WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

"cpu Usage" Jumping

Started by dsol , Apr 12 2007 11:50 AM

This topic is locked

10 replies to this topic

#1 dsol

New Member

New Member
5 posts

Posted 12 April 2007 - 11:50 AM

hey :-] i hade a torjan\virus today (ntos.exe) and removed it ( i used this http://forums.tomcoy...ugs_t72638.html ) a faw hour later my "CPU Usage" start jumping (see picture)

Posted Image

and it just wont stop !

what can i do ?

here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:18 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40CC0D15-A0FB-4AA3-892C-5FEDAEA7879C}: NameServer = 192.115.106.35 62.219.186.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{40CC0D15-A0FB-4AA3-892C-5FEDAEA7879C}: NameServer = 192.115.106.35 62.219.186.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - Unknown owner - D:\Program Files\z2 Remote2PC\R2PCServ.exe" -service (file missing)

Advertisements

Register to Remove

#2 Rosty

SWI helper

Visiting Fellow
413 posts

Posted 12 April 2007 - 12:19 PM

Hi dsol,
welcome to TomCoyote forum.
My name is Rosty and I'm going to help you with your log.

I'm afraid that I have some bad news concerning your computer - you have become infected with Backdoor.Win32.Bifrose.aat and the W32/Zasran-D worm!
Here is a quick type description of this infection:

Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.

And a quick catogory description:

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.It's stealing ones info, files, passwords, online accounts etc a breeze.
Aquick discription of the W32/Zasran-D worm:

W32/Zasran-D is a mass mailing worm with backdoor functionality for the Windows platform.

W32/Zasran-D runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

W32/Zasran-D is capable of spreading through email. Email sent by W32/Zasran-D has the following properties:

Subject line chosen from:
Ficke meine Brust!
Geld
Geld von Postbank
Geldueberweisungen
Gewonnen? GeWONNEN!
Guten Tag
Hallo!
Hier sind ihre WM Tickets!
Holen sie jetzt ihre WM Tickets ab!
Holen sie sich WM Tickets fuer das Finalle JETZT!
Ich bin dauergeill warum?
Ich hab die neuen Fotos Fertig!
Ich hab ihr Geld.
Ich habe Geld von ihren Postbank Konto bekommen
and much more!!!!!!!

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection is been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Regards,

Rosty.

Edited by Rosty, 12 April 2007 - 12:25 PM.
fixed a tag

Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!

#3 dsol

New Member

New Member
5 posts

Posted 12 April 2007 - 12:51 PM

hey Rosty tnx for the fast reply :-] i have a home network (my pc and my sister pc) is it possible that i got infected by her from the home network ? or if it's some site\program i download... do i need to chack on her pc for something, to see if the other pc got infected to ? and i can format the 2 pc's... but only as last result, so i would like to clean it if possible and one more thing... i have partition on my hard drive, when i format... i most format all the partition ? or only the OS driver is ok ?

#4 Rosty

SWI helper

Visiting Fellow
413 posts

Posted 13 April 2007 - 07:44 AM

Hi dsol,

do i need to chack on her pc for something, to see if the other pc got infected to ?

yes, please do!!

i have partition on my hard drive, when i format... i most format all the partition ?

The only partition I see in your log is your C-drive, so you only should have to format your c-drive.

Lets clean this up.

Download and install AVG Anti-Spyware v7.5.

After download, double click on the file to launch the install process.
Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)Do not use it yet.

Please open HijackThis, click do a scan only and place a check next to the following entries:

O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

Please close all other Windows and browsers,except HijackThis and click Fix Checked. Exit Hijackthis.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

Please delete these files using Windows Explorer(if present):
C:\WINDOWS\system32\mszsrn32.dll
C:\WINDOWS\system32\rpcc.dll

Now run ATF cleaner.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now scan with AVG-Antipyware.
Scan with AVG Anti-Spyware as follows:

Click on the "Scanner" button and choose the "Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings.
Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
Click the "Scan" tab to return to scanning options.
Click "Complete System Scan" to start.
When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.

Please post the log from AVG-AntiSpyware and a new HijackThis log in your next reply.

Regards,

Rosty.

Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!

