Hijackthis log at my work internet terminal

hibob · 07-09-2006, 12:30 PM

This computer is so ****** up, I don't even know where to begin...

here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 20:54:10, on 09/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\htryosh\LOCALS~1\Temp\Rar$EX02.047\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com/
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\fp4o03h3e.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Vikesrock8411 · 07-10-2006, 03:53 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please follow these instructions to redownload Hijackthis and install it to a permanent folder:

* Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Downloads(make sure to save these in a permanent location)
combofix.exe-Save it to your Desktop, we will need this later.
smitRem.exe - Run it and extract it to it's own folder on the Desktop.

Ewido Anti-Malware

Install Ewido Anti-Malware
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Windows\System32\doser.exe
C:\Windows\System32\ssldr32.dll
htproc.dll<<<Find via Start>Search

Tools
Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

Reboot your system in Normal Mode.

Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

Smitrem.txt
Ewido Log
Combofix Log
Panda Activescan Log
A new Hijackthis! Log

hibob · 07-16-2006, 11:59 AM

First of all, the new Hijackthis! log:

Logfile of HijackThis v1.99.1
Scan saved at 11:47:29, on 16/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 6.01
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com/
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\fp4o03h3e.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

*******************************************************

Now the Ewido log.
I tried to run Ewido in safe mode a few times and it wouldn't run, so I had to reboot in regular mode to run it.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:02:23 16/07/2006

+ Scan result:

C:\WINNT\system32\CYUTIL_S.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\VMAME.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\acptif.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\dcfolder.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\dnn4015qe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\fn4021hmg.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\fp4403hqe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\gpl4l33q1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\ijm32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\izign32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\kfdfc.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\kjddv.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\mvp2l97o1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\n2r2lc9o1f.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\n6n6lg5s16.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\o4role931h.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\obedlg.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\ovfox32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\strrun.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\uul.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\wwnsmon.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1276] C:\WINNT\system32\dcfolder.dll -> Adware.Look2Me : Error during cleaning.
[868] C:\WINNT\system32\guard.tmp -> Adware.Look2Me : Error during cleaning.
C:\Documents and Settings\Administrator\Local Settings\Temp\GLB8E.tmp/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINNT\system32\explorer.exe -> Backdoor.Agent.tw : Cleaned with backup (quarantined).
C:\WINNT\system32\mskbd.dll -> Backdoor.Agent.tw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\81.tmp -> Downloader.Small.cgy : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@msnisrael.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@creative.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[5].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[6].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[8].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\dk.dial -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\WINNT\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\WINNT\system32\paradise.raw.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

********************************************************

Next comes smitRem, which I accidentally ran twice, so here's the second log since it overwrote the first one...

smitRem © log file
version 3.1

by noahdfear

Microsoft Windows 2000 [Version 5.00.2195]
"IE"="6.0000"
The current date is: Sun 07/16/2006
The current time is: 19:01:03.76

Running from
C:\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

checking for drsmartload2 key

drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Trust Cleaner Fix © by noahdfear

Starting Trust Cleaner uninstaller

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 384 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

********************************************************

I didn't find the Desktop tab in the display settings window. I think it's because I have windows 200 and not XP. (This is my work terminal)

now, combofix:

Start Time= Sun 07/16/2006 19:11:00.48
Running from: C:\Documents and Settings\htryosh\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}]
@=""

[HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINNT\SYSTEM32\hrj0051me.dll

Granting sedebugprivilege to Administrators ... successful

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-07-16 13:47:14 ( AD... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-16 11:46:36 ( .D... ) "C:\Program Files\Hijackthis"
2006-01-05 11:57:12 21952 ( ...H. ) "C:\Program Files\folder.htt"
2006-01-05 11:57:12 271 ( ...H. ) "C:\Program Files\desktop.ini"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,b0,00,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder

Completion time: Sun 07/16/2006 19:15:58.56
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

********************************************************

next comes panda:

Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@adopt.hbmediapro[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@dist.belnk[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@errorsafe[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@go[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@rn11[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@searchportal.information[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\htryosh\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINNT\uniq
********************************************************

Last but not least is a second Hijackthis! log after completing all the steps:

Logfile of HijackThis v1.99.1
Scan saved at 20:31:53, on 16/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by6.01
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

*********************************************************

Thanks!!

Vikesrock8411 · 07-16-2006, 06:16 PM

Go to Start > Run
Type:

regedit

Click OK.

On the leftside, click to highlight My Computer at the top.
Go up to "File > Export"
- Make sure in that window there is a tick next to "All" under Export Branch.
  Leave the "Save As Type" as "Registration Files".
  Under "Filename" put backup
Choose to save it to C:\
Click save and then go to File > Exit.

This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Open Notepad and copy and paste everything from the box below.

Code:

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=-

Click on File, Save it to your desktop, in file name save as
internat.reg
click OK.

Next go to your desktop and double click on internat.reg, allow it to merge to the registry. It should give you a prompt "sucessfully merged".

Delete this folder:
C:\WINNT\uniq

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
Please remember to close all other windows, including browsers then click Fix checked.

