program Files\Faber Toys\unins000.exe"
Fatman Adventures --> "D:\Program Files\Another Day\Fatman Adventures\unins000.exe"
Flash Saving Plugin --> "D:\Program Files\UnH Solutions\Flash Saving Plugin\unins000.exe"
FlaX --> D:\Program Files\Goldshell\fxuninst.exe
Free History Eraser --> "D:\Program Files\Free History Eraser\unins000.exe"
HijackThis 1.99.1 --> D:\HijackThis.exe /uninstall
Hypersonic 1.1.1 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\HYPERS~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\HYPERS~1\INSTALL.LOG
IconPackager --> D:\PROGRA~1\Stardock\Object Desktop\IconPackager\iconpackager.exe /uninstallwise
ICQ 5.1 --> c:\Program Files\ICQLite\ICQLiteUninstall.EXE
ICQ Toolbar --> regsvr32 /u /s "C:\program files\ICQToolbar\toolbaru.dll"
InstallRTC --> MsiExec.exe /X{200F584F-848D-4B6B-B1A1-C74D735F18A4}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
JavaScript Utility Suite v1.0 --> "D:\Program Files\JavaScript Utility Suite\unins000.exe"
jetAudio Basic --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
JetPhoto Studio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{228D34A5-D186-495E-9DED-70A6CAB68B02}\setup.exe" -l0x9 -removeonly
jv16 PowerTools 1.4.1 --> "D:\Program Files\jv16 PowerTools\unins000.exe"
K-Lite Mega Codec Pack 1.37 --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
Kerio Personal Firewall 2.1.4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{51C8741C-4A91-42A6-B6A2-CB891F7398A1}\Setup.exe" -removeall
Lexmark X1100 Series --> D:\WINDOWS\System32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
LimeWire 4.12.6 --> "D:\Program Files\LimeWire\uninstall.exe"
Live 6.0.3 --> D:\PROGRA~1\Ableton\Live 6.0.3\Install\UNWISE.EXE D:\PROGRA~1\Ableton\Live 6.0.3\Install\INSTALL.LOG
LQfix 2.1 --> "D:\WINDOWS\LQfix\unins000.exe"
Macromedia Director MX 2004 --> D:\PROGRA~1\Macromedia\Director MX 2004\UNWISE.EXE D:\PROGRA~1\Macromedia\Director MX 2004\install.log
Macromedia Dreamweaver MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX 2004 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> D:\WINDOWS\System32\Macromed\Flash\UninstFl.exe
Mario Forever v 2.16 ! --> C:\Buziol Games\Mario Forever\UnMario.exe
Microsoft Office 2000 Professional --> MsiExec.exe /I{000104E7-78E1-11D2-B60F-006097C998E7}
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{9084040D-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{9011040D-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{9085040D-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection D:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Midnite Motel 1.0 --> "D:\Program Files\MidniteMotel\unins000.exe"
Movie Maker Background Music Files --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
Mp3divider v0.9.1.8 --> "D:\Program Files\Mp3divider\uninstall.exe"
MSN Messenger 7.5 --> MsiExec.exe /I{DBB48ED2-03EC-11DA-BFBD-00065BBDC0B5}
Natto-Cat --> MsiExec.exe /I{21A99D22-12D2-4F03-B97E-8BD2C9891F61}
Network Password Recovery --> D:\WINDOWS\zipinst.exe /uninst "D:\Program Files\Network Password Recovery\uninst1~.nsu"
Outlook Express Q823353 --> D:\WINDOWS\oeuninst.exe D:\WINDOWS\INF\Q823353.inf
Oversight System Sentinel Demo --> MsiExec.exe /I{18BDFC02-DFB5-4E2A-B99B-80F94D2A2E21}
PACE System Files --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{28F58CDE-6241-4B11-8232-6A5D4FB06E8B}\Setup.exe" -l0x9 FromUninstall
Pacmania 3 --> c:\Program Files\Alawar\Pacmania 3\uninstal.exe
PC Camera (6009 CIF) --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5B3028F-6845-48A6-A46E-77A716B57537}\Setup.exe" -l0x9
PhotoFiltre --> "D:\Program Files\PhotoFiltre\Uninst.exe"
PictureViewer .EXE 1.1.0.227 --> "D:\Program Files\PictureViewer .EXE\unins000.exe"
Polyphonic Wizard v4 --> D:\PROGRA~1\Coding Workshop Polyphonic Wizard\UNWISE.EXE D:\PROGRA~1\Coding Workshop Polyphonic Wizard\INSTALL.LOG
QuickTime --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\Intel 32\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RegAlyzer 1.4 --> "D:\Program Files\Safer Networking\RegAlyzer\unins000.exe"
Riva FLV Encoder 2.0 --> "D:\Program Files\Riva\Riva FLV Encoder 2.0\unins000.exe"
Save Flash 3.0 --> D:\Program Files\Save Flash\uninst.exe
Security Task Manager 1.6e --> D:\Program Files\Security Task Manager\Uninstal.exe "D:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Serif PhotoPlus 6.0 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
Shockwave --> D:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE D:\WINDOWS\system32\Macromed\Shockwave 8\Install.log
Smart Link 56K Voice Modem --> D:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
Snood for Windows version 3.52-W --> "D:\Program Files\Snood\unins000.exe"
Sony ACID XPress 5.0a --> MsiExec.exe /X{12F4BE69-6614-41D3-BB3B-DF7F921DF2BB}
Sothink SWF Decompiler --> "D:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
Sound Blaster PCI128 Drivers --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{509291FD-CFC8-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9 /remove
Sports Car GT Demo --> D:\PROGRA~1\Electronic Arts\Sports Car GT Demo\UNWISE.EXE D:\PROGRA~1\Electronic Arts\Sports Car GT Demo\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator --> "D:\Program Files\Spyware Terminator\unins000.exe"
SpywareBlaster v3.5.1 --> "D:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWF To Image --> "D:\Program Files\SWF To Image\unins000.exe"
SWiSHmax --> D:\WINDOWS\unvise32.exe D:\Program Files\SWiSHmax\uninstal.log
Switch Uninstall --> D:\Program Files\NCH Swift Sound\Switch\uninst.exe
Tenant --> D:\WINDOWS\uninst.exe -f"D:\Program Files\Tenant\Tenant\DeIsL1.isu" -c"D:\Program Files\Tenant\Tenant\_ISREG32.DLL"
Terragen --> MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
The Print Shop --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}\setup.exe" -l0x9 anything
TightVNC 1.2.9 --> "D:\Program Files\TightVNC\unins000.exe"
Total Recorder 6.0 --> "D:\Program Files\HighCriteria\TotalRecorder\setup.exe" U
Total Sokoban --> "C:\Program Files\SuperSoft\Total Sokoban\uninstall.exe"
Transcribe! 7.40 --> "D:\Program Files\Transcribe!\unins000.exe"
TrojanHunter 4.6 --> "D:\Program Files\TrojanHunter 4.6\unins000.exe"
TweakNow RegCleaner --> "D:\Program Files\TweakNow RegCleaner\unins000.exe"
UnderCoverXP 1.10 --> "D:\Program Files\UnderCoverXP\unins000.exe"
Vertrix 2 --> D:\Program Files\Vertrix 2\SXUNINST.EXE
Virtual DJ - Atomix Productions --> D:\PROGRA~1\VirtualDJ\UNWISE.EXE D:\PROGRA~1\VirtualDJ\INSTALL.LOG
Vmule Kazaa Lite --> MsiExec.exe /I{7AD5B901-00B5-4518-8A97-77720FA7B780}
VNC Free Edition 4.1.2 --> "D:\Program Files\RealVNC\VNC4\unins000.exe"
WavePad Uninstall --> D:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Registry Guide 2003 --> "D:\Program Files\WinGuides\unins000.exe"
Windows XP Creativity Fun Packs - Windows Movie Maker 2 --> MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
Windows XP Winter Fun Pack for Windows Movie Maker 2 --> MsiExec.exe /I{FFC5C6DA-6BC0-47C1-9EC0-8E1A1294E4F7}
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
WinUHA 2.0 RC1 (2005.02.27) --> "D:\Program Files\WinUHA\unins000.exe"
Xara Webstyle 4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E7C036E2-C7E4-4964-9BDA-81973341930E}\setup.exe" -l0x9
Xara3D6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B3783869-5D14-4838-A042-910DF816D070}\setup.exe" -l0x9


-- End of ComboScan: finished at 2007-02-27 at 11:01:48 -------------------------
 
And here is the log for ComboScan (3 parts):

Part 1 :

ComboScan v20070221.16 run by s on 2007-02-27 at 10:56:51
Computer is in Normal Mode.
--------------------------------------------------------------------------

Unable to create System Restore WMI object; error code: 0x8007042C
Performed disk cleanup.


-- HijackThis (run as s.exe) ----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:00:53, on 27/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
d:\comboscan.exe
D:\s.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Export to Microsoft Excel (Hebrew: &יצא ל- Microsoft Excel) - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research (Hebrew: מחקר) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
 
ComboScan part 2:

-- HijackThis Fixed Entries (D:\\backups\) --------------------------------------

backup-20050426-055602-307 R3 - Default URLSearchHook is missing
backup-20050426-055602-843 O2 - BHO: (no name) - {FBE3AE8E-846C-3C23-32A7-FA6D9D56AC87} - D:\WINDOWS\atlzw.dll
backup-20050426-235007-993 O4 - HKCU\..\RunOnce: [Winsock2 driver] MMNGR32.EXE
backup-20050430-053928-870 O23 - Service: Port Reporter (PortReporter) - Unknown owner - D:\Program Files\PortReporter\portreporter.exe
backup-20050430-053928-937 O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
backup-20050430-135256-712 R3 - Default URLSearchHook is missing
backup-20050430-135256-737 O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - D:\PROGRA~1\Virtual Maid\Virtual Maid.dll
backup-20050430-135256-957 O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
backup-20050430-142724-165 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
backup-20050430-142724-176 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-200 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-232 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-258 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
backup-20050430-142724-350 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
backup-20050430-142724-463 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-474 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
backup-20050430-142724-581 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-709 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-716 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
backup-20050430-142724-749 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
backup-20050430-142724-802 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
backup-20050430-142724-848 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
backup-20050430-142724-955 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
backup-20050430-144748-943 O23 - Service: Port Reporter (PortReporter) - Unknown owner - D:\Program Files\PortReporter\portreporter.exe
backup-20050502-114136-161 O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
backup-20050502-114136-167 O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE
backup-20050502-114136-300 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http:///
backup-20050502-114136-345 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
backup-20050502-114136-445 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
backup-20050502-114136-498 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20050502-114136-554 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\nntco.dll/sp.html#37049
backup-20050502-114136-565 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
backup-20050502-114136-740 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
backup-20050502-114136-915 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108834461855
backup-20050502-114137-696 O23 - Service: Port Reporter (PortReporter) - Unknown owner - D:\Program Files\PortReporter\portreporter.exe (file missing)
backup-20050504-015957-119 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.down.co.il
backup-20050504-044237-266 O4 - HKLM\..\Run: [WinampAgent] c:\1\Winamp\winampa.exe
backup-20050504-044237-636 O4 - HKLM\..\Run: [Startup Manager Scanner] D:\Program Files\Startup Mechanic\StartupMonitor.exe
backup-20060204-193041-229 O23 - Service: Win32Sr - Unknown owner - D:\WINDOWS\win32ssr.exe
backup-20060623-021853-436 O4 - HKLM\..\Run: [hgqhp.exe] D:\WINDOWS\System32\hgqhp.exe
backup-20060623-021853-851 O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
backup-20060623-021924-231 O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
backup-20060716-004503-204 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20060716-004503-460 O4 - HKLM\..\Run: [gquzg.exe] D:\WINDOWS\System32\gquzg.exe
backup-20060716-004503-681 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20060716-004503-856 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
backup-20060716-004504-109 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-115 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-158 O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-248 O17 - HKLM\System\CCS\Services\Tcpip\..\{EB2E38DA-03EF-409E-B6B8-DD59370A1351}: NameServer = 85.255.115.52,85.255.112.85
backup-20060716-004504-269 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20060716-004504-447 O17 - HKLM\System\CCS\Services\Tcpip\..\{FACDDB33-645D-4D8B-B2BD-287103037707}: NameServer = 85.255.115.52,85.255.112.85
backup-20060716-004504-532 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
backup-20060716-004504-981 O17 - HKLM\System\CCS\Services\Tcpip\..\{745AF652-3421-41D0-8696-D9D11E1642C4}: NameServer = 85.255.115.52,85.255.112.85
backup-20061121-082814-195 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.not.co.il/%s
backup-20061129-043214-271 O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
backup-20070220-125936-274 O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe
backup-20070220-130000-810 O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\System32\PSIService.exe
backup-20070220-150955-414 O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe
backup-20070220-150955-634 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20070223-193608-829 O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
backup-20070223-193609-284 O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Goop2/launcher.cab
backup-20070223-193610-307 O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.photo-kahana.co.il/XUpload.ocx
backup-20070223-193610-899 O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
backup-20070223-193611-475 O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
backup-20070223-193611-698 O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20070223-193611-701 O17 - HKLM\System\CCS\Services\Tcpip\..\{745AF652-3421-41D0-8696-D9D11E1642C4}: NameServer = 85.255.115.58,85.255.112.67
backup-20070223-193611-968 O17 - HKLM\System\CCS\Services\Tcpip\..\{EB2E38DA-03EF-409E-B6B8-DD59370A1351}: NameServer = 85.255.115.58,85.255.112.67
backup-20070223-212959-545 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070223-212959-586 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070225-111124-334 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070225-111124-654 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070225-111124-671 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070225-111124-863 O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
backup-20070225-111125-134 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
backup-20070225-111125-141 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
backup-20070225-111125-298 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20070225-111125-358 O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
backup-20070225-111125-561 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
backup-20070225-111125-600 O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
backup-20070225-111125-821 O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
backup-20070226-232713-399 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20070226-235909-403 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 
Comboscan part 3:
-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "D:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 3dfxvs - System32\DRIVERS\3dfxvsm.sys (not found)
1 ASPI32 - System32\drivers\aspi32.sys (not found)
1 AVG Anti-Spyware Driver - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 Avg7Core (AVG7 Kernel) - D:\WINDOWS\system32\drivers\avg7core.sys
1 Avg7RsW (AVG7 Wrap Driver) - D:\WINDOWS\system32\drivers\avg7rsw.sys
1 Avg7RsXP (AVG7 Resident Driver XP) - D:\WINDOWS\system32\drivers\avg7rsxp.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys (not found)
1 AvgClean (AVG7 Clean Driver) - D:\WINDOWS\system32\drivers\avgclean.sys
2 AvgTdi (AVG Network Redirector) - D:\WINDOWS\system32\drivers\avgtdi.sys
3 basic2 - System32\DRIVERS\HSF_BSC2.sys (not found)
3 CCDECODE (Closed Caption Decoder) - System32\DRIVERS\CCDECODE.sys (not found)
3 CIF USB CAMERA Service (CIF USB CAMERA) - System32\DRIVERS\pfc027.sys (not found)
3 EverestDriver (Lavalys EVEREST Kernel Driver) - C:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt
2 Fallback - System32\DRIVERS\HSF_FALL.sys (not found)
2 Fsks - System32\DRIVERS\HSF_FSKS.sys (not found)
1 fwdrv (Kerio Personal Firewall Driver) - system32\Drivers\fwdrv.sys (not found)
2 GYNOQKJX - D:\WINDOWS\System32\gynoqkjx.isf (not found)
3 hsf_msft - System32\DRIVERS\HSF_MSFT.sys (not found)
2 IYMMHNPO - D:\WINDOWS\System32\iymmhnpo.xhy (not found)
2 K56 - System32\DRIVERS\HSF_K56K.sys (not found)
3 LVCap138 (LifeView LR138 Capture Driver) - System32\DRIVERS\lvcap138.sys (not found)
3 lvtuner (LifeView WDM TV Tuner) - System32\DRIVERS\lvtuner.sys (not found)
3 LVUSBSta (Logitech USB Monitor Filter) - System32\DRIVERS\LVUSBSta.sys (not found)
3 MarvinBus (Pinnacle Marvin Bus) - System32\DRIVERS\MarvinBus.sys (not found)
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys (not found)
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys (not found)
3 Mtlmnt5 - System32\DRIVERS\SLDRV\Mtlmnt5.sys (not found)
3 Mtlstrm - System32\DRIVERS\SLDRV\Mtlstrm.sys (not found)
3 NABTSFEC (NABTS/FEC VBI Codec) - System32\DRIVERS\NABTSFEC.sys (not found)
3 NdisIP (Microsoft TV/Video Connection) - System32\DRIVERS\NdisIP.sys (not found)
3 nm (Network Monitor Driver) - System32\DRIVERS\NMnt.sys (not found)
3 NPF (NetGroup Packet Filter Driver) - system32\drivers\npf.sys (not found)
3 NtApm (NT Apm/Legacy Interface Driver) - System32\DRIVERS\NtApm.sys (not found)
1 PCLEPCI - D:\WINDOWS\system32\drivers\Pclepci.sys
2 PfModNT - D:\WINDOWS\system32\PFMODNT.SYS
3 PID_0928 (Logitech QuickCam Express(PID_0928)) - System32\DRIVERS\LV561AV.SYS (not found)
0 PxHelp20 - System32\DRIVERS\PxHelp20.sys (not found)
0 RecAgent - System32\DRIVERS\SLDRV\RecAgent.sys (not found)
3 Rksample - System32\DRIVERS\HSF_SAMP.sys (not found)
3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - System32\DRIVERS\RTL8139.SYS (not found)
1 SASDIFSV - D:\Program Files\SUPERAntiSpyware\sasdifsv.sys
3 SASENUM - D:\Program Files\SUPERAntiSpyware\SASENUM.SYS
1 SASKUTIL - D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
3 sbpci (SB PCI Family Audio Driver (WDM)) - system32\drivers\sbpci.sys (not found)
3 SLIP (BDA Slip De-Framer) - System32\DRIVERS\SLIP.sys (not found)
3 Slntamr (SmartLink AMR_PCI Driver) - System32\DRIVERS\SLDRV\slntamr.sys (not found)
3 SlNtHal - System32\DRIVERS\SLDRV\Slnthal.sys (not found)
3 SlWdmSup - System32\DRIVERS\SLDRV\SlWdmSup.sys (not found)
3 SNCP106 (PC Camera (6009 CIF)) - System32\DRIVERS\sncp106.sys (not found)
2 SoftFax - System32\DRIVERS\HSF_FAXX.sys (not found)
1 sp_rsdrv2 (Spyware Terminator Driver 2) - D:\WINDOWS\system32\drivers\sp_rsdrv2.sys
3 streamip (BDA IPSink) - System32\DRIVERS\StreamIP.sys (not found)
2 SVKP - D:\WINDOWS\system32\SVKP.sys
3 SYMIDSCO - D:\PROGRA~1\COMMON~1\Symantec Shared\SymcData\ids-diskless\20060710.095\symidsco.sys (not found)
3 tj2knd5 (Terayon Cable Modem (NDIS)) - System32\DRIVERS\tj2knd5.sys (not found)
3 tj2kunic (Terayon Cable Modem (WDM)) - System32\DRIVERS\tj2kunic.sys (not found)
2 Tones - System32\DRIVERS\HSF_TONE.sys (not found)
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys (not found)
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys (not found)
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys (not found)
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS (not found)
2 V124 - System32\DRIVERS\HSF_V124.sys (not found)
0 viaagp (VIA AGP Bus Filter) - System32\DRIVERS\viaagp.sys (not found)
4 Voodoo3 - System32\DRIVERS\Voodoo3.sys (not found)
4 WS2IFSL (סביבת תמיכה של ספק שירות Windows Socket 2.0 Non-IFS) - D:\WINDOWS\system32\drivers\ws2ifsl.sys
3 WSTCODEC (World Standard Teletext Codec) - System32\DRIVERS\WSTCODEC.SYS (not found)
2 WXEINNFJ - D:\WINDOWS\System32\wxeinnfj.who (not found)
 
Part 4 and 5 combo scan:

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4 Adobe LM Service - "D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
4 Alerter - %SystemRoot%\System32\svchost.exe -k LocalService
3 ALG (Application Layer Gateway Service) - %SystemRoot%\System32\alg.exe
3 AppMgmt (Application Management) - %SystemRoot%\system32\svchost.exe -k netsvcs
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2 AudioSrv (Windows Audio) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 AVG Anti-Spyware Guard - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 Avg7Alrt (AVG7 Alert Manager Server) - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2 Avg7UpdSvc (AVG7 Update Service) - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2 AVGEMS (AVG E-mail Scanner) - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
4 BITS (Background Intelligent Transfer Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 Browser (Computer Browser) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 CiSvc (Indexing Service) - %SystemRoot%\system32\cisvc.exe
3 ClipSrv (ClipBook) - %SystemRoot%\system32\clipsrv.exe
3 COMSysApp (COM+ System Application) - D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2 CryptSvc (Cryptographic Services) - %SystemRoot%\system32\svchost.exe -k netsvcs
2 Dhcp (DHCP Client) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 dmadmin (Logical Disk Manager Administrative Service) - %SystemRoot%\System32\dmadmin.exe /com
2 dmserver (Logical Disk Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 Dnscache (DNS Client) - %SystemRoot%\System32\svchost.exe -k NetworkService
4 ERSvc (Error Reporting Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 Eventlog (Event Log) - %SystemRoot%\system32\services.exe
4 EventSystem (COM+ Event System) - D:\WINDOWS\System32\svchost.exe -k netsvcs
3 FastUserSwitchingCompatibility (Fast User Switching Compatibility) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 helpsvc (Help and Support) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 HidServ (Human Interface Device Access) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 IDriverT (InstallDriver Table Manager) - "D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3 ImapiService (IMAPI CD-Burning COM Service) - D:\WINDOWS\System32\imapi.exe
2 lanmanworkstation (Workstation) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 LexBceS (LexBce Server) - D:\WINDOWS\system32\LEXBCES.EXE
2 LmHosts (TCP/IP NetBIOS Helper) - %SystemRoot%\System32\svchost.exe -k LocalService
3 Macromedia Licensing Service - "D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
4 MDM (Machine Debug Manager) - "D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
4 Messenger - %SystemRoot%\System32\svchost.exe -k netsvcs
4 mnmsrvc (NetMeeting Remote Desktop Sharing) - D:\WINDOWS\System32\mnmsrvc.exe
3 MSDTC (Distributed Transaction Coordinator) - D:\WINDOWS\System32\msdtc.exe
3 MSIServer (Windows Installer) - D:\WINDOWS\System32\msiexec.exe /V
3 NetDDE (Network DDE) - %SystemRoot%\system32\netdde.exe
3 NetDDEdsdm (Network DDE DSDM) - %SystemRoot%\system32\netdde.exe
3 Netlogon (Net Logon) - %SystemRoot%\System32\lsass.exe
3 Netman (Network Connections) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 Nla (Network Location Awareness (NLA)) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 NtLmSsp (NT LM Security Support Provider) - %SystemRoot%\System32\lsass.exe
3 NtmsSvc (Removable Storage) - %SystemRoot%\system32\svchost.exe -k netsvcs
3 ose (Office Source Engine) - D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2 PersFw (Kerio Personal Firewall) - D:\Program Files\Kerio\Personal Firewall\persfw.exe
2 PlugPlay (Plug and Play) - %SystemRoot%\system32\services.exe
2 PolicyAgent (IPSEC Services) - %SystemRoot%\System32\lsass.exe
2 ProtectedStorage (Protected Storage) - %SystemRoot%\system32\lsass.exe
4 ProtexisLicensing - D:\WINDOWS\System32\PSIService.exe
3 RasAuto (Remote Access Auto Connection Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 RasMan (Remote Access Connection Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 RDSessMgr (Remote Desktop Help Session Manager) - D:\WINDOWS\system32\sessmgr.exe
4 RemoteAccess (Routing and Remote Access) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 RemoteRegistry (Remote Registry) - %SystemRoot%\system32\svchost.exe -k LocalService
3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"
3 RpcLocator (Remote Procedure Call (RPC) Locator) - %SystemRoot%\System32\locator.exe
2 RpcSs (Remote Procedure Call (RPC)) - %SystemRoot%\system32\svchost -k rpcss
3 RSVP (QoS RSVP) - %SystemRoot%\System32\rsvp.exe
2 SamSs (Security Accounts Manager) - %SystemRoot%\system32\lsass.exe
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
3 SCardSvr (Smart Card) - %SystemRoot%\System32\SCardSvr.exe
4 Schedule (Task Scheduler) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 seclogon (Secondary Logon) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 SENS (System Event Notification) - %SystemRoot%\system32\svchost.exe -k netsvcs
4 SharedAccess (Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 ShellHWDetection (Shell Hardware Detection) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 SLService (SmartLinkService) - slmdmsr.exe
2 Spooler (Print Spooler) - %SystemRoot%\system32\spoolsv.exe
2 sp_rssrv (Spyware Terminator Realtime Shield Service) - D:\Program Files\Spyware Terminator\sp_rsser.exe
4 srservice (System Restore Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 SSDPSRV (SSDP Discovery Service) - %SystemRoot%\System32\svchost.exe -k LocalService
2 stisvc (Windows Image Acquisition (WIA)) - %SystemRoot%\System32\svchost.exe -k imgsvc
3 SwPrv (MS Software Shadow Copy Provider) - D:\WINDOWS\System32\dllhost.exe /Processid:{EFB03FCD-4298-45F4-A28F-EB6FA262C95A}
3 SysmonLog (Performance Logs and Alerts) - %SystemRoot%\system32\smlogsvc.exe
3 TapiSrv (Telephony) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 TermService (Terminal Services) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 Themes - %SystemRoot%\System32\svchost.exe -k netsvcs
4 TlntSvr (Telnet) - D:\WINDOWS\System32\tlntsvr.exe
4 TrkWks (Distributed Link Tracking Client) - %SystemRoot%\system32\svchost.exe -k netsvcs
2 UMWdf (Windows User Mode Driver Framework) - D:\WINDOWS\System32\wdfmgr.exe
4 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 upnphost (Universal Plug and Play Device Host) - %SystemRoot%\System32\svchost.exe -k LocalService
3 UPS (Uninterruptible Power Supply) - %SystemRoot%\System32\ups.exe
3 VSS (Volume Shadow Copy) - %SystemRoot%\System32\vssvc.exe
4 W32Time (Windows Time) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 WebClient - %SystemRoot%\System32\svchost.exe -k LocalService
2 winmgmt (Windows Management Instrumentation) - %systemroot%\system32\svchost.exe -k netsvcs
4 WmdmPmSN (Portable Media Serial Number Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 Wmi (Windows Management Instrumentation Driver Extensions) - %SystemRoot%\System32\svchost.exe -k netsvcs
3 WmiApSrv (WMI Performance Adapter) - D:\WINDOWS\System32\wbem\wmiapsrv.exe
4 wuauserv (Automatic Updates) - %systemroot%\system32\svchost.exe -k netsvcs
4 WZCSVC (Wireless Zero Configuration) - %SystemRoot%\System32\svchost.exe -k netsvcs
 
Part 5

-- Files created between 2007-01-27 and 2007-02-27 ------------------------------

2007-02-27 11:00:25 218112 --a------ D:\s.exe
2007-02-26 23:52:14 3968 --a------ D:\WINDOWS\System32\drivers\AvgAsCln.sys
2007-02-26 23:47:58 8491297 --a------ D:\avgas-signatures-full-current.exe
2007-02-26 23:39:07 229251 --a------ D:\avgas-signatures-current.exe
2007-02-26 21:20:47 452280 --a------ D:\comboscan.exe
2007-02-25 13:10:14 311296 --a------ D:\WINDOWS\System32\cdintf.dll
2007-02-25 13:10:06 212480 -----n--- D:\WINDOWS\System32\PCDLIB32.DLL
2007-02-25 13:10:06 855552 --a------ D:\WINDOWS\System32\Ltwvc12n.dll
2007-02-25 13:10:06 35328 --a------ D:\WINDOWS\System32\lttwn12n.dll
2007-02-25 13:10:06 388608 --a------ D:\WINDOWS\System32\ltkrn12n.dll
2007-02-25 13:10:06 165888 --a------ D:\WINDOWS\System32\ltimg12n.dll
2007-02-25 13:10:06 149504 --a------ D:\WINDOWS\System32\Lfpng12n.dll
2007-02-25 13:10:06 26624 --a------ D:\WINDOWS\System32\lfpcx12n.dll
2007-02-25 13:10:06 36352 --a------ D:\WINDOWS\System32\lfgif12n.dll
2007-02-25 13:10:05 130048 --a------ D:\WINDOWS\System32\ltfil12n.DLL
2007-02-25 13:10:05 207872 --a------ D:\WINDOWS\System32\ltefx12n.dll
2007-02-25 13:10:05 258560 --a------ D:\WINDOWS\System32\LTDIS12n.dll
2007-02-25 13:10:05 49664 --a------ D:\WINDOWS\System32\Lfwmf12n.dll
2007-02-25 13:10:05 141824 --a------ D:\WINDOWS\System32\lftif12n.dll
2007-02-25 13:10:05 20992 --a------ D:\WINDOWS\System32\lftga12n.dll
2007-02-25 13:10:05 36864 --a------ D:\WINDOWS\System32\lfpsd12n.dll
2007-02-25 13:10:05 19968 --a------ D:\WINDOWS\System32\lfpcd12n.dll
2007-02-25 13:10:05 19968 --a------ D:\WINDOWS\System32\lfitg12n.dll
2007-02-25 13:10:05 38912 --a------ D:\WINDOWS\System32\lfflc12n.dll
2007-02-25 13:10:05 341504 --a------ D:\WINDOWS\System32\LFCMP12n.DLL
2007-02-25 13:10:05 30720 --a------ D:\WINDOWS\System32\lfbmp12n.dll
2007-02-25 12:50:59 0 d-------- D:\Projects
2007-02-25 12:50:59 0 d-------- D:\Libs
2007-02-24 21:39:18 0 d-------- D:\Documents and Settings\s\Application Data\TrojanHunter
2007-02-24 20:01:58 0 d-------- D:\Program Files\TrojanHunter 4.6
2007-02-24 00:17:05 2062665 --a------ D:\spywareguardsetup.exe
2007-02-24 00:05:58 2566736 --a------ D:\spywareblastersetup351.exe
2007-02-24 00:01:41 0 d-------- D:\hosts
2007-02-23 21:07:47 0 d-------- D:\Documents and Settings\s\Application Data\F-Secure
2007-02-23 20:48:14 0 d-------- D:\Program Files\Oversight System Sentinel Demo
2007-02-23 20:45:59 0 d-------- D:\Program Files\F-Secure
2007-02-23 20:44:31 0 d-------- D:\Documents and Settings\All Users\Application Data\fssg
2007-02-23 20:35:00 67984152 --a------ D:\fs2007.exe
2007-02-23 20:21:48 23552 --a------ D:\MsnVirRem.exe
2007-02-23 20:21:02 51134 --a------ D:\combofix.exe
2007-02-23 17:24:40 0 d-------- D:\Program Files\Safer Networking
2007-02-23 16:31:41 5037072 --a------ D:\spybotsd14.exe
2007-02-23 16:30:14 898816 --a------ D:\regalyz.exe
2007-02-23 10:51:43 2794488 --a------ D:\spynomore.exe
2007-02-23 00:34:51 5743392 --a------ D:\SUPERAntiSpyware.exe
2007-02-22 23:42:56 50688 --a------ D:\ATF-Cleaner.exe
2007-02-22 23:39:18 1914 --a------ D:\WINDOWS\System32\tmp.reg
2007-02-22 23:38:13 79360 --a------ D:\WINDOWS\System32\swxcacls.exe
2007-02-22 23:38:13 40960 --a------ D:\WINDOWS\System32\swsc.exe
2007-02-22 23:38:13 288417 --a------ D:\WINDOWS\System32\SrchSTS.exe
2007-02-22 23:38:13 51200 --a------ D:\WINDOWS\System32\dumphive.exe
2007-02-22 23:38:12 135168 --a------ D:\WINDOWS\System32\swreg.exe
2007-02-22 23:38:12 53248 --a------ D:\WINDOWS\System32\Process.exe
2007-02-22 23:38:04 0 d-------- D:\SmitfraudFix
2007-02-22 21:39:23 0 d-------- D:\Documents and Settings\Administrator.******\Application Data\Spyware Terminator
2007-02-21 20:42:33 135936 --a------ D:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2007-02-21 20:42:33 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Spyware Terminator
2007-02-21 20:38:01 0 d-------- D:\Documents and Settings\s\Application Data\Spyware Terminator
2007-02-21 20:38:01 0 d-------- D:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-02-21 20:37:53 0 d-------- D:\Program Files\Spyware Terminator
2007-02-21 20:23:56 0 d-------- D:\Documents and Settings\s\Application Data\AVG7
2007-02-21 20:12:13 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-02-21 20:12:03 4960 --a------ D:\WINDOWS\System32\drivers\avgtdi.sys
2007-02-21 20:12:03 18432 --a------ D:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-21 20:12:03 3968 --a------ D:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 20:12:01 27776 --a------ D:\WINDOWS\System32\drivers\avg7rsxp.sys
2007-02-21 20:12:01 4224 --a------ D:\WINDOWS\System32\drivers\avg7rsw.sys
2007-02-21 20:11:56 839936 --a------ D:\WINDOWS\System32\drivers\avg7core.sys
2007-02-21 20:11:36 0 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2007-02-21 09:00:14 19170000 --a------ D:\avg75free_441a944.exe
2007-02-21 08:45:10 737625 --a------ D:\SmitfraudFix.exe
2007-02-20 16:22:32 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-02-20 16:21:35 0 d-------- D:\Program Files\SUPERAntiSpyware
2007-02-20 16:21:35 0 d-------- D:\Documents and Settings\s\Application Data\SUPERAntiSpyware.com
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\zts2.exe
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\System32\vcmgcd32.dll
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\System32\iifgfgf.dll
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\rundll16.exe
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\rundl132.dll
2007-02-20 16:09:23 0 d-a------ D:\WINDOWS\logo1_.exe
2007-02-20 16:00:51 128512 --a------ D:\WINDOWS\System32\T.COM
2007-02-20 16:00:50 128512 --a------ D:\WINDOWS\System32\TASKMGR.COM
2007-02-20 16:00:50 134144 --a------ D:\WINDOWS\REGEDIT.COM
2007-02-20 16:00:50 134144 --a------ D:\WINDOWS\R.COM
2007-02-20 15:40:55 0 d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2007-02-17 16:42:54 0 d-------- D:\Documents and Settings\s\Application Data\Apple Computer
2007-02-13 23:58:15 286720 -----n--- D:\WINDOWS\Setup1.exe
2007-02-13 23:57:51 0 d-------- D:\mister
2007-02-13 23:52:21 648351 --a------ D:\decks v1.exe
2007-02-13 23:45:40 0 d-------- D:\Program Files\NovaDSP
2007-02-13 23:45:28 1274779 --a------ D:\rifflite_setup.exe
2007-02-13 17:06:32 0 d-------- D:\Program Files\Transcribe!
2007-02-13 17:06:07 1455232 --a------ D:\xscsetup.exe
2007-02-13 16:58:07 0 d-------- D:\Program Files\AnalogX
2007-02-13 16:57:57 220569 --a------ D:\sayiti.exe
2007-02-13 16:47:18 0 d-------- D:\Program Files\d-lusion
2007-02-13 16:45:06 0 d-------- D:\Documents and Settings\s\Application Data\Cycling '74
2007-02-13 16:44:32 0 d-------- D:\AVdrum 021
2007-02-13 16:30:38 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Messenger_5.0.0482
2007-02-13 16:28:03 2211840 --a------ D:\dreamstation.exe
2007-02-13 16:24:21 0 d-------- D:\at2
2007-02-12 15:35:19 111397872 --a------ D:\acidpro60c-trial_enu.exe
2007-02-12 15:18:48 38122608 --a------ D:\acidxpress50a.exe
2007-02-06 09:02:28 0 --a------ D:\WINDOWS\System32\intr32.dll
2007-02-05 23:44:47 0 d-------- D:\GDT3
2007-02-05 23:32:15 107520 --a------ D:\Scratch_Me.exe
2007-02-05 23:28:02 1242112 --a------ D:\WINDOWS\SPT-667.exe
2007-02-05 23:28:02 26712 --a------ D:\WINDOWS\dmetmsf.dat
2007-02-05 23:28:02 14392 --a------ D:\WINDOWS\dmetmsa.dat
2007-02-05 23:28:02 92728 --a------ D:\WINDOWS\dmet.dat
2007-02-05 23:27:48 1242112 --a------ D:\SPT-667.exe
2007-02-05 23:22:03 3504975 --a------ D:\plsmst30.exe
2007-02-03 18:00:23 10452638 --a------ D:\movie_morpher_gold_cnt.exe
2007-02-03 17:29:51 0 d-------- D:\2xex1412
2007-02-03 17:17:24 0 d-------- D:\Program Files\Alwil Software
2007-02-03 17:08:57 12099848 --a------ D:\setupeng.exe
2007-02-03 17:08:24 0 d-------- D:\Program Files\ToniArts
2007-02-03 17:04:49 2951802 --a------ D:\EClea2_0.exe
2007-02-02 20:19:26 0 d-------- D:\Program Files\Liatro
2007-02-02 18:30:02 0 d-------- D:\frenzy
2007-02-02 18:25:06 0 d-------- D:\toubou
2007-02-02 10:24:54 348160 --a------ D:\WINDOWS\System32\MSVCR71.DLL
2007-02-02 10:24:53 499712 --a------ D:\WINDOWS\System32\MSVCP71.DLL
2007-02-02 10:24:51 1060864 --a------ D:\WINDOWS\System32\MFC71.DLL
2007-02-02 10:22:26 89088 --a------ D:\WINDOWS\System32\atl71.dll
2007-02-02 10:13:52 33340 --a------ D:\WINDOWS\System32\dbmsqlgc.dll
2007-02-02 10:13:52 24576 --a------ D:\WINDOWS\System32\dbmsgnet.dll
2007-02-02 10:10:23 765952 -----n--- D:\WINDOWS\System32\msvcp71d.dll
2007-02-02 10:10:20 544768 -----n--- D:\WINDOWS\System32\msvcr71d.dll
2007-02-02 09:38:59 0 d-------- D:\SmartSound Software
2007-02-02 09:34:07 171008 --a------ D:\WINDOWS\System32\drivers\MarvinBus.sys
2007-02-02 09:31:46 57344 --a------ D:\WINDOWS\System32\MFC71ENU.DLL
2007-02-02 09:12:59 0 d-------- D:\Program Files\Common Files\Download Manager
2007-02-01 01:16:31 0 d-------- D:\Program Files\Windows Media Bonus Pack for Windows XP
2007-02-01 01:14:59 6 --a------ D:\Documents and Settings\s\Application Data\mmrpzlic.dat
2007-01-31 19:16:44 0 d-------- D:\Program Files\Temp
2007-01-31 19:00:56 220 ---hs---- D:\WINDOWS\dwin.sys
2007-01-31 19:00:38 0 d-------- D:\Program Files\TM2V2
2007-01-31 17:19:37 0 d-------- D:\MySlideshow
2007-01-31 14:50:27 0 d-------- D:\Program Files\DVD Photo Slideshow Professional
2007-01-31 14:43:25 0 d-------- D:\Program Files\Slideshow pro
2007-01-31 14:39:53 0 d-------- D:\Program Files\mresreg
2007-01-30 07:20:02 16384 --a------ D:\WINDOWS\System32\FileOps.exe
2007-01-30 07:20:01 0 d-------- D:\WINDOWS\System32\Adobe
2007-01-30 00:07:59 0 d-------- D:\icetemplates.com_free006_ecommerce
2007-01-30 00:06:07 0 d-------- D:\sample_osc
2007-01-29 12:54:27 0 d-------- D:\Program Files\Popims
2007-01-28 13:51:44 0 d-------- D:\Documents and Settings\s\Application Data\Sony
2007-01-28 13:50:08 12580696 --a------ D:\mm20enu.exe
2007-01-28 13:23:15 69556081 --a------ D:\moviestudio60b-trial_enu.exe
2007-01-28 01:40:25 0 d-------- D:\logos1
2007-01-27 17:47:25 0 d-------- D:\template53
2007-01-27 13:14:40 0 d-------- D:\template64
2007-01-27 13:14:10 0 d-------- D:\template49


-- Find3M Report ----------------------------------------------------------------

2007-02-26 23:52:06 0 d-------- D:\Program Files\Grisoft
2007-02-25 13:10:05 0 d-------- D:\Program Files\Common Files\Broderbund
2007-02-25 13:10:04 0 d--h----- D:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-25 13:09:28 0 d-------- D:\Program Files\Web Publish
2007-02-25 13:04:33 0 d-------- D:\Program Files\Broderbund
2007-02-25 12:13:56 494582 --a------ D:\Fixwareout.exe
2007-02-24 22:08:49 0 d-------- D:\Program Files\SpywareGuard
2007-02-24 00:08:09 0 d-------- D:\Program Files\SpywareBlaster
2007-02-20 16:20:30 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-20 15:38:43 0 d-------- D:\Documents and Settings\s\Application Data\Adobe
2007-02-20 15:38:11 0 d-------- D:\Program Files\VirtualDJ
2007-02-20 15:37:29 0 d-------- D:\Program Files\Common Files\Adobe
2007-02-20 15:37:18 0 d-------- D:\Program Files\Art Plus
2007-02-20 15:37:16 0 d-------- D:\Program Files\Corel
2007-02-16 21:17:10 0 d-------- D:\Documents and Settings\s\Application Data\Ableton
2007-02-16 21:14:23 0 d-------- D:\Program Files\Ableton
2007-02-16 03:09:14 0 d-------- D:\Documents and Settings\s\Application Data\Audacity
2007-02-15 13:25:10 0 d-------- D:\Documents and Settings\s\Application Data\Domain Name Analyzer Pro v4.0
2007-02-13 15:56:53 0 d-------- D:\Program Files\Lexmark X1100 Series
2007-02-12 21:31:00 0 d-------- D:\Program Files\Sony
2007-02-12 21:26:42 0 d-------- D:\Program Files\Sony Setup
2007-02-04 17:54:01 0 d-------- D:\Program Files\Smoke Attack 2<SMOKEA~2>
2007-02-04 09:19:35 0 d-------- D:\Program Files\Show.kit 2.1
2007-02-03 20:31:01 0 d-------- D:\Program Files\Morpheus
2007-02-03 17:12:59 0 d-------- D:\Program Files\Amara - Flash Intro and Banner Builder
2007-02-03 17:10:00 0 d-------- D:\Program Files\Jasc Software Inc
2007-02-03 16:58:07 0 d-------- D:\Program Files\IncrediMail
2007-02-02 11:07:26 0 d-------- D:\Program Files\Pinnacle
2007-02-02 10:55:36 1852 --a------ D:\WINDOWS\System32\d3d9caps.dat
2007-01-28 13:51:28 0 d-------- D:\Program Files\Movie Maker<MOVIEM~1>
2007-01-26 23:49:23 0 d-------- D:\Program Files\Windows Media Components
2007-01-26 23:47:58 0 d-------- D:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-01-26 23:43:35 141606188 --a------ D:\uvs10_tbyb_(e)_na.exe
2007-01-23 15:22:19 0 d-------- D:\Program Files\Shockwave.com
2007-01-21 14:39:18 4704 --ahs---- D:\WINDOWS\System32\KGyGaAvL.sys
2007-01-21 14:04:09 0 d-------- D:\Documents and Settings\s\Application Data\Corel
2007-01-21 14:03:09 88 -r-hs---- D:\WINDOWS\System32\84C07846D1.sys
2007-01-21 12:57:35 0 d---s---- D:\Documents and Settings\s\Application Data\Microsoft<MICROS~1>
2007-01-17 18:45:31 0 d-------- D:\Documents and Settings\s\Application Data\Softnik Technologies
2007-01-17 17:07:35 0 d-------- D:\Program Files\Softnik Technologies
2007-01-15 17:20:53 56 -r-hs---- D:\WINDOWS\System32\D14678C084.sys
2007-01-15 12:54:32 0 d-------- D:\Program Files\Common Files\Adobe Systems Shared
2007-01-08 09:28:06 0 d-------- D:\Program Files\CoffeeCup Software
2007-01-08 09:10:13 6458671 --a------ D:\CoffeeFormBuilder50.exe
2007-01-07 23:05:09 18481128 --a------ D:\Babylon6_setup_heb_eng_heb_oxford.exe
2007-01-05 19:15:30 0 d-------- D:\Documents and Settings\s\Application Data\Macromedia<MACROM~1>
2007-01-05 19:11:32 0 d-------- D:\Program Files\Common Files\SourceTec
2007-01-05 19:11:28 0 d-------- D:\Program Files\SourceTec
2007-01-05 19:05:07 0 d-------- D:\Program Files\DComSoft
2007-01-05 19:04:46 1360574 --a------ D:\SWF Picture Extractor.exe
2007-01-04 12:26:38 5292032 --a------ D:\MixVibes6demo.exe
2006-12-30 22:47:46 0 d-------- D:\Program Files\SpacialAudio
2006-12-30 13:44:11 0 d-------- D:\Program Files\Acoustica Mixcraft
2006-12-27 12:16:04 0 d-------- D:\Program Files\Microsoft.NET
2006-12-21 12:54:53 10083348 --a------ D:\WebSmartzTrialEdition.EXE
2006-12-20 03:38:31 131584 --a------ D:\WINDOWS\System32\SpoonUninstall.exe
2006-12-20 03:38:24 749568 --a------ D:\WINDOWS\System32\swfgen.dll
2006-12-09 16:01:36 6538503 --a------ D:\3drecg2.exe
2006-12-08 02:11:49 4469879 --a------ D:\amarafibb.exe
2006-11-28 19:56:18 1740 --a------ D:\WINDOWS\System32\d3d8caps.dat


-- Registry Dump ----------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"THGuard"="\"D:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"="D:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Babylon Client"="D:\\Program Files\\Babylon\\Babylon-Pro\\Babylon.exe -AutoStart"
"Lexmark X1100 Series"="\"D:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^s^Start Menu^Programs^Startup^Netvision Cable Connect.url]
"backup"="D:\\WINDOWS\\pss\\Netvision Cable Connect.urlStartup"
"location"="Startup"
"item"="Netvision Cable Connect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=dword:00000003


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5BACC17E-BDF7-405B-BC68-ECB506395118}"="NSIS Media Extension"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of ComboScan: finished at 2007-02-27 at 11:01:48 -------------------------
 
Hi,

You seem to have been reinfected by Wareout.

*You need to disable TrojanHunter temporarily; it can stop our fix. Please re-enable it after your system is clean.
Before we start, please go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right click it and select "Settings." Uncheck "Load at Startup" and "Enabled". Make sure that the program, TrojanHunter itself, is also closed/not running.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
____________________

*You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again. After your computer restarts, a notepad report will immediately open, please post all the contents of that report.


*Now let's check some settings on your system.
(2000/XP) Only
  • In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
  • Then right click on your default connection, usually Local Area Connection for cable and dsl, and left click on Properties.
  • Click the Networking tab.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Next go to Start > Run > type cmd and hit OK

type ipconfig /flushdns

then hit enter, type exit hit enter.
(that space between g and / is needed)

Finally, please post a fresh HijackThis log, along with the contents of the report.
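The three kinds of entries the helper picked out of the log above (an O17 NameServer pointing at public resolvers, O16 Downloaded Program Files with no name or source URL, and an O23 service whose binary is missing) can be checked mechanically. The following Python script is an added example, not part of this thread and not code from HijackThis or FixWareout; it runs those checks over a constructed sample of HijackThis-style lines modelled on the ones posted here. The `expected_resolvers` allowlist, the `Finding` type and the second O17 line with the all-zero GUID are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O17"
    reason: str   # why the entry deserves a look
    line: str     # the log line, unchanged


# "O17 - <registry path>: NameServer = a.b.c.d[ e.f.g.h]"
O17_RE = re.compile(r"^O17 - .*?: NameServer = (.+)$")
# "O16 - DPF: {CLSID} (Friendly name) - http://..."; name and URL may both be
# absent, which is the shape the helper flagged in the log above.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})\s*(\([^)]*\))?\s*-\s*(.*)$")


def nameserver_findings(line, expected_resolvers):
    """Flag O17 entries whose resolvers are neither private (the home router or
    an internal server) nor in the admin-supplied allowlist (assumed parameter)."""
    m = O17_RE.match(line)
    if not m:
        return []
    suspicious = []
    for token in re.split(r"[\s,]+", m.group(1).strip()):
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            suspicious.append(token)  # not even a valid address: worth a look
            continue
        if addr.is_private or addr in expected_resolvers:
            continue
        suspicious.append(str(addr))
    if not suspicious:
        return []
    reason = "NameServer set to unexpected public resolver(s): " + ", ".join(suspicious)
    return [Finding("O17", reason, line)]


def dpf_findings(line):
    """Flag Downloaded Program File entries with neither a friendly name nor a URL."""
    m = O16_RE.match(line)
    if not m:
        return []
    clsid, name, source = m.groups()
    if not name and not source.strip():
        return [Finding("O16", f"Downloaded Program File {clsid} has no name or source URL", line)]
    return []


def service_findings(line):
    """Flag services that are registered but whose executable is gone."""
    if line.startswith("O23 - Service:") and line.rstrip().endswith("(file missing)"):
        return [Finding("O23", "service registered but its binary is missing", line)]
    return []


def analyze(log_text, expected_resolvers=()):
    """Run every check over a HijackThis log; findings come back in log order."""
    expected = {ipaddress.ip_address(r) for r in expected_resolvers}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings += nameserver_findings(line, expected)
        findings += dpf_findings(line)
        findings += service_findings(line)
    return findings


# Constructed sample: lines modelled on the log in this thread plus two benign
# controls (a named O16 with a URL, an O17 pointing at a private router address
# under an assumed all-zero GUID, and a service whose binary is present).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
"""


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Passing the ISP's real resolver addresses in `expected_resolvers` keeps a legitimate public DNS setting from being reported, so the O17 check only fires when the configured servers are neither local nor ones the user chose.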
 
Logs

Thanks again for your help.

Log of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 15:00:27, on 28/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\system32\slmdmsr.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

Log of Fixwareout:


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
 
*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe. Then, cut and paste that file to the new folder you created.
_______________

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet.

Download CWShredder from here, install it, check for updates but again, don't use it yet.
_______________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

*Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

*Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Reboot to normal mode.

I also noticed that your AVG Antispyware log was not posted correctly. You only posted the first part of the log; then it was cut off. On your next reply, please post a fresh HijackThis log, AVG Antispyware log and the AboutBuster log.
 
About

Thanks again.

My redirections are fixed, and I don't have any hijack...
I installed IE6 again, and now I can connect to secure sites.

Continue doing the fix process?

I opened the REG files that you told me to add to the registry, and some of the lines were "gibberish"... still OK to add it?
 