#5 dsol

New Member

New Member
5 posts

Posted 14 April 2007 - 04:04 AM

here :

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:55:14 PM 4/14/2007

+ Scan result:

C:\WINDOWS\Downloaded Program Files\launcher.ocx -> Adware.I2ISolutions : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{C9E254D2-4488-48A2-896B-6292C9C17000}\RP267\A0133210.exe -> Proxy.Horst.xs : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
:mozilla.400:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.401:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.66:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
E:\100\Administrator\Cookies\administrator@adrenaline[1].txt -> TrackingCookie.Adrenaline : Cleaned.
E:\100\dsol\Cookies\administrator@adrenaline[1].txt -> TrackingCookie.Adrenaline : Cleaned.
:mozilla.48:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.503:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Billboard : Cleaned.
:mozilla.51:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Castup : Cleaned.
E:\100\נאור\Cookies\נאור@counter.cnw[2].txt -> TrackingCookie.Cnw : Cleaned.
E:\RECYCLER\S-1-5-21-861567501-1035525444-839522115-1003\De1\נאור\Cookies\נאור@counter.cnw[2].txt -> TrackingCookie.Cnw : Cleaned.
:mozilla.346:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.49:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
E:\100\dsol\Cookies\dsol@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
E:\100\dsol\Cookies\dsol@charon.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
E:\100\dsol\Cookies\dsol@gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.695:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Gemius : Cleaned.
:mozilla.696:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Gemius : Cleaned.
E:\100\dsol\Cookies\dsol@hit.gemius[1].txt -> TrackingCookie.Gemius : Cleaned.
E:\100\נאור\Cookies\נאור@hit.gemius[2].txt -> TrackingCookie.Gemius : Cleaned.
E:\RECYCLER\S-1-5-21-861567501-1035525444-839522115-1003\De1\נאור\Cookies\נאור@hit.gemius[2].txt -> TrackingCookie.Gemius : Cleaned.
E:\100\dsol\Cookies\dsol@idot[1].txt -> TrackingCookie.Idot : Cleaned.
:mozilla.64:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.65:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.399:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.481:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.483:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.484:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.485:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
E:\100\dsol\Cookies\dsol@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
E:\100\לילך.DSOL-PC\Cookies\לילך@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
E:\100\נאור\Cookies\נאור@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
E:\RECYCLER\S-1-5-21-861567501-1035525444-839522115-1003\De1\לילך.DSOL-PC\Cookies\לילך@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
E:\RECYCLER\S-1-5-21-861567501-1035525444-839522115-1003\De1\נאור\Cookies\נאור@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
E:\100\dsol\Cookies\dsol@navrcholu[2].txt -> TrackingCookie.Navrcholu : Cleaned.
E:\100\נאור\Cookies\נאור@navrcholu[2].txt -> TrackingCookie.Navrcholu : Cleaned.
E:\RECYCLER\S-1-5-21-861567501-1035525444-839522115-1003\De1\נאור\Cookies\נאור@navrcholu[2].txt -> TrackingCookie.Navrcholu : Cleaned.
:mozilla.459:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.462:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.463:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.499:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.227:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
E:\100\dsol\Cookies\dsol@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.358:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Real : Cleaned.
:mozilla.359:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Real : Cleaned.
:mozilla.466:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Real : Cleaned.
:mozilla.433:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.434:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.376:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.698:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.350:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.352:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.340:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Toplist : Cleaned.
E:\100\dsol\Cookies\dsol@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
E:\100\נאור\Cookies\נאור@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
E:\RECYCLER\S-1-5-21-861567501-1035525444-839522115-1003\De1\נאור\Cookies\נאור@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
:mozilla.43:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Total-media : Cleaned.
:mozilla.604:C:\Documents and Settings\dsol\Application Data\Mozilla\Firefox\Profiles\p0ite306.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
E:\100\Administrator\Cookies\administrator@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
E:\100\dsol\Cookies\administrator@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
E:\100\dsol\Cookies\dsol@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 12:58:50 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{40CC0D15-A0FB-4AA3-892C-5FEDAEA7879C}: NameServer = 62.219.186.7 192.115.106.35
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - Unknown owner - D:\Program Files\z2 Remote2PC\R2PCServ.exe" -service (file missing)

my pc is clean ?

edit:

this is the log from my sister pc (you said i need to chack it)

Logfile of HijackThis v1.99.1
Scan saved at 1:32:10 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: ??÷? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\icq\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\icq\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

Edited by dsol, 14 April 2007 - 04:40 AM.

