HELP! svchost.exe making lot of smtp, http and https connections

Old 04-01-2008, 12:53 AM   #1
Guest (Join Date: Apr 2008, Posts: 22)

Hi!

I've tried to solve this problem: I've tried many antiviruses, trojan finders etc. Nothing helps. svchost -k rpcss is opening bunches of http, smtp and https connections to hundreds of servers. I'd appreciate any help with it. Please find below my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:25, on 01.04.2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
G:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Punto Switcher\ps.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Weather Alarm Clock\WeatherAlarmClock.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\GetRight\getright.exe
C:\Palm\Hotsync.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Flextronics Israel Ltd.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mignt025:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.flextronics.com;10.229.*;10.10.10.2;10.10.10.21;192.168.253.83;135.64.105.35;192.114.150.25;192.168.253.13;192.168.253.209;192.168.253.223;152.135.170.7;152.135.176.36;https://edmzsrv.ecitele.com:8415;https://metaweb.ecitele.com;https://university.flextronics.com;https://metaweb.ecitele.com;https://metaweb.ecitele.com:9444/envlp/controller/home;https://sslvpn.gilat.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Punto Switcher] C:\Program Files\Punto Switcher\ps.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [zRain] C:\Program Files\Weather Alarm Clock\zRain.exe
O4 - HKCU\..\Run: [WeatherAlarmClock] C:\Program Files\Weather Alarm Clock\WeatherAlarmClock.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O8 - Extra context menu item: &Translate - https://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: &Ubersetzen - https://lingvo.yandex.ru/ie5trans1.htm
O8 - Extra context menu item: Download using Download &Express - file://C:\WINNT\system32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: T&raduire - https://lingvo.yandex.ru/ie5trans2.htm
O8 - Extra context menu item: Traduc&ir - https://lingvo.yandex.ru/ie5trans4.htm
O8 - Extra context menu item: Tradurr&e - https://lingvo.yandex.ru/ie5trans3.htm
O8 - Extra context menu item: Yandex &Search - https://lingvo.yandex.ru/ie5search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www01.bezeq.co.il/BezeqBill/...nt/CfxIEAx.cab
O16 - DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} (TeleControl Class) - https://10.229.8.53/CommandCenterWeb/...1&ccsessionid=
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - https://10.229.9.118/activex/decoder/mpeg4_dec.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1201097963218
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - https://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{977FA0B2-C156-4C6D-AA9B-114422DB5335}: NameServer = 10.229.8.23,10.229.8.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O20 - Winlogon Notify: console32 - C:\WINNT\SYSTEM32\console32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - G:\Program Files\Pointdev\IDEAL Administration\IACtrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: NetOp Helper ver. 9.00 (2007250) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINNT\Pointdev\VNC\WinVNC.exe

--
End of file - 10128 bytes
Aspid is offline  
Old 04-01-2008, 10:09 PM   #2
Guest (Join Date: Apr 2008, Posts: 22)

Any ideas? Suggestions? I can't find anything.
Aspid is offline  
Old 04-02-2008, 09:21 PM   #3
Guest (Join Date: Apr 2008, Posts: 22)

Please, if you have time, take a look at it. 10x
Aspid is offline  
Old 04-03-2008, 10:55 PM   #4
Guest (Join Date: Apr 2008, Posts: 22)

Does anybody have such problems, or is it something unique?
Aspid is offline  
Old 04-04-2008, 06:06 PM   #5
tetonbob, TSF Security Manager Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINNT\SYSTEM32\console32.dll

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Also, please do not wrap logs in code tags; it makes them more difficult to read.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
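A small triage helper for the HijackThis log format used in this thread, added here as an example (it is not the forum's or HijackThis's own code): it parses the "Onn - ..." lines, flags the entry types an analyst verifies first (the O20 Winlogon Notify entry for console32.dll, O23 services with no publisher or no file), and lists the on-disk files worth uploading to VirusTotal as the post above asks. The sample lines are copied from the logs in this thread; the flagging rules and the function names parse_hjt, triage and paths_to_submit are this example's own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis logs in
# this thread, so the triage can be run offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: console32 - C:\WINNT\SYSTEM32\console32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - G:\Program Files\Pointdev\IDEAL Administration\IACtrl.exe
O23 - Service: NTBOOTMGR (NTBOOT) - NetGroup - Politecnico di Torino - (no file)
O23 - Service: .NETSecurity - Unknown owner - C:\WINNT\system32\netsecurity.exe
"""

# "O23 - Service: ...": a section code, " - ", then the free-form body.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a loadable module; quotes are optional.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)


@dataclass
class Entry:
    code: str            # HijackThis section, e.g. "O20"
    body: str            # everything after "Onn - "
    path: Optional[str]  # module the entry points at, if the line names one


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, "Running processes:" lines, blank lines
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, pm.group(0) if pm else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Return the entries an analyst verifies first, each with the reason.

    Rules are this example's assumptions, not HijackThis's own logic."""
    findings = []
    for e in entries:
        if e.code == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at every logon
            # (Windows 2000/XP); legitimate third-party entries are rare.
            findings.append(Finding(e, "Winlogon Notify DLL; verify the file"))
        elif e.code == "O23":
            if "Unknown owner" in e.body:
                findings.append(Finding(e, "service binary has no publisher info"))
            if e.path is None or "(file missing)" in e.body:
                findings.append(Finding(e, "service points at a file that is not present"))
    return findings


def paths_to_submit(findings: List[Finding]) -> List[str]:
    """Distinct on-disk modules from the findings, in log order: the files
    worth hashing or uploading to an online scanner such as VirusTotal."""
    seen, out = set(), []
    for f in findings:
        if f.entry.path and f.entry.path.lower() not in seen:
            seen.add(f.entry.path.lower())
            out.append(f.entry.path)
    return out


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"{f.entry.code}: {f.reason}\n    {f.entry.body}")
    print("Submit for scanning:", *paths_to_submit(found), sep="\n    ")
```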
Old 04-06-2008, 01:51 AM   #6
Guest (Join Date: Apr 2008, Posts: 22)

Here it is:

main.txt
Deckard's System Scanner v20071014.68
Run by admin_migstoma on 2008-04-06 09:36:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.01 GiB (less than 15%) free.


-- HijackThis (run as admin_migstoma.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:44, on 06.04.2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
G:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Punto Switcher\ps.exe
C:\WINNT\system32\ctfmon.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\admin_migstoma\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin_migstoma.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Flextronics Israel Ltd.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mignt025:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.flextronics.com;10.229.*;10.10.10.2;10.10.10.21;192.168.253.83;135.64.105.35;192.114.150.25;192.168.253.13;192.168.253.209;192.168.253.223;152.135.170.7;152.135.176.36;https://edmzsrv.ecitele.com:8415;https://metaweb.ecitele.com;https://university.flextronics.com;https://metaweb.ecitele.com;https://metaweb.ecitele.com:9444/envlp/controller/home;https://sslvpn.gilat.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Punto Switcher] C:\Program Files\Punto Switcher\ps.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [zRain] C:\Program Files\Weather Alarm Clock\zRain.exe
O4 - HKCU\..\Run: [WeatherAlarmClock] C:\Program Files\Weather Alarm Clock\WeatherAlarmClock.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O8 - Extra context menu item: &Translate - https://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: &Ubersetzen - https://lingvo.yandex.ru/ie5trans1.htm
O8 - Extra context menu item: Download using Download &Express - file://C:\WINNT\system32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: T&raduire - https://lingvo.yandex.ru/ie5trans2.htm
O8 - Extra context menu item: Traduc&ir - https://lingvo.yandex.ru/ie5trans4.htm
O8 - Extra context menu item: Tradurr&e - https://lingvo.yandex.ru/ie5trans3.htm
O8 - Extra context menu item: Yandex &Search - https://lingvo.yandex.ru/ie5search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www01.bezeq.co.il/BezeqBill/...nt/CfxIEAx.cab
O16 - DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} (TeleControl Class) - https://10.229.8.53/CommandCenterWeb/...1&ccsessionid=
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - https://10.229.9.118/activex/decoder/mpeg4_dec.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1201097963218
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - https://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{977FA0B2-C156-4C6D-AA9B-114422DB5335}: NameServer = 10.229.8.23,10.229.8.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O20 - Winlogon Notify: console32 - C:\WINNT\SYSTEM32\console32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - G:\Program Files\Pointdev\IDEAL Administration\IACtrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: NetOp Helper ver. 9.00 (2007250) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINNT\Pointdev\VNC\WinVNC.exe

--
End of file - 9936 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080326-120945-361 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.couldnotfind.com/search_p...ount_id=138770
backup-20080326-120945-444 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.couldnotfind.com/search_p...ount_id=138770
backup-20080326-120959-927 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.couldnotfind.com/search_p...ount_id=138770
backup-20080326-121104-392 R3 - Default URLSearchHook is missing
backup-20080326-122050-102 O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 10\vrie.dll (file missing)
backup-20080326-122050-119 O4 - HKCU\..\Run: [hldrrr] C:\WINNT\system32\hldrrr.exe
backup-20080326-122050-188 O4 - HKLM\..\Run: [hldrrr] C:\WINNT\system32\hldrrr.exe
backup-20080326-122050-322 O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mignt009/TSWeb/msrdp.cab
backup-20080326-122050-373 O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
backup-20080326-122050-395 O4 - HKCU\..\Run: [SolarWinds Toolbar] G:\Program Files\SolarWinds\Engineers Edition\SolarWinds-Toolbar.exe
backup-20080326-122050-430 O4 - HKLM\..\Run: [gekemgl] c:\winnt\system32\gekemgl.exe
backup-20080326-122050-433 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20080326-122050-448 O4 - HKCU\..\Run: [TLH_PTFBPro] "C:\Program Files\Technology Lighthouse\PTFB Pro\Launcher.exe"
backup-20080326-122050-565 O4 - HKLM\..\Run: [CookiePatrol] I:\PROGRA~1\PESTPA~1\CookiePatrol.exe
backup-20080326-122050-592 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - https://imgfarm.com/images/nocache/fu...tup1.0.0.8.cab
backup-20080326-122050-617 O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 10\vrie.dll (file missing)
backup-20080326-122050-650 O16 - DPF: {09D6F55E-F235-4102-9C60-1D09CFD9FAFF} (launch Class) - https://10.229.9.52/vpclient4102.cab
backup-20080326-122050-670 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080326-122050-697 O4 - HKLM\..\Run: [PPMemCheck] I:\PROGRA~1\PESTPA~1\PPMemCheck.exe
backup-20080326-122050-824 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20080326-122050-878 O4 - HKCU\..\Run: [Advanced Task Scheduler] "C:\Program Files\Advanced Task Scheduler\advscheduler.exe" noshow
backup-20080326-122050-896 O4 - HKLM\..\Run: [PestPatrol Control Center] I:\PROGRA~1\PESTPA~1\PPControl.exe
backup-20080326-122050-925 O4 - HKCU\..\Run: [TweakRAM] C:\Program Files\TweakRAM\TweakRAM.exe
backup-20080326-122052-169 O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - https://62.90.159.251:7888/activex/AMC.cab
backup-20080326-122052-458 O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://ssl.bynet.co.il/dana-cached/...erSetupSP1.cab
backup-20080326-122052-494 O23 - Service: .NETSecurity - Unknown owner - C:\WINNT\system32\netsecurity.exe
backup-20080326-122052-533 O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
backup-20080326-122052-608 O23 - Service: NTBOOTMGR (NTBOOT) - NetGroup - Politecnico di Torino - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NHostNT1 (NetOp Driver 1 ver. 9.00 (2007250)) - c:\winnt\system32\drivers\nhostnt1.sys <Not Verified; Danware Data A/S; NetOp Technologies>
R1 OMCI - c:\winnt\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 hardlock - c:\winnt\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\winnt\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 NPF (NetGroup Packet Filter Driver) - c:\winnt\system32\drivers\npf.sys <Not Verified; NetGroup - Politecnico di Torino; WinPcap Netgroup Packet Filter Driver>
R3 G400 - c:\winnt\system32\drivers\g400m.sys <Not Verified; Matrox Graphics Inc.; Matrox G400 Miniport Driver>
R3 NHOSTNT3 (NetOp Driver 3 ver. 9.00 (2007250) (NHOSTNT3)) - c:\winnt\system32\drivers\nhostnt3.sys <Not Verified; Danware Data A/S; NetOp Technologies>
R3 pfc (Padus ASPI Shell) - c:\winnt\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 ATE_PROCMON - c:\program files\anti trojan elite\atepmon.sys (file missing)
S3 catchme - c:\docume~1\stas-a~1\locals~1\temp\catchme.sys (file missing)
S3 Hl_mull - c:\winnt\system32\drivers\hl_mull.sys
S3 mgabg - c:\winnt\system32\drivers\mgabg.sys <Not Verified; Matrox Graphics Inc.; Matrox Graphics Inc. MgaBG>
S3 RET45 (RET45 Protocol Driver) - f:\program files\retina\modules\retina\scanner\ret45.sys <Not Verified; eEye Digital Security; eEye Digital Security: Retina>
S3 UtilNT - c:\winnt\system32\drivers\utilnt.sys <Not Verified; Matrox Graphics Inc.; Matrox Graphics Inc. UtilNt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MGABGEXE - c:\winnt\system32\mgabg.exe <Not Verified; Matrox Graphics Inc.; Matrox Graphics Inc. MGABG>
R2 NetOp Host for NT Service (NetOp Helper ver. 9.00 (2007250)) - "c:\program files\danware data\netop remote control\host\nhostsvc.exe" <Not Verified; Danware Data A/S; NetOp Technologies>

S3 IACtrl (IA Analysing v2.0) - "g:\program files\pointdev\ideal administration\iactrl.exe"
S3 winvnc (VNC Server) - "c:\winnt\pointdev\vnc\winvnc.exe" -service <Not Verified; Constantin Kaplinsky; TightVNC Win32 Server>
S4 .NETSecurity - c:\winnt\system32\netsecurity.exe (file missing)
S4 FlexInvSvc (Flextronics Inventory Service) - "c:\program files\flextronics int\flexinvsvc\flexinvservice.exe" <Not Verified; Flextronics Int; FlextronicsInvService>
S4 NTBOOT (NTBOOTMGR) -
S4 PestPatrol Remote - "c:\program files\common files\pestpatrol\ppremoteservice.exe" <Not Verified; Computer Associates International, Inc.; eTrust PestPatrol Anti-Spyware Corporate Edition>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_2443&SUBSYS_010D1028&REV_04\3&172E68DD&0&FB
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_2443&SUBSYS_010D1028&REV_04\3&172E68DD&0&FB
Service:


-- Scheduled Tasks -------------------------------------------------------------

2005-12-25 15:50:23 182 --a------ C:\WINNT\Tasks\dirr.job


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-01 10:47:41 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_33c.dat
2008-04-01 10:27:39 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_318.dat
2008-03-31 22:50:45 0 d------c- C:\Documents and Settings\stas-aspid\Application Data\Adobe
2008-03-31 22:45:46 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_340.dat
2008-03-31 17:17:20 0 d-------- C:\SAV32CLI
2008-03-31 17:12:29 1415411 --a------ C:\SDFix.exe
2008-03-31 17:08:03 3216 --a----c- C:\WINNT\system32\drivers\NHOSTNT3.SYS <Not Verified; Danware Data A/S; NetOp Technologies>
2008-03-31 17:08:02 2480 --a----c- C:\WINNT\system32\NHOSTNT4.DLL <Not Verified; Danware Data A/S; NetOp Technologies>
2008-03-31 17:08:02 92432 --a----c- C:\WINNT\system32\drivers\NHOSTNT1.SYS <Not Verified; Danware Data A/S; NetOp Technologies>
2008-03-31 16:35:52 0 d------c- C:\Program Files\Anti Trojan Elite
2008-03-31 15:13:29 0 d------c- C:\Program Files\ProcessMonitor
2008-03-31 15:13:24 0 d------c- C:\Program Files\ProcessExplorer
2008-03-31 15:04:03 0 d------c- C:\Documents and Settings\stas-aspid\Application Data\Prevx
2008-03-31 15:04:02 0 d------c- C:\Documents and Settings\stas-aspid\Application Data\HotSync
2008-03-31 14:38:07 0 d-------- C:\WINNT\ERUNT
2008-03-28 10:03:49 0 d------c- C:\Documents and Settings\All Users.WINNT\Application Data\fssg
2008-03-28 01:09:50 0 d-------- C:\fsaua.data
2008-03-28 01:02:02 0 d------c- C:\WINNT\system32\Kaspersky Lab
2008-03-27 16:54:11 0 d------c- C:\Program Files\a-squared Anti-Malware
2008-03-27 16:50:07 0 d------c- C:\Program Files\Mamutu
2008-03-26 17:02:35 0 d-a----c- C:\Documents and Settings\All Users.WINNT\Application Data\Prevx
2008-03-26 14:26:07 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_388.dat
2008-03-26 12:57:22 0 d------c- C:\Program Files\Trend Micro
2008-03-26 12:21:39 221184 --a----c- C:\WINNT\system32\wpcap.dll <Not Verified; NetGroup - Politecnico di Torino; WinPcap high level library>
2008-03-26 12:21:39 61440 --a----c- C:\WINNT\system32\wanpacket.dll <Not Verified; NetGroup - Politecnico di Torino; WinPcap low level NetMon wrapper library>
2008-03-26 12:21:39 53299 --a----c- C:\WINNT\system32\pthreadVC.dll
2008-03-26 12:21:39 81920 --a----c- C:\WINNT\system32\packet.dll <Not Verified; NetGroup - Politecnico di Torino; WinPcap low level packet library>
2008-03-26 12:21:39 32000 --a----c- C:\WINNT\system32\drivers\npf.sys <Not Verified; NetGroup - Politecnico di Torino; WinPcap Netgroup Packet Filter Driver>
2008-03-26 12:21:38 0 d------c- C:\Program Files\Network Chemistry
2008-03-26 12:21:38 0 d------c- C:\Documents and Settings\admin_migstoma\Application Data\Ethereal
2008-03-25 22:09:04 0 d-a----c- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2008-03-25 22:07:51 162304 --a----c- C:\WINNT\system32\ztvunrar36.dll
2008-03-25 22:07:51 77312 --a----c- C:\WINNT\system32\ztvunace26.dll
2008-03-25 22:07:51 69632 --a----c- C:\WINNT\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-03-25 22:07:50 153088 --a----c- C:\WINNT\system32\UNRAR3.dll
2008-03-25 22:07:46 0 d------c- C:\Program Files\Trojan Remover
2008-03-25 22:07:46 0 d-a----c- C:\Documents and Settings\All Users.WINNT\Application Data\Simply Super Software
2008-03-25 22:07:46 0 d------c- C:\Documents and Settings\admin_migstoma\Application Data\Simply Super Software
2008-03-25 21:00:35 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_6f0.dat
2008-03-24 17:15:32 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_390.dat
2008-03-10 11:33:30 0 d------c- C:\Documents and Settings\All Users.WINNT\Application Data\GlobalSCAPE
2008-03-10 11:26:06 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_39c.dat
2008-03-09 09:39:04 0 d------c- C:\Documents and Settings\migw2k\SecurityScans
2008-03-09 08:59:50 0 d------c- C:\Documents and Settings\admin_migstoma\SecurityScans
2008-03-09 08:57:16 0 d------c- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-03-07 22:21:47 0 d------c- C:\Program Files\Windows Installer Clean Up
2008-03-07 22:21:28 0 d------c- C:\Program Files\MSECACHE


-- Find3M Report ---------------------------------------------------------------

2008-04-01 10:53:51 0 d-a----c- C:\Program Files\GetRight
2008-03-31 22:36:42 0 d------c- C:\Documents and Settings\admin_migstoma\Application Data\Azureus
2008-03-31 20:12:09 0 d------c- C:\Program Files\Weather Alarm Clock
2008-03-31 16:34:59 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-03-31 16:34:59 0 d-a----c- C:\Program Files\GlobalSCAPE
2008-03-27 07:02:03 0 d------c- C:\Documents and Settings\admin_migstoma\Application Data\Adobe
2008-03-24 17:07:10 1201226 ---h----- C:\WINNT\ShellIconCache
2008-02-19 15:19:12 0 d-a----c- C:\Program Files\Xlight
2008-02-14 15:49:17 0 d------c- C:\Documents and Settings\admin_migstoma\Application Data\AdobeUM
2008-02-03 16:17:26 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_35c.dat
2008-01-23 17:32:48 16384 --a----ct C:\WINNT\system32\Perflib_Perfdata_3dc.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [20.06.03 15:00 C:\WINNT\system32\mobsync.exe]
"Matrox Powerdesk"="C:\WINNT\system32\PDesk.exe" [04.02.00 16:47 ]
"POINTER"="point32.exe" []
"FinePrint Dispatcher v4"="C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe" [15.03.00 22:16 ]
"FinePrint Dispatcher v5"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [11.02.04 22:22 ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09.06.04 20:31 ]
"vptray"="G:\PROGRA~1\SYMANT~1\VPTray.exe" [06.10.04 17:56 ]
"Babylon Client"="C:\Program Files\Babylon\Babylon.exe" [23.10.05 16:02 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [10.11.05 14:03 ]
"pdfFactory Pro Dispatcher v3"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [08.12.06 23:22 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09.07.01 11:50 ]
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [14.06.05 11:05 ]
"Punto Switcher"="C:\Program Files\Punto Switcher\ps.exe" [13.11.04 23:18 ]
"ctfmon.exe"="ctfmon.exe" [05.02.01 11:03 C:\WINNT\system32\CTFMON.EXE]
"zRain"="C:\Program Files\Weather Alarm Clock\zRain.exe" []
"WeatherAlarmClock"="C:\Program Files\Weather Alarm Clock\WeatherAlarmClock.exe" [13.11.07 03:38 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [24.10.2003 7:37:56]
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [06.12.2000 17:02:52]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [09.06.2004 15:16:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\console32]
console32.dll 06.08.04 09:53 8704 C:\WINNT\system32\console32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-04-06 09:43:25 ------------

Result from www.virustotal.com

File console32.dll received on 04.06.2008 08:52:10 (CET)

Result: 7/32 (21.88%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.05 TR/Hijacker.Gen
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.06 Win32:Small-IKB
AVG 7.5.0.516 2008.04.05 Downloader.Small.60.AO
BitDefender 7.2 2008.04.06 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.06 -
DrWeb 4.44.0.09170 2008.04.05 -
eSafe 7.0.15.0 2008.04.01 -
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.05 -
F-Prot 4.4.2.54 2008.04.05 -
F-Secure 6.70.13260.0 2008.04.06 -
FileAdvisor 1 2008.04.06 -
Fortinet 3.14.0.0 2008.04.06 -
Ikarus T3.1.1.20 2008.04.06 Virus.Win32.Small.IKB
Kaspersky 7.0.0.125 2008.04.06 -
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.06 VirTool:Win32/Obfuscator.L
NOD32v2 3005 2008.04.06 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.05 -
Prevx1 V2 2008.04.06 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.06 Sus/Behav-1021
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.06 -
TheHacker 6.2.92.266 2008.04.05 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.05 -
Webwasher-Gateway 6.6.2 2008.04.05 Trojan.Hijacker.Gen
Additional information
File size: 8704 bytes
MD5...: c4261b168b83d828fccc6de2cdd68494
SHA1..: 99cdee3326fa6d26e5a2ac09752ee3a3df7da9bb
SHA256: a16ca8db158971966feb05c1b70c0d09c9e641f3164f5ff9625790309903f8a7
SHA512: 6e75bb55a2223ecc1d27f7218f509b7747a122da1a82c48319aaa18e3ea65d19
e7aa2640aedaea7ffe813ba9a15d42d89d68dff0f5a08ba85dca97794ec6abc8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10008450
timedatestamp.....: 0x4730d177 (Tue Nov 06 20:41:27 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x7000 0x2000 0x1800 7.56 bd8221e462b5627ef32f9e5e7b9b6727
.rsrc 0x9000 0x1000 0x600 2.79 dde5cbee66f9b17908e3d0823fb7c06d

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree

( 1 exports )
anaq

packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Attached Files
File Type: txt extra.txt (19.5 KB, 43 views)
Aspid is offline  
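As an added example (not code from the post, VirusTotal or HijackThis), the checks a responder makes by eye on the VirusTotal report above and on the HijackThis O20 line quoted later in the thread, automated over constructed excerpts of those logs:

```python
"""Triage helpers for the console32.dll findings quoted in the thread.

Added example, not code from the forum post, VirusTotal or HijackThis. It
re-applies, over excerpts of the logs posted above, the checks a responder
makes by eye: detection ratio, UPX packing indicators in the PE section
table, and Winlogon Notify DLL persistence (HijackThis O20 lines).
"""
import re

# Constructed excerpt (8 of 32 engines) of the VirusTotal table in the post.
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.05 TR/Hijacker.Gen
Avast 4.7.1098.0 2008.04.06 Win32:Small-IKB
ClamAV 0.92.1 2008.04.06 -
Ikarus T3.1.1.20 2008.04.06 Virus.Win32.Small.IKB
Microsoft 1.3408 2008.04.06 VirTool:Win32/Obfuscator.L
Sophos 4.28.0 2008.04.06 Sus/Behav-1021
Symantec 10 2008.04.06 -
"""

# PE section table for console32.dll as printed by VirusTotal.
PE_SECTIONS = """\
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x7000 0x2000 0x1800 7.56 bd8221e462b5627ef32f9e5e7b9b6727
.rsrc 0x9000 0x1000 0x600 2.79 dde5cbee66f9b17908e3d0823fb7c06d
"""

# Constructed excerpt of the HijackThis log from the later post.
HJT_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O20 - Winlogon Notify: console32 - C:\WINNT\SYSTEM32\console32.dll
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINNT\Pointdev\VNC\WinVNC.exe
"""


def parse_vt_table(text):
    """Return [(engine, result)]; a result of '-' means no detection."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue  # blank line or the column header
        rows.append((parts[0], parts[-1]))
    return rows


def detection_ratio(text):
    """Return (detections, engines), as in VirusTotal's 'Result: x/y'."""
    rows = parse_vt_table(text)
    return sum(1 for _, r in rows if r != "-"), len(rows)


def parse_pe_sections(text):
    """Return one dict per section row of the VirusTotal PE dump."""
    sections = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "name":
            continue
        sections.append({"name": parts[0],
                         "virtual_size": int(parts[2], 16),
                         "raw_size": int(parts[3], 16),
                         "entropy": float(parts[4])})
    return sections


def packer_indicators(sections, entropy_threshold=7.0):
    """List why the section table looks packed (empty list if it does not).

    UPX keeps an empty first section filled only at run time and a dense
    second one; 7.0 bits/byte is a common entropy cut-off for packed data.
    """
    reasons = []
    for s in sections:
        if s["virtual_size"] and not s["raw_size"]:
            reasons.append(f"{s['name']}: 0x{s['virtual_size']:x} bytes "
                           "reserved in memory but no raw data (unpack area)")
        if s["entropy"] >= entropy_threshold:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f} "
                           "(compressed or encrypted data)")
        if s["name"].upper().startswith("UPX"):
            reasons.append(f"{s['name']}: section name left by UPX")
    return reasons


O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def winlogon_notify_entries(hjt_text):
    """Return [(subkey, dll_path)] for every O20 line in a HijackThis log;
    these DLLs load into winlogon.exe at logon, so unknown ones get a hash lookup."""
    return [m.groups() for m in map(O20_RE.match, hjt_text.splitlines()) if m]
```

Over the full 32-engine table in the post the same count gives the 7/32 that VirusTotal reports; the excerpt here yields 5/8.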
Old 04-06-2008, 07:58 AM   #7
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



I feel I should point this out before we begin removal procedures.

The partitioning on your hdd is in need of attention. Your %systemdrive% has less than the optimal amount of free space, which causes Windows to work harder than it needs to. You may want to consider merging one of the several 2GB partitions you have with your C drive.

===============================

Please visit this webpage for instructions for downloading and running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

Windows 2000 users will need to install the Recovery Console from their installation CD.

https://support.microsoft.com/kb/216417

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 04-09-2008, 12:37 AM   #8
Guest
 
Join Date: Apr 2008
Posts: 22
OS:



I've tried to run ComboFix several times according to the provided guide - it always stalls just after starting, always on an empty blue screen with no information. Any clues?
Aspid is offline  
Old 04-09-2008, 06:51 AM   #9
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Yes...delete your existing version, and try again please.
tetonbob is offline  
Old 04-09-2008, 06:57 AM   #10
Guest
 
Join Date: Apr 2008
Posts: 22
OS:



I've tried to run it again and it ran till stage 3, where it got stuck. It has removed 3 files and 1 directory; I don't remember the names. Now it looks better, but I'm not 100% sure.
Aspid is offline  
Old 04-09-2008, 07:02 AM   #11
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



When did you download the file, please?
tetonbob is offline  
Old 04-09-2008, 07:26 PM   #12
Guest
 
Join Date: Apr 2008
Posts: 22
OS:



Yesterday.
Aspid is offline  
Old 04-09-2008, 07:28 PM   #13
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Ok, please delete that version, then follow these instructions.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disconnect from the internet....pull the plug!
  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  4. Double click on combofix.exe & follow the prompts. Type 1, then press Enter to start the fix.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  8. Re-establish an internet connection.
  9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 06-12-2008, 06:23 AM   #14
Guest
 
Join Date: Apr 2008
Posts: 22
OS:



ComboFix log:
ComboFix 08-06-10.5 - admin_migstoma 2008-06-12 15:59:10.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1251.1.1033.18.687 [GMT 3:00]
Running from: C:\Documents and Settings\admin_migstoma\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\RECYCLER\desktopA.sys
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\packet.dll
C:\WINNT\system32\pthreadVC.dll
C:\WINNT\system32\wanpacket.dll
C:\WINNT\system32\wpcap.dll
G:\Temp\Temporary Internet Files\print.htm
G:\Temp\Temporary Internet Files\tfsImg_AgatUserImage.ico
G:\Temp\Temporary Internet Files\tfsImg_Animated.htm
G:\Temp\Temporary Internet Files\tfsImg_attachEmpty.gif
G:\Temp\Temporary Internet Files\tfsImg_attachFull.bmp
G:\Temp\Temporary Internet Files\tfsImg_blue_bot_lft.gif
G:\Temp\Temporary Internet Files\tfsImg_bot_lft.gif
G:\Temp\Temporary Internet Files\tfsImg_bot_lft_dis.gif
G:\Temp\Temporary Internet Files\tfsImg_bot_rt.gif
G:\Temp\Temporary Internet Files\tfsImg_bot_rt_dis.gif
G:\Temp\Temporary Internet Files\tfsImg_bullet_blue.gif
G:\Temp\Temporary Internet Files\tfsImg_bullet_blue_eng.gif
G:\Temp\Temporary Internet Files\tfsImg_but_asher.gif
G:\Temp\Temporary Internet Files\tfsImg_but_close.gif
G:\Temp\Temporary Internet Files\tfsImg_but_remove.gif
G:\Temp\Temporary Internet Files\tfsImg_but_sgor.gif
G:\Temp\Temporary Internet Files\tfsImg_chazor.gif
G:\Temp\Temporary Internet Files\tfsImg_crnr_bot_left.gif
G:\Temp\Temporary Internet Files\tfsImg_crnr_bot_right.gif
G:\Temp\Temporary Internet Files\tfsImg_crnr_top_left.gif
G:\Temp\Temporary Internet Files\tfsImg_crnr_top_right.gif
G:\Temp\Temporary Internet Files\tfsImg_del_small.GIF
G:\Temp\Temporary Internet Files\tfsImg_deleteSign.ico
G:\Temp\Temporary Internet Files\tfsImg_displayAttach.ico
G:\Temp\Temporary Internet Files\tfsImg_displaySignedForm.ico
G:\Temp\Temporary Internet Files\tfsImg_displaySignerDetails.ico
G:\Temp\Temporary Internet Files\tfsImg_displaySignerStatus.ico
G:\Temp\Temporary Internet Files\tfsImg_dot.gif
G:\Temp\Temporary Internet Files\tfsImg_drop2.GIF
G:\Temp\Temporary Internet Files\tfsImg_englishBackgroundPopup.jpg
G:\Temp\Temporary Internet Files\tfsImg_englishContent.ico
G:\Temp\Temporary Internet Files\tfsImg_exit.ico
G:\Temp\Temporary Internet Files\tfsImg_form1_main_bw.gif
G:\Temp\Temporary Internet Files\tfsImg_Hamshech.gif
G:\Temp\Temporary Internet Files\tfsImg_hebrewBackgroundPopup.jpg
G:\Temp\Temporary Internet Files\tfsImg_hebrewContent.ico
G:\Temp\Temporary Internet Files\tfsImg_id_card.gif
G:\Temp\Temporary Internet Files\tfsImg_ikon_files.gif
G:\Temp\Temporary Internet Files\tfsImg_ikon_help.gif
G:\Temp\Temporary Internet Files\tfsImg_ikon_tohen.gif
G:\Temp\Temporary Internet Files\tfsImg_layout_an_send_end.gif
G:\Temp\Temporary Internet Files\tfsImg_left2.GIF
G:\Temp\Temporary Internet Files\tfsImg_leftTop.gif
G:\Temp\Temporary Internet Files\tfsImg_line.gif
G:\Temp\Temporary Internet Files\tfsImg_line_dis.jpg
G:\Temp\Temporary Internet Files\tfsImg_line_gray.gif
G:\Temp\Temporary Internet Files\tfsImg_line_stretch_across.gif
G:\Temp\Temporary Internet Files\tfsImg_line_stretch_down.gif
G:\Temp\Temporary Internet Files\tfsImg_lookUpWindow.gif
G:\Temp\Temporary Internet Files\tfsImg_lookUpWindowReadonly.gif
G:\Temp\Temporary Internet Files\tfsImg_main.gif
G:\Temp\Temporary Internet Files\tfsImg_mashov.gif
G:\Temp\Temporary Internet Files\tfsImg_office.gif
G:\Temp\Temporary Internet Files\tfsImg_pay_bt.gif
G:\Temp\Temporary Internet Files\tfsImg_payment_dr1.gif
G:\Temp\Temporary Internet Files\tfsImg_print.gif
G:\Temp\Temporary Internet Files\tfsImg_print11.gif
G:\Temp\Temporary Internet Files\tfsImg_printnush.gif
G:\Temp\Temporary Internet Files\tfsImg_right2.GIF
G:\Temp\Temporary Internet Files\tfsImg_rightTop.gif
G:\Temp\Temporary Internet Files\tfsImg_sand_clock3.gif
G:\Temp\Temporary Internet Files\tfsImg_saveAllAttachments.gif
G:\Temp\Temporary Internet Files\tfsImg_saveAllAttachmentsENG.gif
G:\Temp\Temporary Internet Files\tfsImg_saveAttach.ico
G:\Temp\Temporary Internet Files\tfsImg_SaveToFile.ico
G:\Temp\Temporary Internet Files\tfsImg_saveToFileEach.ico
G:\Temp\Temporary Internet Files\tfsImg_shadow_bottom.gif
G:\Temp\Temporary Internet Files\tfsImg_shadow_bottom_dis.gif
G:\Temp\Temporary Internet Files\tfsImg_shadow_Rt.gif
G:\Temp\Temporary Internet Files\tfsImg_shadow_Rt_dis.gif
G:\Temp\Temporary Internet Files\tfsImg_sign.gif
G:\Temp\Temporary Internet Files\tfsImg_sign_unverified.gif
G:\Temp\Temporary Internet Files\tfsImg_signGrey.gif
G:\Temp\Temporary Internet Files\tfsImg_SignInQuestion.gif
G:\Temp\Temporary Internet Files\tfsImg_signYellow.gif
G:\Temp\Temporary Internet Files\tfsImg_square.gif
G:\Temp\Temporary Internet Files\tfsImg_status_Animated.htm
G:\Temp\Temporary Internet Files\tfsImg_statusBar.gif
G:\Temp\Temporary Internet Files\tfsImg_title_with_line.gif
G:\Temp\Temporary Internet Files\tfsImg_titleBG.bmp
G:\Temp\Temporary Internet Files\tfsImg_ToolbarP.png
G:\Temp\Temporary Internet Files\tfsImg_top_lft_dis.gif
G:\Temp\Temporary Internet Files\tfsImg_top_rt_dis.gif
G:\Temp\Temporary Internet Files\tfsImg_trash.ico
G:\Temp\Temporary Internet Files\tfsImg_verifySignature.ico
G:\Temp\Temporary Internet Files\tfsStatusBar.gif

----- BITS: Possible infected sites -----

hxxp://mignt041
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-04 13:46 . 08-06-04 13:48 <DIR> d-------- C:\DBSonarClient
2008-05-13 10:16 . 05-02-16 15:45 446 --a------ C:\ssoff.reg
2008-05-13 10:16 . 05-02-16 12:14 28 --a------ C:\ssoff.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 12:58 --------- dc--a-w C:\Program Files\GetRight
2008-05-14 02:55 --------- dc----w C:\Documents and Settings\admin_migstoma\Application Data\Azureus
2008-04-28 13:53 --------- dc----w C:\Program Files\IBM
2008-04-28 13:47 --------- dc----w C:\Program Files\Informix
2008-04-28 13:45 --------- dc----w C:\Program Files\Advanced Task Scheduler
2008-04-17 11:04 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 02:05 --------- dc----w C:\Program Files\GOV.IL
2008-04-14 02:05 --------- dc----w C:\Program Files\agat
2008-03-31 14:12 1,415,411 ----a-w C:\SDFix.exe
2006-07-18 10:48 271 ---ha-w C:\Program Files\desktop.ini
2006-07-18 10:48 21,952 -c-ha-w C:\Program Files\folder.htt
2006-05-14 10:21 33,240 -c--a-w C:\Documents and Settings\admin_migstoma\Application Data\GDIPFONTCACHEV1.DAT
2005-10-16 13:12 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-05-02 14:14 0 -c--a-w C:\Documents and Settings\admin_migstoma\ccolors.dat
2004-03-16 12:59 408 -c--a-w C:\Documents and Settings\admin_migstoma\starttrace.bat
2003-06-20 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2005-01-16 16:19 4,608 -csha-r C:\WINNT\system\DRIVER\cygcrypt-0.dll
2005-01-16 16:19 1,140,617 --sha-w C:\WINNT\system\DRIVER\cygwin1.dll
2005-01-28 10:30 1,478 -csha-r C:\WINNT\system\DRIVER\servicelogon.dll
2005-12-12 11:38 1,861 -csha-r C:\WINNT\system\DRIVER\servicesmgr.dll
2005-01-28 10:30 1,477 -csha-r C:\WINNT\system\DRIVER\svchostlogon.dll
2005-12-12 11:38 1,575 -csha-r C:\WINNT\system\DRIVER\winlogon.dll
.

------- Sigcheck -------

01-02-05 11:03 8192 a6fd58cadbbaa436859e9a4571394716 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23, on 2008-06-12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
g:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
g:\Program Files\Symantec AntiVirus\SavRoam.exe
g:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Babylon\Babylon.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Punto Switcher\ps.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mignt025:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.flextronics.com;10.229.*;10.10.10.2;10.10.10.21;192.168.253.83;135.64.105.35;192.114.150.25;192.168.253.13;192.168.253.209;192.168.253.223;152.135.170.7;152.135.176.36;https://edmzsrv.ecitele.com:8415;https://metaweb.ecitele.com;https://university.flextronics.com;https://metaweb.ecitele.com;https://metaweb.ecitele.com:9444/envlp/controller/home;https://sslvpn.gilat.com;10.229.8.24;https://screg.amat.com:8924;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] g:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Punto Switcher] C:\Program Files\Punto Switcher\ps.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [zRain] C:\Program Files\Weather Alarm Clock\zRain.exe
O4 - HKCU\..\Run: [WeatherAlarmClock] C:\Program Files\Weather Alarm Clock\WeatherAlarmClock.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O8 - Extra context menu item: &Translate - https://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: &Ubersetzen - https://lingvo.yandex.ru/ie5trans1.htm
O8 - Extra context menu item: Download using Download &Express - file://C:\WINNT\system32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: T&raduire - https://lingvo.yandex.ru/ie5trans2.htm
O8 - Extra context menu item: Traduc&ir - https://lingvo.yandex.ru/ie5trans4.htm
O8 - Extra context menu item: Tradurr&e - https://lingvo.yandex.ru/ie5trans3.htm
O8 - Extra context menu item: Yandex &Search - https://lingvo.yandex.ru/ie5search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://www01.bezeq.co.il/BezeqBill/...nt/CfxIEAx.cab
O16 - DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} (TeleControl Class) - https://10.229.8.53/CommandCenterWeb/...1&ccsessionid=
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - https://10.229.9.118/activex/decoder/mpeg4_dec.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1201097963218
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - https://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://10.229.8.70/dana-cached/setu...erSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{977FA0B2-C156-4C6D-AA9B-114422DB5335}: NameServer = 10.229.8.23,10.229.8.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = europe.ad.flextronics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = europe.ad.flextronics.com,mig.flextronics.com
O20 - Winlogon Notify: console32 - C:\WINNT\SYSTEM32\console32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - g:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - G:\Program Files\Pointdev\IDEAL Administration\IACtrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: NetOp Helper ver. 9.00 (2007250) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - g:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - g:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINNT\Pointdev\VNC\WinVNC.exe

--
End of file - 10616 bytes
Old 06-12-2008, 08:38 AM   #15
tetonbob, TSF Security Manager (Emeritus)

Over two months between replies...and not a word about why? Have you been ill? That seems an incredibly long period of time to leave a machine infected.

Before I continue, I need to know if you'll be planning on replying in a more timely fashion.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
Old 06-12-2008, 10:53 AM   #16
Aspid

Sorry for such a gap between the posts, but I was extremely busy with one project at my workplace. Also, I was trying to run ComboFix several dozen times during the last 2 months, but only today did I have luck with it: it was getting stuck every time at different stages.

The machine is still infected; I just blocked the http and smtp ports for outgoing traffic. From now on I'll reply in a timely manner. Once again, sorry for such a huge delay, and thank you for your efforts.
Old 06-12-2008, 11:04 AM   #17
tetonbob, TSF Security Manager (Emeritus)

Ok, good.

One more thing, then we'll get going... the ComboFix log appears to be incomplete. Can you repost it, please?

It should be located at C:\ComboFix.txt

Did you encounter any troubles with this recent version?
Old 06-12-2008, 02:05 PM   #18
Aspid

I've posted everything that I have in combofix.txt. Yes, I had a problem with it: it got stuck after the reboot.
Old 06-12-2008, 02:14 PM   #19
tetonbob, TSF Security Manager (Emeritus)

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

It may be that Symantec is interfering with ComboFix. Try to prevent it from running at startup, as well as disabling it.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    https://www.techsupportforum.com/security-center/hijackthis-log-help/235897-help-svchost-exe-making-lot-smtp-http-https-connections.html

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\console32]
    Collect::
    C:\WINNT\system\DRIVER\servicelogon.dll
    C:\WINNT\system\DRIVER\servicesmgr.dll
    C:\WINNT\system\DRIVER\svchostlogon.dll
    C:\WINNT\system\DRIVER\winlogon.dll
    C:\WINNT\SYSTEM32\console32.dll


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
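A defender-side illustration added here, not code from the thread or from the HijackThis/ComboFix authors: it triages HijackThis O20/O23 lines like the ones posted above, flags Winlogon Notify packages outside an assumed allowlist and services with no publisher, and renders a CFScript in the Registry::/Collect:: form used in the fix post. The sample log lines are constructed from this thread; the KNOWN_NOTIFY set and the thread URL are assumptions.

```python
import re

# Constructed sample modelled on the HijackThis log in this thread (not the full log).
SAMPLE_LOG = """\
O20 - Winlogon Notify: console32 - C:\\WINNT\\SYSTEM32\\console32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - G:\\Program Files\\Pointdev\\IDEAL Administration\\IACtrl.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\\WINNT\\Pointdev\\VNC\\WinVNC.exe
"""

# Assumed allowlist of Winlogon Notify packages normally present on Windows 2000/XP.
# This is an assumption made for the example, not an authoritative list.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn",
                "termsrv", "wlballoon", "scecli"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Registry key the thread's CFScript deletes the notify package from.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def triage(log_text):
    """Return (severity, reason, notify_name_or_None, path) for entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            name = m.group("name")
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(("high", "unlisted Winlogon Notify package", name, m.group("path")))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("medium", "service with no publisher", None, m.group("path")))
    return findings


def cfscript(findings, thread_url):
    """Render a CFScript as in the thread: URL line, Registry:: deletions for the
    flagged Notify packages, Collect:: for the DLLs to submit for analysis."""
    reg = [f"[-{NOTIFY_KEY}\\{name}]" for _, _, name, _ in findings if name]
    collect = [path for sev, _, _, path in findings if sev == "high"]
    return "\n".join([thread_url, "", "Registry::", *reg, "Collect::", *collect]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for sev, reason, _, path in found:
        print(f"[{sev}] {reason}: {path}")
    print(cfscript(found, "https://example.invalid/thread"))  # placeholder URL
```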
Old 06-12-2008, 02:24 PM   #20
Aspid

Ok, I'll do this on Sunday when I'm at work, since the PC is there. I'll keep you posted.

Thanks and have a nice weekend.
All times are GMT -7. The time now is 12:25 AM.
Copyright 2001 - 2018, Tech Support Forum