Post a new HIjackthis log and let me know of any remaining issues with the system.

hibob · 07-16-2006, 11:38 PM

Here we are, the last HJT log. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 08:09:50, on 17/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by דפדפן צה"לנט גירסה 6.01
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.znet.idf/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Vikesrock8411 · 07-16-2006, 11:46 PM

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

hibob · 09-16-2006, 05:55 PM

Everything looks fine so-far.
Thanks.

07-09-2006, 12:30 PM	#1 (permalink)
hibob Registered User Join Date: Jan 2005 Location: Israel Posts: 34 OS: WinXP	Hijackthis log at my work internet terminal This computer is so ****** up, I don't even know where to begin... here's the log: Logfile of HijackThis v1.99.1 Scan saved at 20:54:10, on 09/07/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000) Running processes: C:\WINNT\system32\MsgSys.EXE C:\WINNT\Explorer.EXE C:\Program Files\NavNT\vptray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\htryosh\LOCALS~1\Temp\Rar$EX02.047\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://www.google.com/ O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: htproc - htproc32.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing) O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\fp4o03h3e.dll O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file) O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe Last edited by hibob; 07-09-2006 at 12:34 PM.

07-10-2006, 03:53 PM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please follow these instructions to redownload Hijackthis and install it to a permanent folder: * Click here to download HJTsetup.exe Save HJTsetup.exe to your desktop. Doubleclick on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This. Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue. Put a check by Create a desktop icon then click Next again. Continue to follow the rest of the prompts from there. At the final dialogue box click Finish and it will launch Hijack This. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Come back here to this thread and Paste the log in your next reply. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Downloads(make sure to save these in a permanent location) combofix.exe-Save it to your Desktop, we will need this later. smitRem.exe - Run it and extract it to it's own folder on the Desktop. Ewido Anti-Malware Install Ewido Anti-Malware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. I also recommend changing the "Update interval" to something more reasonable like 12 hours. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Next, please reboot your computer in SafeMode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html O20 - Winlogon Notify: htproc - htproc32.dll (file missing) O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing) O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file) Please remember to close all other windows, including browsers then click Fix checked. File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Windows\System32\doser.exe C:\Windows\System32\ssldr32.dll htproc.dll<<<Find via Start>Search Tools Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine Then click Apply all actions Once finished, click the Save report button, then click Save Report As and save it to your desktop. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. Reboot your system in Normal Mode. Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: Smitrem.txt Ewido Log Combofix Log Panda Activescan Log A new Hijackthis! Log __________________