#6 Rosty

SWI helper

Visiting Fellow
413 posts

Posted 15 April 2007 - 02:03 AM

Hi dsol,

I have a question for you.
Do you know this:

BEZEQINT HOSTMASTERS TEAM
Bezeq International
40 hashacham st.
Petach Tikva 49170 Israel
+972 1 800014014
+972 3 9257674
hostmaster@bezeqint.net

Please let me know?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) 6 Update 1 and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Otherwise your PC looks clean.
How are things running?
Please post a new HijackThis log.

For you sisters PC.
Can you please do a scan with AVG-AntiSpyware. Use the instructions that I give you before.
Please post the log from AVG -AntiSpyware and a new HijackThios log.

Regards,

Rosty.

Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!

#7 dsol

New Member

New Member
5 posts

Posted 15 April 2007 - 06:39 AM

1. yes i know what this is

BEZEQINT HOSTMASTERS TEAM
Bezeq International
40 hashacham st.
Petach Tikva 49170 Israel
+972 1 800014014
+972 3 9257674
hostmaster@bezeqint.net

this is my internet provider info

2. my pc is runing very good ! tnx !

and here is a frash hjt log for my pc:

Logfile of HijackThis v1.99.1
Scan saved at 3:30:23 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webteh\BSplayerPro\bsplayer.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40CC0D15-A0FB-4AA3-892C-5FEDAEA7879C}: NameServer = 192.115.106.35 62.219.186.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{40CC0D15-A0FB-4AA3-892C-5FEDAEA7879C}: NameServer = 192.115.106.35 62.219.186.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: z2 Remote2PC Server (z2 R2PC Server) - Unknown owner - D:\Program Files\z2 Remote2PC\R2PCServ.exe" -service (file missing)

3. log's from my sister pc: (her pc is very very very slow ! un the task mannager it's show that the "CPU Usage" is all the time on 98%-100% not less....)

hjt:

Logfile of HijackThis v1.99.1
Scan saved at 3:24:07 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: ??÷? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\icq\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\icq\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

avg:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:54:51 PM 4/15/2007

+ Scan result:

C:\Documents and Settings\dsol\Cookies\dsol@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@msnisrael.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@castup[1].txt -> TrackingCookie.Castup : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@castup[1].txt -> TrackingCookie.Castup : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@switch5.castup[2].txt -> TrackingCookie.Castup : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@hit.gemius[1].txt -> TrackingCookie.Gemius : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@hit.gemius[2].txt -> TrackingCookie.Gemius : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@counter12.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@counter15.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@counter16.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@counter3.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@a.total-media[1].txt -> TrackingCookie.Total-media : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@a.total-media[1].txt -> TrackingCookie.Total-media : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\dsol\Cookies\dsol@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned.
C:\Documents and Settings\לילך\Cookies\לילך@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{D0787A88-2A1E-42BC-BFCB-23FF340F11AC}\RP74\A0032874.dll -> Worm.Warezov.lz : Cleaned with backup (quarantined).

::Report end

#8 Rosty

SWI helper

Visiting Fellow
413 posts

Posted 15 April 2007 - 01:51 PM

Hi dsol,

Your log looks clean. :thumbup:

Do you have any problems?
Please let me know.

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide.

Now, for your sisters PC:

Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile and a new HijackThis log for me to see.

Regards,

Rosty.

Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!

#9 dsol

New Member

New Member
5 posts

Posted 16 April 2007 - 01:57 AM

i "Disable and Enable System Restore" :-]

and herer is the logs for my sister

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\icq\ICQLiteShell.dll" [empty string]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\icq\ICQLiteShell.dll" [empty string]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\icq\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "&Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&****" (unwritable string)
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "מחקר"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\icq\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 77 seconds.
---------- (total run time: 168 seconds)

Logfile of HijackThis v1.99.1
Scan saved at 10:49:40 AM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.parpar.org.il/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: ??÷? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\icq\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\icq\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

#10 Rosty

SWI helper

Visiting Fellow
413 posts

Posted 16 April 2007 - 08:40 AM

Hi dsol,

I don't see any malware present in your sisters log. But lets be sure:

You should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web and a new HijackThis log in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Regards,

Rosty.

Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!

#11 Rosty

SWI helper

Visiting Fellow
413 posts

Posted 07 May 2007 - 03:48 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!

Body Background

skin color theme