
virus or adware ...

Discussion in 'Malware and Virus Removal Archive' started by prophete, 2007/09/27.

  1. 2007/09/27
    prophete

    prophete Inactive Thread Starter

    Hi,

    I got a virus/spyware...

    I got an X in the notification panel with the message "your computer is infected".
    When I click it, I get "your computer is in danger".

    BraveSentry is installed and I cannot remove it.

    ... please help ....

    This is the HijackThis log

    Thanks a lot,
    llan


    HijackThis
    Logfile of HijackThis v1.99.1
    Scan saved at 07:01, on 2007-09-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Windows\xpupdate.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\BraveSentry\BraveSentry.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
     
  2. 2007/09/27
    noahdfear

    noahdfear Inactive


  4. 2007/09/28
    prophete

    prophete Inactive Thread Starter

    logs required

    Hi, please find the logs. Thanks a lot, llan
    (The next log is in the next thread, since it was too long.)
    --------------------------------------


    Deckard's System Scanner v20070905.67
    Run by i026024 on 2007-09-28 18:57:18
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 4 Restore Point(s) --
    4: 2007-09-28 16:57:34 UTC - RP597 - Deckard's System Scanner Restore Point
    3: 2007-09-28 05:47:14 UTC - RP596 - System Checkpoint
    2: 2007-09-27 00:17:38 UTC - RP595 - System Checkpoint
    1: 2007-09-25 23:57:36 UTC - RP594 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    System Drive C: has 1.87 GiB (less than 15%) free.


    -- HijackThis (run as i026024.exe) ---------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 19:00, on 2007-09-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\i026024\Desktop\dss.exe
    C:\HJT\i026024.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)


    -- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

    backup-20070601-082926-983 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sap.com
    backup-20070601-083853-445 O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmpA.tmp.dll
    backup-20070601-083853-482 O2 - BHO: (no name) - {b2340d3f-9e05-4eba-8151-b872b2d52ef0} - C:\WINDOWS\system32\d3draf.dll
    backup-20070601-083853-865 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    backup-20070606-062337-116 O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe "
    backup-20070606-062337-140 O4 - HKLM\..\Run: [nojehsjs.exe] C:\Documents and Settings\All Users\Application Data\nojehsjs.exe
    backup-20070606-062337-528 O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    backup-20070606-062337-546 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    backup-20070606-062337-626 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    backup-20070606-062337-674 O4 - HKLM\..\Run: [zyngtczm.exe] C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
    backup-20070606-062337-721 O3 - Toolbar: AbsoluteToolbar - {7092FE0A-9993-4a48-8949-619A3C4C76B9} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    backup-20070606-062337-786 O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
    backup-20070606-062337-795 O21 - SSODL: msvcrt64.dll - {09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} - msvcrt64.dll (file missing)
    backup-20070606-062337-809 O4 - HKLM\..\RunOnce: [z_Oudescription] C:\Program Files\SAP\EUS\_OUdescription.exe
    backup-20070606-062337-929 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20070606-062337-930 O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    backup-20070606-062337-941 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20070615-120451-274 O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
    backup-20070615-120451-285 O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\system32\urqpomn.dll (file missing)
    backup-20070615-120451-368 O2 - BHO: (no name) - AutorunsDisabled - (no file)
    backup-20070615-120451-424 O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)
    backup-20070615-120451-460 O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)
    backup-20070615-120451-559 O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
    backup-20070615-120451-691 O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    backup-20070615-120451-890 O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    backup-20070707-021123-386 O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
    backup-20070707-021123-576 O2 - BHO: (no name) - AutorunsDisabled - (no file)
    backup-20070707-021123-603 O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)
    backup-20070707-021123-635 O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    backup-20070707-021123-813 O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)
    backup-20070707-021123-824 O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\system32\urqpomn.dll (file missing)
    backup-20070707-021123-902 O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    backup-20070707-021123-999 O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
    backup-20070716-095024-137 O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    backup-20070716-095024-244 O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)
    backup-20070716-095024-336 O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    backup-20070716-095024-465 O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\system32\urqpomn.dll (file missing)
    backup-20070716-095024-548 O2 - BHO: (no name) - AutorunsDisabled - (no file)
    backup-20070716-095024-640 O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
    backup-20070716-095024-870 O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)
    backup-20070716-095024-998 O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
    backup-20070716-095112-309 O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    backup-20070716-095302-499 O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
    backup-20070716-095302-546 O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    backup-20070716-100127-102 O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    backup-20070718-052119-275 O2 - BHO: (no name) - AutorunsDisabled - (no file)
    backup-20070718-052119-487 O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)
    backup-20070718-052119-564 O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    backup-20070718-052119-749 O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)
    backup-20070718-052119-860 O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>
    R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>
    R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    R3 Eacfilt (Eacfilt Miniport) - c:\windows\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
    R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
    R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys
    R4 black - c:\windows\system32\drivers\blackdrv.sys <Not Verified; Internet Security Systems, Inc.; ICEpac>