07-16-2006, 11:59 AM	#3 (permalink)
hibob Registered User Join Date: Jan 2005 Location: Israel Posts: 34 OS: WinXP	Oh, the many many logs... First of all, the new Hijackthis! log: Logfile of HijackThis v1.99.1 Scan saved at 11:47:29, on 16/07/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\NavNT\defwatch.exe C:\WINNT\System32\svchost.exe C:\Program Files\NavNT\rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\MsgSys.EXE C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\NavNT\vptray.exe C:\WINNT\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 6.01 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://www.google.com/ O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: htproc - htproc32.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing) O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\fp4o03h3e.dll O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file) O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe ***************************************************** Now the Ewido log. I tried to run Ewido in safe mode a few times and it wouldn't run, so I had to reboot in regular mode to run it. --------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 15:02:23 16/07/2006 + Scan result: C:\WINNT\system32\CYUTIL_S.DLL -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\VMAME.DLL -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\acptif.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\dcfolder.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\dnn4015qe.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\fn4021hmg.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\fp4403hqe.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\gpl4l33q1.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\ijm32.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\izign32.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\kfdfc.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\kjddv.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\mvp2l97o1.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\n2r2lc9o1f.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\n6n6lg5s16.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\o4role931h.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\obedlg.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\ovfox32.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\strrun.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\uul.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\WINNT\system32\wwnsmon.dll -> Adware.Look2Me : Cleaned with backup (quarantined). [1276] C:\WINNT\system32\dcfolder.dll -> Adware.Look2Me : Error during cleaning. [868] C:\WINNT\system32\guard.tmp -> Adware.Look2Me : Error during cleaning. C:\Documents and Settings\Administrator\Local Settings\Temp\GLB8E.tmp/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined). C:\WINNT\system32\explorer.exe -> Backdoor.Agent.tw : Cleaned with backup (quarantined). C:\WINNT\system32\mskbd.dll -> Backdoor.Agent.tw : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\81.tmp -> Downloader.Small.cgy : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@msnisrael.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@creative.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[5].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[6].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\htryosh\Cookies\htryosh@ad.yieldmanager[8].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\Administrator\Local Settings\Temp\dk.dial -> Trojan.Dialer.ay : Cleaned with backup (quarantined). C:\WINNT\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined). C:\WINNT\system32\paradise.raw.exe -> Trojan.Small : Cleaned with backup (quarantined). ::Report end **************************************************** Next comes smitRem, which I accidentally ran twice, so here's the second log since it overwrote the first one... smitRem © log file version 3.1 by noahdfear Microsoft Windows 2000 [Version 5.00.2195] "IE"="6.0000" The current date is: Sun 07/16/2006 The current time is: 19:01:03.76 Running from C:\smitRem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run SharedTask Export (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! checking for drsmartload2 key drsmartload2 key not present! spyaxe uninstaller NOT present Winhound uninstaller NOT present SpywareStrike uninstaller NOT present AlfaCleaner uninstaller NOT present SpyFalcon uninstaller NOT present SpywareQuake uninstaller NOT present SpywareSheriff uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trust Cleaner Fix © by noahdfear Starting Trust Cleaner uninstaller ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 384 'explorer.exe' Starting registry repairs Registry repairs complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SharedTask Export after registry fix (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Deleting files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN! :) ****************************************************** I didn't find the Desktop tab in the display settings window. I think it's because I have windows 200 and not XP. (This is my work terminal) now, combofix: Start Time= Sun 07/16/2006 19:11:00.48 Running from: C:\Documents and Settings\htryosh\Desktop ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * REGISTRY ENTRIES REMOVED: [HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}] @="" [HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\clsid\{7B5CDDD6-A0BF-4572-BCD5-96CCD006FD5B}\InprocServer32] @="C:\\WINNT\\system32\\guard.tmp" "ThreadingModel"="Apartment" * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * FILES REMOVED: C:\WINNT\SYSTEM32\hrj0051me.dll Granting sedebugprivilege to Administrators ... successful (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-07-16 13:47:14 ( AD... ) "C:\Program Files\ewido anti-spyware 4.0" 2006-07-16 11:46:36 ( .D... ) "C:\Program Files\Hijackthis" 2006-01-05 11:57:12 21952 ( ...H. ) "C:\Program Files\folder.htt" 2006-01-05 11:57:12 271 ( ...H. ) "C:\Program Files\desktop.ini" (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days ))))))))))))))))))))))))))))))))))))))))))) (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "vptray"="C:\\Program Files\\NavNT\\vptray.exe" "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex] "flags"=dword:00000008 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=dword:00000000 "DisableRegistryTools"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000003 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,b0,00,00,00,1f,00,00,00,80,00,00,00,76,00,\ 00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "internat.exe"="internat.exe" [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "^SetupICWDesktop"="" [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000095 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" Contents of the 'Scheduled Tasks' folder Completion time: Sun 07/16/2006 19:15:58.56 ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt ****************************************************** next comes panda: Incident Status Location Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@adopt.hbmediapro[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@atwola[2].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@azjmp[2].txt Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@banner[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@belnk[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@dist.belnk[2].txt Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@errorsafe[2].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@go[2].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@rn11[1].txt Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@searchportal.information[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\htryosh\Cookies\htryosh@xiti[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\htryosh\Desktop\smitRem.exe[smitRem/Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe Adware:adware/cws.searchmeup Not disinfected C:\WINNT\uniq **************************************************** Last but not least is a second Hijackthis! log after completing all the steps: Logfile of HijackThis v1.99.1 Scan saved at 20:31:53, on 16/07/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\NavNT\defwatch.exe C:\WINNT\System32\svchost.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\NavNT\rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\MsgSys.EXE C:\Program Files\NavNT\vptray.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\WINNT\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by6.01 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://www.google.com/ O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe ***************************************************** Thanks!!**

07-16-2006, 06:16 PM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Go to Start > Run Type: regedit Click OK. On the leftside, click to highlight My Computer at the top. Go up to "File > Export" Make sure in that window there is a tick next to "All" under Export Branch. Leave the "Save As Type" as "Registration Files". Under "Filename" put backup Choose to save it to C:\ Click save and then go to File > Exit. This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done. Open Notepad and copy and paste everything from the box below. Code: REGEDIT4 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "internat.exe"=- Click on File, Save it to your desktop, in file name save as internat.reg click OK. Next go to your desktop and double click on internat.reg, allow it to merge to the registry. It should give you a prompt "sucessfully merged". Delete this folder: C:\WINNT\uniq HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html Please remember to close all other windows, including browsers then click Fix checked. Post a new HIjackthis log and let me know of any remaining issues with the system. __________________

07-16-2006, 11:38 PM	#5 (permalink)
hibob Registered User Join Date: Jan 2005 Location: Israel Posts: 34 OS: WinXP	Final log... Here we are, the last HJT log. Thanks! Logfile of HijackThis v1.99.1 Scan saved at 08:09:50, on 17/07/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\NavNT\defwatch.exe C:\WINNT\System32\svchost.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\NavNT\rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\NavNT\vptray.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\WINNT\system32\MsgSys.EXE C:\WINNT\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by דפדפן צה"לנט גירסה 6.01 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://www.znet.idf/ O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

07-16-2006, 11:46 PM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Sunbelt Kerio Personal Firewall Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. __________________

09-16-2006, 05:55 PM	#7 (permalink)
hibob Registered User Join Date: Jan 2005 Location: Israel Posts: 34 OS: WinXP	Everything looks fine so-far. Thanks.