it became a big problem.... help!!!!


Ransimch

New member
Hello,

I got a malware; at first it didn't do much harm. The only thing that was wrong was that the Explorer windows were shutting down by themselves, and there was a message (in a balloon at the corner of the screen) saying that I was infected by spyware.

My Norton didn't find anything.

Then I read and did what is written at "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance).

I rebooted my computer into Safe Mode, fixed some things with Spybot, and when I rebooted it again into Windows I found out that I cannot connect to the net.
(I'm writing from another computer.)

Please consider that when you're helping me.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:33, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mainconcept\PVR\PvrLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Mainconcept\PVR\mcavserv.exe
C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6962 bytes

KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 2:07:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/02/2008
Kaspersky Anti-Virus database records: 585247


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 58529
Number of viruses found 6
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 00:26:14

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temp\uninst.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\WN7R6W5D\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\55BB33B1.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cg skipped

C:\Program Files\Norton AntiVirus\Quarantine\571F1429.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5BCB69DE.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5F603114.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP104\A0010365.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010429.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\launcher.ocx Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\change.log Object is locked skipped

Scan process completed.


I hope to hear from you fast....

Thanks a lot,

ransimch.
 
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information:
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Not quite sure about this one, but I will do my best to help. Have you been able to get online yet? You may wish to ask your Internet Service Provider for help; this junk may have changed settings. Here is information about at least one of the trojans I see:
http://www.bleepingcomputer.com/startups/braviax-21759.html
http://www.prevx.com/filenames/954251374095121964-0/BRAVIAX.EXE.html
Among other problems it causes is this:
Can communicate with other computer systems using HTTP protocols

C:\Program Files\Norton AntiVirus\Quarantine\ <<< delete the contents of the NAV Quarantine folder
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

I need to collect some information first. You are infected; I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do. If you cannot get online, bring the tool to this computer from another computer.


1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

(if that link is still down, use this one)
http://www.scanwith.com/download/ATF_Cleaner.htm

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right-click Start > Explore, navigate to these files/folders and delete them if there.

(delete files in red)

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\Downloaded Program Files\launcher.ocx

C:\WINDOWS\system32\winivstr.exe

C:\WINDOWS\Temp\iottem.dll

C:\WINDOWS\trashicon.exe

C:\WINDOWS\wndsk.dll

C:\Documents and Settings\ran simchas\Local Settings\Temp\ <<< contents

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\ <<< contents

(ATF-Cleaner will clean those also, that is a double check for junk)

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the C:\rapport.txt and a new HJT log. Add any comments you think will help.

Thanks
 
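Steps 5 and 6 of the post above come from reading the two reports side by side: the HijackThis O4 lines show what is set to autostart, and the Kaspersky report shows which files on disk were detected, including stored copies in the Norton Quarantine folder and in System Restore points that are not running code. The following Python script is an added example (not a tool from this thread, from Safer Networking, or from any of the products mentioned) that automates that reading: it parses both reports, separates live detections from quarantine and restore-point copies, lists autorun names registered under more than one hive, and reports which live detections have no autorun entry at all. The sample inputs are excerpts copied from the reports in this thread; the parsing rules and the "same autorun in more than one hive" heuristic are this example's own assumptions.

```python
"""Triage helper that cross-references a Kaspersky Online Scanner report with a
HijackThis log.  Added example; not code from the thread or from any vendor.
The regexes and the multi-hive heuristic are assumptions made for this example."""
import re
from collections import Counter, defaultdict

# Constructed sample inputs: lines copied from the reports posted in the thread.
KASPERSKY_SAMPLE = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\55BB33B1.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cg skipped
C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped
C:\WINDOWS\Downloaded Program Files\launcher.ocx Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped
C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped
C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Kaspersky report line: "<path> Infected: <name> skipped" or "<path> Object is locked skipped".
KASP_LINE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<det>\S+)|Object is locked) skipped$")
# HijackThis O4 Run entry: "O4 - <hive>\..\Run: [<name>] <command>".
HJT_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Leading drive-letter path of the command, with or without surrounding quotes.
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


def parse_kaspersky(text):
    """Return (path, detection) for every detected object; locked objects are not detections."""
    hits = []
    for line in text.splitlines():
        m = KASP_LINE.match(line.strip())
        if m and m.group("det"):
            hits.append((m.group("path"), m.group("det")))
    return hits


def classify(path):
    """Where a detected file lives decides what it means: AV quarantine and
    System Restore snapshots hold stored copies, not running code."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def summarize_kaspersky(text):
    """Count detections per location class."""
    return Counter(classify(path) for path, _ in parse_kaspersky(text))


def parse_hjt_runs(text):
    """Return (hive, name, target path or None) for every O4 Run entry."""
    runs = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        p = EXE_PATH.match(m.group("cmd"))
        runs.append((m.group("hive"), m.group("name"), p.group("path") if p else None))
    return runs


def multi_hive_entries(text):
    """Autorun names registered under more than one hive (the braviax pattern in
    this thread).  ctfmon.exe is a legitimate Windows component that also matches,
    so treat the output as a review cue, not a verdict."""
    hives = defaultdict(set)
    for hive, name, _ in parse_hjt_runs(text):
        hives[name.lower()].add(hive)
    return {n: sorted(h) for n, h in hives.items() if len(h) > 1}


def cross_reference(kasp_text, hjt_text):
    """Split live detections into those an autorun points at (fixing the O4 entry
    still leaves the file to delete) and orphans reachable only by manual deletion."""
    targets = {t.lower() for _, _, t in parse_hjt_runs(hjt_text) if t}
    with_autorun, orphans = [], []
    for path, det in parse_kaspersky(kasp_text):
        if classify(path) != "live":
            continue
        (with_autorun if path.lower() in targets else orphans).append((path, det))
    return with_autorun, orphans


if __name__ == "__main__":
    print("detections by location:", dict(summarize_kaspersky(KASPERSKY_SAMPLE)))
    print("autoruns in more than one hive:", multi_hive_entries(HJT_SAMPLE))
    linked, orphans = cross_reference(KASPERSKY_SAMPLE, HJT_SAMPLE)
    print("live detections with an autorun:", linked)
    for path, det in orphans:
        print("delete manually:", path, "->", det)
```

On the sample, the two views disagree in exactly the way the thread shows: Kaspersky never flagged braviax.exe, which the helper identified from the HJT O4 lines alone, while the five live Kaspersky hits (launcher.ocx, winivstr.exe, iottem.dll, trashicon.exe, wndsk.dll) have no autorun entry and are the files the helper listed for manual deletion in step 6. The quarantine and restore-point hits are stored copies, which is why the helper's advice is to empty the NAV Quarantine folder rather than treat them as active infections.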
Hello,

Thanks a lot for the reply; it seems you are all very busy....
While I waited I did some things that improved the situation.
I used the Microsoft Windows Malicious Software Removal Tool (Feb. 2008) and it removed something called 'braviax', as you mentioned.
I also used Ad-Aware, which removed things, but I don't remember the names.

Anyhow, I think I'm not clean yet;
I'm still facing the problem of my Explorer windows closing down by themselves.
None of the following programs find anything: Norton, Spybot S&D, Ad-Aware (all updated).

(The net connection had nothing to do with the malware :)).

I'm adding new reports from Kaspersky and HJT.

Again, thanks for the reply!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe
C:\Program Files\Mainconcept\PVR\PvrLauncher.exe
C:\Program Files\Mainconcept\PVR\mcavserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7153 bytes



KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 2:58:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/03/2008
Kaspersky Anti-Virus database records: 591825


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 66592
Number of viruses found 6
Number of infected objects 21
Number of suspicious objects 0
Duration of the scan process 00:27:09

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-01_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\MSHist012008030120080302\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temp\uninst.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\WN7R6W5D\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\041D7EA4.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\09680ED1.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\31BA7C71.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\36A4210A.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\55BB33B1.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cg skipped

C:\Program Files\Norton AntiVirus\Quarantine\571F1429.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5BCB69DE.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\5F603114.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\Program Files\Norton AntiVirus\Quarantine\6FBD130F.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP104\A0010365.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010429.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010752.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0011750.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP108\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\launcher.ocx Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\WINDOWS\Temp\Perflib_Perfdata_640.dat Object is locked skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 
Please follow the directions that I posted; if something is not there when you look for it because you removed it with another tool, pass over that instruction. Let me also suggest that all forums are swamped and we manage to keep it at around four days here; if you do not have the time to wait for assistance, my suggestion would be not to post.

To recap, once the instructions I posted are completed, post only this:
Restart and post the C:\rapport.txt and a new HJT log. Add any comments you think will help.

and I will work from that point. Once I see you intend to continue with this post, I will remove the last posts you made to lessen the confusion.

Thanks...Phil
 
hello,

I tried to do everything you asked, but I had problems....
I couldn't delete the file wndsk.dll. It says that it may be protected or in use...

Another thing that happened is that after I deleted the other 'red' files I couldn't open any program, including ATF-Cleaner, HJT or Explorer. When I try to open a program I get a window that asks me to "choose the program you want to use to open this file with", the name of the file (IEXPLORER.EXE, for example) and a list of the programs on my PC, but I can't open them.

Other than that, I have a new file on my desktop called delself.bat; the file type is MS-DOS Batch File. I don't know what it is....

Here is the report file I made before I deleted the files:

SmitFraudFix v2.299

Scan done at 17:58:01.48, Sun 03/02/2008
Run from D:\…‰˜…‘‰\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ran simchas


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ran simchas\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I hope I didn't delete something too important....

thanks a lot

ransimch.
 
I really don't know, it is not usual for folks who ask for help, to be running other tools in the middle of the fix as you were. I need to see a HJT log, please post one.

Thanks
 
Here are the items I posted in RED for deletion:
winivstr.exe
http://fileinfo.prevx.com/adware/qq0e68105981239-WINI44344963/WINIVSTR.EXE.html

braviax.exe <<< appears you removed this one on your own
http://www.bleepingcomputer.com/startups/braviax-21759.html

launcher.ocx
C:\WINDOWS\Downloaded Program Files\launcher.ocx ------> AdWare.Win32.I2ISolutions.b skipped

winivstr.exe
http://fileinfo.prevx.com/adware/qq0e68105981239-WINI44344963/WINIVSTR.EXE.html

iottem.dll
http://www.fileresearchcenter.com/I/IOTTEM.DLL-12115.html

trashicon.exe
http://www.fileresearchcenter.com/T/TRASHICON.EXE-12118.html

wndsk.dll
http://fileinfo.prevx.com/adware/qq8bb8105764013-WNDS44308174/WNDSK.DLL.html

As you can see they are all malware. Now if you deleted something else I have no way of knowing. Look in the Recycle Bin on the Desktop, it may be there?

Thanks
 
hi,

First I must say that since you answered me I'm doing only what you're asking me to; I know it is important to follow the exact orders.
What I did while waiting for an answer was only because my computer was almost dead - I thought I was going to format it. And I'm a student - I need my computer.
I hope we can start all over again.

So, I deleted only what you told me to and still couldn't open any program. I restored all the files from the recycle bin and as I did it I managed to use programs.

So now all the bad files are back on my computer but I can add an HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:14, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6370 bytes

waiting for further instructions...

thanks,

ransimch.
 
OK, thanks for this HJT log, let me show you something. This log looks clean of malware and it was run at this time:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:14, on 02/03/2008
Could you tell me where you are located that the computer clock would show: 23:45:14? Is there an issue with your computer clock? I am at 04:56 EST in West Florida.

The HJT log you posted first showed this time:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:33, on 28/02/2008

The Kaspersky scan:
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 2:07:54 PM

The information you posted Yesterday, 08:37 in post #3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
is from more than a month ago?

Kaspersky:
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 2:58:39 PM

this HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:14, on 02/03/2008

Shows this item: O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
which is optional removal, see this: http://www.castlecops.com/startuplist-5306.html

and no other malware. Please post a new Kaspersky scan using these settings:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. I need to know exactly what your malware issues are.

If you must store old HJT logs, I suggest you store them where they will not get posted to your topic.

Thanks
 
Hello,
About your question, we are indeed very far from each other; I'm located in the Middle East, that's why our time is so different. My clock is fine.
I didn't remove O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE - for now...

My only problem right now is that my Explorer windows shut down by themselves from time to time. There is no regularity to it; it can happen several times in a row, or once in a while. Anyhow, it is really annoying....

Here is the kaspersky log

KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 4:19:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 546862


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 63558
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:27:19

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Application Data\Babylon\log_file.txt Object is locked skipped

C:\Documents and Settings\ran simchas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ran simchas\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ran simchas\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP105\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP109\A0011984.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP111\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8DF8E9B5-59AD-4947-AFB4-26BABE2A0CF9}.crmlog Object is locked skipped

C:\WINDOWS\RTacDbg.txt Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped

C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

C:\WINDOWS\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\RP111\change.log Object is locked skipped

Scan process completed.

waiting for further instructions...

ransimch
 
Thanks for returning your Scan Results, here is what KOS shows:

C:\WINDOWS\Temp\iottem.dll ------> Trojan-Clicker.Win32.Agent.ss

C:\WINDOWS\trashicon.exe ------> Trojan-Dropper.Win32.Agent.bno

C:\WINDOWS\wndsk.dll ------> Trojan-Clicker.Win32.Agent.ss

I understand you had an issue before when you removed some bad files, so here are tools that can scan these files which I will highlight in red, to assure you they are malware.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Use one or more until you are satisfied. It may be the infections have corrupted a valid Windows file; that being the case, this information will show you how to fix that:
http://dwightblackburn.com/winxp/

Once they have been deleted, empty the Recycle Bin on the Desktop and restart the computer. You have a few infected System Restore files, follow these directions to clean System Restore:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

For your issues with Internet Explorer, I suggest you update to the newest version which will also give you some additional security protection. You can download it at Windows Updates or you can find it here:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Thanks for explaining about the time difference, that covers all but this one:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
is from more than a month ago?

Let me know how it goes, I will post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
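The helper's two recurring tasks in this thread, picking the "Infected:" lines out of a Kaspersky Online Scanner report full of "Object is locked skipped" noise (and separating live files from System Restore copies), and reconciling the KOS date with a HijackThis "Scan saved at" date that the poster explains is DD/MM/YYYY, worked as an added Python script. This is not a tool from the thread or from Kaspersky; the report excerpt and HJT header are constructed from the values posted above, and the hypothetical analyse() function assumes the report was saved as plain text.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the Kaspersky Online Scanner (KOS) reports
# posted in this thread; the restore-point GUID is the one from the thread.
KOS_REPORT = """\
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 2:58:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Scan Statistics
Total number of scanned objects 63558
Number of viruses found 3
Number of infected objects 6
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\System Volume Information\\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\\RP105\\A0010427.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped
C:\\System Volume Information\\_restore{DABC669D-0CE5-4A9B-844A-6A79F718C73C}\\RP109\\A0011984.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped
C:\\WINDOWS\\Downloaded Program Files\\launcher.ocx Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped
C:\\WINDOWS\\Temp\\iottem.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped
C:\\WINDOWS\\trashicon.exe Infected: Trojan-Dropper.Win32.Agent.bno skipped
C:\\WINDOWS\\wndsk.dll Infected: Trojan-Clicker.Win32.Agent.ss skipped

Scan process completed.
"""

# Constructed HijackThis header in the DD/MM/YYYY form the poster explained.
HJT_HEADER = "Scan saved at 15:34:19, on 01/03/2008"

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
COUNT_RE = re.compile(r"^Number of infected objects (?P<n>\d+)$")
HJT_RE = re.compile(r"Scan saved at (?P<t>\d\d:\d\d:\d\d), on (?P<a>\d\d)/(?P<b>\d\d)/(?P<y>\d{4})")
RESTORE_MARKER = "\\system volume information\\_restore"  # compared case-insensitively


def parse_kos_date(line):
    """Parse the KOS header date and check the printed weekday agrees with it."""
    dt = datetime.strptime(line.strip(), "%A, %B %d, %Y %I:%M:%S %p")
    if dt.strftime("%A") != line.split(",", 1)[0].strip():
        raise ValueError("weekday does not match date: " + line)
    return dt


def parse_hjt_timestamp(line, day_first=True):
    """Parse an HJT 'Scan saved at' line. With day_first, 01/03/2008 is 1 March 2008;
    without it, the same text reads as 3 January 2008 (the misreading in the thread)."""
    m = HJT_RE.search(line)
    if m is None:
        raise ValueError("not an HJT header line: " + line)
    a, b, year = int(m.group("a")), int(m.group("b")), int(m.group("y"))
    day, month = (a, b) if day_first else (b, a)
    hour, minute, second = (int(x) for x in m.group("t").split(":"))
    return datetime(year, month, day, hour, minute, second)


def parse_kos_report(text):
    """Return (scan datetime, declared infected count, [(path, name, action)], locked count)."""
    lines = text.splitlines()
    scan_dt = parse_kos_date(lines[1])  # the date is always the second header line
    declared, infected, locked = None, [], 0
    for line in lines:
        count = COUNT_RE.match(line)
        hit = INFECTED_RE.match(line)
        if count:
            declared = int(count.group("n"))
        elif hit:
            infected.append((hit.group("path"), hit.group("name"), hit.group("action")))
        elif LOCKED_RE.match(line):
            locked += 1  # locked system files are scan noise, not detections
    return scan_dt, declared, infected, locked


def triage(infected):
    """Split detections into live files (to be removed) and System Restore copies
    (cleared by purging restore points); also list Kaspersky's 'not-a-virus' riskware class."""
    summary = {"live": [], "restore_points": [], "riskware": []}
    for path, name, _action in infected:
        bucket = "restore_points" if RESTORE_MARKER in path.lower() else "live"
        summary[bucket].append(path)
        if name.startswith("not-a-virus:"):
            summary["riskware"].append(path)
    return summary


def analyse(report_text, hjt_line):
    """Counts, triage buckets, and whether the KOS scan and the HJT log are from the same day."""
    scan_dt, declared, infected, locked = parse_kos_report(report_text)
    result = triage(infected)
    result.update(
        scan_date=scan_dt.date().isoformat(),
        declared=declared,
        found=len(infected),
        counts_agree=(declared == len(infected)),
        locked=locked,
        same_day_as_hjt=(parse_hjt_timestamp(hjt_line).date() == scan_dt.date()),
    )
    return result


if __name__ == "__main__":
    for key, value in analyse(KOS_REPORT, HJT_HEADER).items():
        print(f"{key}: {value}")
```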
 
hello,

I'm having problems.....

I deleted iottem.dll - that's the good part.

But after I deleted trashicon.exe I ran again into the inability to open any programs, like before - so I restored it. I know it's a bad file, but I can't delete it unless I know how to solve the problem of opening programs.

When I try to delete wndsk.dll I get a message:
access is denied. make sure the disc is not full or write-protected and that the file is not currently in use.

I also tried to run the System File Checker utility but I couldn't make it run. I did the registry changes (both of them) as mentioned in Marc Liron's article - but it keeps asking me for the WinXP CD.

About this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34:19, on 01/03/2008
maybe you're just reading it the wrong way - it means March 01, 2008.

Summing it all up, I still have two malware files that we know about and I'm having problems deleting them.

thanks a lot for your efforts :bigthumb:

waiting for your response....

ransimch.
 
OK Ransimch, I think you are right, I was looking at that date wrong:sad:

System File Checker first...what do you mean you could not make it run? That is a Windows tool; it may be the program issue and not being able to run SFC are connected, and a repair of the operating system may be needed?

When you click Start > Run > and then type "sfc /scannow" without the quotes and with a space after the c and the front slash, what happens? You understand if it does run, it takes a while to scan all of your protected files, and if it finds a problem it will look for a file to replace the missing or corrupt one with. If no file is available you will be asked for your Windows CD. This is normal; just insert the CD, the file that is needed is on that CD.

Let's look at this file: C:\WINDOWS\trashicon.exe
Here is the Google: http://www.google.com/search?hl=en&q=trashicon.exe+&btnG=Google+Search
I have not been able to find anything good about that file, but let's have it checked.
Click this link: http://www.bleepingcomputer.com/submit-malware.php
Put this information in the top information box:
http://forums.spybot.info/showthread.php?t=24945
Then "Browse" to that file: C:\WINDOWS\trashicon.exe
Submit this one also: C:\WINDOWS\wndsk.dll
Make sure you give them a contact to send the information to and share it with me in your topic when you receive it.

See this: http://www.google.com/search?hl=en&q=wndsk.dll+&btnG=Google+Search
Not much doubt the file is bad: C:\WINDOWS\wndsk.dll
Windows does not know a bad file from a good file (it probably should) it only knows if the file is in use or not. If it is in use, try looking in Task Manager and if it is there under "Processes", end process on it. You can also use this tool in HJT:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTProcessManager

Another possibility is to use this tool:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
and see if the file can be deleted on reboot.

You can start looking here for answers to the problem:
http://www.google.com/search?hl=en&q=can't+open+Programs&btnG=Google+Search
or here: http://www.kellys-korner-xp.com/xp_tweaks.htm

Keep me posted on your progress.

Thanks...Phil
 
hello phil,
how do you do?

System File Checker first:
I don't have an original CD, and it looks like the CD I have (the CD from which I installed my Windows) is not enough.
As I said I did what the article said including:
Copying the folder i386
And changing the registry (both of them)
I followed the exact orders.
And I still get the message to insert the CD, as the pictures at the article show.

I didn't get an answer about trashicon.exe yet; I'll inform you when I do.

Wndsk.dll - I can't find it under Processes in Task Manager.
I failed to delete it with both HJT tools - it seems very stubborn.
The message I get (when I try to delete it just by clicking delete):
“Cannot delete wndsk: access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.”

thanks a LOT.

ransimch.
 
hello,

I went into safe mode and succeeded in deleting wndsk.dll; I even deleted it from the Recycle Bin. I rebooted again into regular mode and guess what????
It came back, it's still here.....

I'm getting desperate.....

And there is still, of course, the trashicon.exe problem.

In the meantime I must inform you that I am getting, from time to time, a message from Norton about viruses that are automatically deleted: kumm.exe, qkksf.exe, trayex.exe, ens.exe.

I still didn't get an answer about trashicon.exe, though I wrote my email.

thanks
 
Something really strange happened right now:
A Notepad window opened up - file name: Untitled.
And it starts writing to me:
helo' i'm keeping my eye on you:)
what the hell is it?????
 
This is always an option for you:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

what the hell is it?????
<<< it does not take even a smart hacker to add a script like this to the infection.

If you wish to continue trying to clean the junk, let's start by checking for a rootkit infection:

Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!

Let's have ComboFix take a look also; delete any old copies of ComboFix you may have onboard.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and the log from the BlackLight scan.

Thanks
 
hello phil....

If you think there are still things to do, as you wrote, I'll try to do it and get cleaned.

So here is what you asked for:
(I'll just note that Norton made it hard on me completing the ComboFix check, but I managed.)

03/06/08 19:21:52 [Info]: BlackLight Engine 1.0.67 initialized
03/06/08 19:21:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/06/08 19:21:52 [Note]: 7019 4
03/06/08 19:21:52 [Note]: 7005 0
03/06/08 19:22:08 [Note]: 7006 0
03/06/08 19:22:08 [Note]: 7022 0
03/06/08 19:22:08 [Note]: 7011 888
03/06/08 19:22:08 [Note]: 7026 0
03/06/08 19:22:08 [Note]: 7026 0
03/06/08 19:22:09 [Note]: FSRAW library version 1.7.1024
03/06/08 19:24:12 [Note]: 7007 0
___________________________________________________

ComboFix 08-03-05.3 - ran simchas 03/06/2008 19:47:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.646 [GMT 2:00]
Running from: C:\Documents and Settings\ran simchas\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\#SharedObjects\39VSC5N8\iforex.com
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\#SharedObjects\39VSC5N8\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\ran simchas\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\~.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm




((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 17:18 916,072 ----a-w C:\fsbl.exe
2008-03-06 16:18 32,256 ----a-w C:\WINDOWS\wndsk.dll
2008-03-06 09:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 21:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-29 21:48 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-28 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 21:07 --------- d-----w C:\Program Files\Lavasoft
2008-02-28 21:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 12:39 --------- d-----w C:\Program Files\Trend Micro
2008-02-28 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-28 10:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 10:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 09:32 --------- d-----w C:\Program Files\SnapStream Media
2008-02-28 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SnapStream
2008-02-27 00:33 --------- d-----w C:\Program Files\ATI Multimedia
2008-02-26 22:20 19,789 ----a-w C:\WINDOWS\tumopyhyg.bat
2008-02-26 22:20 18,255 ----a-w C:\WINDOWS\zekogu.com
2008-02-26 22:20 17,660 ----a-w C:\WINDOWS\system32\azoxyvozam.scr
2008-02-26 22:20 15,963 ----a-w C:\WINDOWS\ronifuq.bat
2008-02-26 22:20 14,509 ----a-w C:\Program Files\Common Files\wekadakiba.inf
2008-02-26 22:20 13,612 ----a-w C:\Documents and Settings\All Users\Application Data\cibiky.dll
2008-02-26 22:20 11,982 ----a-w C:\Program Files\Common Files\esicurox.db
2008-02-26 22:20 11,788 ----a-w C:\WINDOWS\tyqyxix.sys
2008-02-26 22:20 10,545 ----a-w C:\Program Files\Common Files\ezoroqowut.inf
2008-02-26 20:55 68,096 ----a-w C:\WINDOWS\trashicon.exe
2008-02-26 09:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-26 08:33 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-26 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-02-23 14:22 --------- d-----w C:\Program Files\NewSoft
2008-02-23 14:22 --------- d-----w C:\Program Files\EMUSB2.0
2008-02-23 14:22 --------- d-----w C:\Program Files\eMPIA
2008-02-23 14:22 --------- d-----w C:\Program Files\Common Files\newsoft
2008-02-23 14:14 --------- d-----w C:\Program Files\Mainconcept
2008-02-23 14:12 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-23 14:12 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\AVSMedia
2008-02-23 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-23 14:11 --------- d-----w C:\Program Files\AVSMedia
2008-02-17 17:10 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\Audacity
2008-02-17 17:00 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-13 14:55 --------- d-----w C:\Program Files\Mv2Player
2008-01-28 10:03 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\SecondLife
2008-01-26 22:04 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\Babylon
2008-01-25 21:45 46,288 ----a-w C:\Documents and Settings\ran simchas\Application Data\GDIPFONTCACHEV1.DAT
2008-01-16 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-16 22:18 --------- d-----w C:\Documents and Settings\ran simchas\Application Data\Apple Computer
2008-01-16 22:14 --------- d-----w C:\Program Files\QuickTime
2008-01-16 21:48 --------- d-----w C:\Program Files\iTunes
2008-01-16 20:40 --------- d-----w C:\Program Files\iPod
2008-01-16 20:39 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-16 20:39 --------- d-----w C:\Program Files\Apple Software Update
2008-01-16 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 17:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-15 20:33 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-13 22:45 --------- d-----w C:\Program Files\i2i Internet Solutions
2007-12-14 09:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 19:24 558,142 ----a-w C:\WINDOWS\java\Packages\A1JPBBBX.ZIP
2007-12-11 19:24 155,995 ----a-w C:\WINDOWS\java\Packages\YX39FR17.ZIP
2007-12-11 16:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:07 AM 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/17/2008 11:42 AM 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [12/11/2007 05:25 PM 100056]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [10/02/2007 12:18 PM 2165256]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/05/2007 07:59 AM 8491008]
"nwiz"="nwiz.exe" [10/05/2007 07:59 AM 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/05/2007 07:59 AM 81920]
"RTHDCPL"="RTHDCPL.EXE" [06/13/2007 08:49 AM 16377344 C:\WINDOWS\RTHDCPL.exe]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [03/31/2004 03:23 PM 823296]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 10:56 AM 286720]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [05/24/2006 05:39 PM 2655272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:07 AM 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
11g Wireless LAN Utility.lnk - C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe [2007-12-11 23:10:35 712704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
PVR Launcher.lnk - C:\Program Files\Mainconcept\PVR\PvrLauncher.exe [2008-02-23 16:14:02 69632]
UPnP AV Server.lnk - C:\Program Files\Mainconcept\PVR\mcavserv.exe [2008-02-23 16:14:01 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [05/13/2005 03:07 PM]
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [02/01/2005 05:30 PM]
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [02/01/2005 05:30 PM]
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys [05/13/2005 03:07 PM]
R3 RTLWUSB;11g Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [07/04/2006 02:10 AM]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 20:30:34 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - ran simchas.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 19:48:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINDOWS\system32\nl_msgc.dll
.
Completion time: 03/06/2008 19:48:37
ComboFix-quarantined-files.txt 2008-03-06 17:48:35

___________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:43, on 06/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LevelOne\11g Wireless LAN\WLanUtility.exe
C:\Program Files\Mainconcept\PVR\PvrLauncher.exe
C:\Program Files\Mainconcept\PVR\mcavserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/remote.pac
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: 11g Wireless LAN Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PVR Launcher.lnk = ?
O4 - Global Startup: UPnP AV Server.lnk = C:\Program Files\Mainconcept\PVR\mcavserv.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1BB8531-18CA-407E-99E6-6DDCC293D840}: NameServer = 192.168.123.254
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7286 bytes
___________________________________________________


thank you

ransimch.
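As an added example (not part of the thread, and not a tool anyone here used), here is a small Python triage script that applies two checks a helper would otherwise make by eye on a ComboFix log like the one above: a burst of executable files created in the same minute under C:\WINDOWS (the 2008-02-26 22:20 group of randomly named .bat/.com/.scr/.sys files), and Security Center / firewall registry values that have been switched off. The sample lines are copied from the log posted above; the function names and thresholds are my own and are not a ComboFix feature.

```python
import re
from collections import defaultdict

# Sample "Find3M Report" lines copied from the ComboFix log in the thread.
SAMPLE_FIND3M = r"""
2008-03-06 17:18 916,072 ----a-w C:\fsbl.exe
2008-03-06 16:18 32,256 ----a-w C:\WINDOWS\wndsk.dll
2008-02-28 21:07 --------- d-----w C:\Program Files\Lavasoft
2008-02-26 22:20 19,789 ----a-w C:\WINDOWS\tumopyhyg.bat
2008-02-26 22:20 18,255 ----a-w C:\WINDOWS\zekogu.com
2008-02-26 22:20 17,660 ----a-w C:\WINDOWS\system32\azoxyvozam.scr
2008-02-26 22:20 15,963 ----a-w C:\WINDOWS\ronifuq.bat
2008-02-26 22:20 11,788 ----a-w C:\WINDOWS\tyqyxix.sys
2008-02-26 20:55 68,096 ----a-w C:\WINDOWS\trashicon.exe
""".splitlines()

# Sample "Reg Loading Points" lines copied from the same log.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".splitlines()

# date, time, size (or dashes for a directory), attribute flags, full path
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# "Name"=dword:00000001  or  "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9A-Fa-f]+)|(\d+))')


def parse_find3m(lines):
    """Turn Find3M report lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append({"date": date, "time": time, "size": size,
                            "attrs": attrs, "path": path})
    return entries


def burst_clusters(entries, min_count=3):
    """Return {'YYYY-MM-DD HH:MM': [paths]} for minutes in which at least
    min_count files (directories excluded) were created. A dropper writing
    several oddly named files at once shows up as one such cluster."""
    by_minute = defaultdict(list)
    for e in entries:
        if e["attrs"].startswith("d"):  # 'd' flag marks a directory
            continue
        by_minute[f'{e["date"]} {e["time"]}'].append(e["path"])
    return {ts: paths for ts, paths in by_minute.items() if len(paths) >= min_count}


def security_center_findings(lines):
    """List (registry key, value name, note) for values that silence Security
    Center or turn the firewall off. A third-party suite can set some of these
    legitimately, so each hit is something to confirm, not proof of infection."""
    findings, key = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1)
        value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
        if name.endswith("DisableNotify") and value == 1:
            findings.append((key, name, "Security Center alert suppressed"))
        elif name == "DisableMonitoring" and value == 1:
            findings.append((key, name, "Security Center monitoring of this product disabled"))
        elif name == "EnableFirewall" and value == 0:
            findings.append((key, name, "Windows Firewall turned off for this profile"))
    return findings


if __name__ == "__main__":
    for ts, paths in burst_clusters(parse_find3m(SAMPLE_FIND3M)).items():
        print(f"{len(paths)} files created at {ts}:", *paths, sep="\n  ")
    for key, name, note in security_center_findings(SAMPLE_REG):
        print(f"[{key}] {name}: {note}")
```

Run against a full log, the burst check is what isolates the five 22:20 drops from the legitimate installs around them, and the registry check explains why no Security Center balloon ever warned that Norton had been switched off.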
 