    S2 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
    S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
    S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    S3 prepdrvr (SMS Process Event Driver) - c:\windows\system32\ccm\prepdrv.sys <Not Verified; Microsoft Corporation; Systems Management Server>
    S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
    S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
    S3 SANDRA - c:\program files\sisoftware\sisoftware sandra pro home 2007\sandra.sys (file missing)
    S4 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 BlackICE - "c:\program files\iss\isssensors\desktopprotection\blackd.exe" <Not Verified; Internet Security Systems, Inc.; Internet Security Systems Inc. blackd>
    R2 CcmExec (SMS Agent Host) - c:\windows\system32\ccm\ccmexec.exe <Not Verified; Microsoft Corporation; Systems Management Server>
    R2 DNTUS26 (DameWare NT Utilities 2.6) - c:\windows\system32\dntus26.exe <Not Verified; DameWare Development; DameWare Development Remote Command Server>
    R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development; DameWare Development DWRCS>
    R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>

    S2 McAfeeFramework (McAfee Framework Service) - "c:\program files\network associates\common framework\frameworkservice.exe" /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
    S2 Rescue_Account - c:\windows\srvany.exe (file missing)
    S3 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere>
    S3 RapApp - "c:\program files\iss\isssensors\desktopprotection\rapapp.exe" <Not Verified; Internet Security Systems, Inc.; Internet Security Systems, Inc. Rap Protection System>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID:
    Description: Multimedia Controller
    Device ID: PCI\VEN_1105&DEV_8300&SUBSYS_00000000&REV_02\4&3A33F01C&0&48F0
    Manufacturer:
    Name: Multimedia Controller
    PNP Device ID: PCI\VEN_1105&DEV_8300&SUBSYS_00000000&REV_02\4&3A33F01C&0&48F0
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Ralink Turbo Wireless LAN Card
    Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_25611814&REV_00\4&3A33F01C&0&68F0
    Manufacturer: Ralink Technology, Inc.
    Name: Ralink Turbo Wireless LAN Card
    PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_25611814&REV_00\4&3A33F01C&0&68F0
    Service: RT61


    -- Files created between 2007-08-28 and 2007-09-28 -----------------------------

    2007-09-28 18:57:45 0 d-------- C:\Program Files\Trend Micro
    2007-09-27 05:21:46 0 d-------- C:\Program Files\BraveSentry
    2007-09-27 05:21:17 1174840 --a------ C:\Documents and Settings\i026024\Application Data\Install.dat
    2007-09-27 05:21:16 52736 --a------ C:\WINDOWS\xpupdate.exe


    -- Find3M Report ---------------------------------------------------------------

    Nothing modified in this timespan.


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{7092FE0A-9993-4A48-8949-619A3C4C76B9} "= C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll [2006-01-04 15:35 237568]

    [-HKEY_CLASSES_ROOT\CLSID\{7092FE0A-9993-4A48-8949-619A3C4C76B9}]
    [HKEY_CLASSES_ROOT\DBrowser.DBrowserBar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{5141BCBA-3395-4c83-B723-B7BF1FBC9E24}]
    [HKEY_CLASSES_ROOT\DBrowser.DBrowserBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []
    "Windows update loader"="C:\Windows\xpupdate.exe" [2007-05-31 02:58]
    "Brave-Sentry"="C:\Program Files\BraveSentry\BraveSentry.exe" [2007-09-27 05:21]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
    BGinfo.lnk - C:\WINDOWS\Bginfo\Bginfo.exe [2005-06-16 16:04:24]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-10-13 19:41:46]
    Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-10-18 18:59:43]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "Wallpaper"=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)
    "NoActiveDesktop"=0 (0x0)
    "ForceActiveDesktopOn"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDIDL~1\DVDShell.dll [2003-01-29 14:58 40960]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"= C:\WINDOWS\system32\urqpomn.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll 2002-02-15 12:51 24638 C:\WINDOWS\system32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE




    -- End of Deckard's System Scanner: finished at 2007-09-28 19:01:19 ------------
     
  5. 2007/09/28
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    This is the second log (the Deckard's log is in the previous thread).

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:25, on 2007-09-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-20 Startup: Set_IE_Settings.vbs (User 'NETWORK SERVICE')
    O4 - S-1-5-20 Startup: TA_Start.lnk = C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun11.exe (User 'NETWORK SERVICE')
    O4 - S-1-5-18 Startup: Fix_GUI620.vbs (User 'SYSTEM')
    O4 - S-1-5-18 Startup: LoadSAPDefault.lnk = C:\Program Files\SAP\EUS\!startup.vbs (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Set_IE_Settings.vbs (User 'SYSTEM')
    O4 - .DEFAULT Startup: Fix_GUI620.vbs (User 'Default user')
    O4 - .DEFAULT Startup: LoadSAPDefault.lnk = C:\Program Files\SAP\EUS\!startup.vbs (User 'Default user')
    O4 - .DEFAULT Startup: Set_IE_Settings.vbs (User 'Default user')
    O4 - .DEFAULT User Startup: Fix_GUI620.vbs (User 'Default user')
    O4 - .DEFAULT User Startup: LoadSAPDefault.lnk = C:\Program Files\SAP\EUS\!startup.vbs (User 'Default user')
    O4 - .DEFAULT User Startup: Set_IE_Settings.vbs (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)

    --
    End of file - 10151 bytes
     
  6. 2007/09/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt and a fresh Deckard's System Scanner log.
     
  7. 2007/10/04
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    It seems OK in the meanwhile. Thanks!

    Thanks
     
  8. 2007/10/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Is there a reason you didn't post the logs I requested? There may well be leftovers that should be removed as well.
     
