
[Solved] It can happen to anyone

Discussion in 'Malware and Virus Removal Archive' started by yupps, 2008/06/13.

  1. 2008/06/13, yupps (thread starter)
    [Resolved] It can happen to anyone

    Hi guys, great site.
    I'm having a problem with a trojan horse that won't give up.

    Here it is:
    Sytem error
    Attention (my name). Some dangerous trojan horse detected in your system. Microsoft XP files corrupted. Click ok to download antispyware.

    Now, I've seen the last posts and did exactly what they say, but the problem is still there.
    This is the log file from HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:03:02, on 13/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\WINDOWS\system32\RunDll32.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 199.203.106.24 gilat-ex
    O1 - Hosts: 199.203.106.24 mail.gilat.com
    O1 - Hosts: 199.203.106.24 smarthost
    O1 - Hosts: 199.203.106.28 gilat400
    O1 - Hosts: 199.203.209.2 gilat-fw
    O1 - Hosts: 192.115.115.67 gilat02
    O1 - Hosts: 62.0.4.253 gjobs.gilat.com
    O1 - Hosts: 199.203.106.30 gna1
    O1 - Hosts: 199.203.106.30 gna1.gilat.com
    O1 - Hosts: 199.203.106.31 gna2
    O1 - Hosts: 199.203.106.31 gna2.gilat.com
    O1 - Hosts: 199.203.106.32 gna3
    O1 - Hosts: 199.203.106.32 gna3.gilat.com
    O1 - Hosts: 62.0.4.253 sip.gilat.com
    O1 - Hosts: 62.0.4.237 sslvpn.gilat.com
    O2 - BHO: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {AF6C2054-A2AC-4C26-A9A6-24C18233F452} - D:\WINDOWS\system32\iifcyyWM.dll (file missing)
    O2 - BHO: Sigma plugin - {E913BA95-1ADE-4D25-AC0E-E27BD8E1E43D} - D:\WINDOWS\pusant8x.dll
    O2 - BHO: Band Class - {EFAE365E-DB89-4353-A952-EB035103204F} - D:\Program Files\Netex Client\netexa.dll
    O3 - Toolbar: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - D:\Program Files\Netex Client\netextb.dll
    O9 - Extra 'Tools' menuitem: Netex - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - D:\Program Files\Netex Client\netextb.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {49FB2306-47C7-485E-BAA5-66BE3E285DC6} (OpenWorlds X3D/VRML Browser Class) - http://www.openworlds.com/installer/owatl.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    O16 - DPF: {57712586-627E-11D2-B30B-C498B1CB6A7A} (SummitOCX) - http://www.summit3d.com/summitocx.cab
    O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/indualityplugin/indualityplugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164036654359
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
    O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
    O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
    O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe

    --
    End of file - 8007 bytes

    Please help. :(
     
  2. 2008/06/14, Geri
    Hi yupps,
    Welcome to WindowsBBS. :)

    Sorry for the wait, I've been kind of busy here. :rolleyes:

    Did you add all those entries to your hosts file?
    Please let me know.

    Now please do this.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Thanks
    Geri
     

  4. 2008/06/14, yupps (thread starter)
    Hi Geri,

    Thanks a lot. I already fixed the problem using this thread:
    http://www.windowsbbs.com/showthread.php?t=74210

    What I did was fix this item in HijackThis:
    O2 - BHO: Sigma plugin - {7DBF8390-552B-4D55-9F62-00D032032691} - C:\WINDOWS\pasant32.dll

    and delete the pasant32.dll file.

    I also scanned with MBAM again and it's clean.
    I attach a new HijackThis log just to be on the safe side.
    Thanks a lot for your good work; it saved me a lot of headaches. :)

    HijackThis log file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:09:15, on 14/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\WINDOWS\system32\RunDll32.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    D:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\UpsPilot\Winpower.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Google\Gmail Notifier\gnotify.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Babylon\Babylon.exe
    D:\Program Files\Messenger\Msmsgs.exe
    D:\Program Files\Starfield\Desktop Notifier\wben.exe
    C:\PROGRA~1\UpsPilot\monitor.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    C:\PROGRA~1\UpsPilot\wpRMI.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    D:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.netvision.net.il:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 199.203.106.24 gilat-ex
    O1 - Hosts: 199.203.106.24 mail.gilat.com
    O1 - Hosts: 199.203.106.24 smarthost
    O1 - Hosts: 199.203.106.28 gilat400
    O1 - Hosts: 199.203.209.2 gilat-fw
    O1 - Hosts: 192.115.115.67 gilat02
    O1 - Hosts: 62.0.4.253 gjobs.gilat.com
    O1 - Hosts: 199.203.106.30 gna1
    O1 - Hosts: 199.203.106.30 gna1.gilat.com
    O1 - Hosts: 199.203.106.31 gna2
    O1 - Hosts: 199.203.106.31 gna2.gilat.com
    O1 - Hosts: 199.203.106.32 gna3
    O1 - Hosts: 199.203.106.32 gna3.gilat.com
    O1 - Hosts: 62.0.4.253 sip.gilat.com
    O1 - Hosts: 62.0.4.237 sslvpn.gilat.com
    O2 - BHO: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {AF6C2054-A2AC-4C26-A9A6-24C18233F452} - D:\WINDOWS\system32\iifcyyWM.dll (file missing)
    O2 - BHO: Band Class - {EFAE365E-DB89-4353-A952-EB035103204F} - D:\Program Files\Netex Client\netexa.dll
    O3 - Toolbar: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
    O4 - HKCU\..\Run: [DynAdvance Notifier] D:\Program Files\DynAdvance\DynAdvance Notifier\MailNotifier.Exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\Msmsgs.exe" /background
    O4 - HKCU\..\Run: [wben] "D:\Program Files\Starfield\Desktop Notifier\wben.exe "
    O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - D:\Program Files\Netex Client\netextb.dll
    O9 - Extra 'Tools' menuitem: Netex - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - D:\Program Files\Netex Client\netextb.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {49FB2306-47C7-485E-BAA5-66BE3E285DC6} (OpenWorlds X3D/VRML Browser Class) - http://www.openworlds.com/installer/owatl.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    O16 - DPF: {57712586-627E-11D2-B30B-C498B1CB6A7A} (SummitOCX) - http://www.summit3d.com/summitocx.cab
    O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/indualityplugin/indualityplugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164036654359
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
    O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
    O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
    O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe
    O24 - Desktop Component 0: (no name) - file:///D:/DOCUME~1/Lior/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    --
    End of file - 9577 bytes
     
  5. 2008/06/14, Geri
    Hi yupps,
    OK.

    I would still like to know about the hosts file: did you add those entries?

    Also this has shown up; do you know what it is? Desktop background pic maybe?
    O24 - Desktop Component 0: (no name) - file:///D:/DOCUME~1/Lior/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
    If you don't know, then fix it in the step below.

    Please re-open HijackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {AF6C2054-A2AC-4C26-A9A6-24C18233F452} - D:\WINDOWS\system32\iifcyyWM.dll (file missing)
    O24 - Desktop Component 0: (no name) - file:///D:/DOCUME~1/Lior/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg << this one only if you don't know what it is.


    Now close all windows other than HijackThis, then click Fix Checked.

    Close HJT.

    Reboot your computer.

    Now run an online scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional; if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Please do an online scan with Kaspersky WebScanner.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click "Scan Report" on the left side.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
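The triage Geri does by eye in the post above (the two O2 BHO entries whose DLL no longer exists, and the O24 desktop component pointing at a file under Temp) is easy to script once you know which HijackThis entry types to look at. The block below is an added example, not code from the thread or from HijackThis itself: it parses HijackThis-format lines and flags orphaned O2/O3 modules, BHO DLLs sitting directly in the Windows directory (the "Sigma plugin" from the first log), and O4/O24 targets under a Temp directory. The SAMPLE_LOG lines are excerpted from the two logs posted above, except the `[svchost]` O4 line, which is constructed to show an autorun entry launching from Temp; the heuristics and the `Finding`/`triage`/`flagged_sections` names are my own.

```python
"""Flag the HijackThis entry types that matter in this thread.

Added example, not part of the WindowsBBS thread and not HijackThis code.
Heuristics are the author's own: orphaned O2/O3 modules, BHO DLLs sitting
directly in %WINDIR%, and O4/O24 targets living under a Temp directory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the logs in the thread. The [svchost] O4 line is CONSTRUCTED
# for this example (it is not in the original logs) to show an autorun
# entry launched from a Temp directory.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AF6C2054-A2AC-4C26-A9A6-24C18233F452} - D:\WINDOWS\system32\iifcyyWM.dll (file missing)
O2 - BHO: Sigma plugin - {E913BA95-1ADE-4D25-AC0E-E27BD8E1E43D} - D:\WINDOWS\pusant8x.dll
O3 - Toolbar: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] D:\DOCUME~1\Lior\LOCALS~1\Temp\svchost.exe
O24 - Desktop Component 0: (no name) - file:///D:/DOCUME~1/Lior/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

_ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")           # "O2 - rest of line"
_TEMP_RE = re.compile(r"[\\/]Temp[\\/]", re.IGNORECASE)       # ...\Temp\... or .../Temp/...
_WINROOT_DLL_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)  # DLL directly in %WINDIR%


@dataclass
class Finding:
    section: str   # e.g. "O2"
    line: str      # the original log line
    reason: str    # why it was flagged


def _module_path(line: str) -> str:
    """O2/O3 lines end with ' - <path>' (or '(no file)'); return that last field."""
    return line.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)

        if section in ("O2", "O3"):
            target = _module_path(line)
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding(section, line,
                                        "registered module whose DLL is gone: orphaned CLSID, safe to fix"))
            elif _WINROOT_DLL_RE.match(target):
                findings.append(Finding(section, line,
                                        "BHO DLL sits directly in the Windows directory, not where legitimate add-ons install"))

        elif section == "O4":
            # body looks like "HKLM\..\Run: [Name] command line"
            command = body.split("] ", 1)[-1]
            if _TEMP_RE.search(command):
                findings.append(Finding(section, line, "autorun entry launching from a Temp directory"))

        elif section == "O24" and _TEMP_RE.search(body):
            findings.append(Finding(section, line,
                                    "Active Desktop component pointing at a Temp file; fix unless you recognise it"))
    return findings


def flagged_sections(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section, for a one-line summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(flagged_sections(results))
```

Run it against a saved HijackThis log by passing the file contents to `triage()`. The heuristics are deliberately narrow: a clean O2 entry in Program Files, or a vendor's rundll32 autorun from System32, produces nothing, so anything printed deserves a look rather than an automatic "Fix Checked".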
  6. 2008/06/15, yupps (thread starter)
    Hi Geri,

    I'm sorry, but I don't understand what the hosts file is, so I can't answer your question.
    I did as you recommended and fixed the two entries using HijackThis.
    The clip_image002.jpg is something I know, so that's OK.
    Many thanks for your help.


    Here is the Kaspersky log:

    Sunday, June 15, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, June 14, 2008 20:47:24
    Records in database: 863969


    Scan settings
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area: My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan statistics
    Files scanned: 169270
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 02:55:21

    File name: C:\1.exe
    Threat name: Infected: Trojan-Downloader.Win32.Delf.jbz
    Threats count: 1

    The selected area was scanned.
     
  7. 2008/06/15, Geri
    Hi yupps,

    These are in your hosts file.

    O1 - Hosts: 199.203.106.24 gilat-ex
    O1 - Hosts: 199.203.106.24 mail.gilat.com
    O1 - Hosts: 199.203.106.24 smarthost
    O1 - Hosts: 199.203.106.28 gilat400
    O1 - Hosts: 199.203.209.2 gilat-fw
    O1 - Hosts: 192.115.115.67 gilat02
    O1 - Hosts: 62.0.4.253 gjobs.gilat.com
    O1 - Hosts: 199.203.106.30 gna1
    O1 - Hosts: 199.203.106.30 gna1.gilat.com
    O1 - Hosts: 199.203.106.31 gna2
    O1 - Hosts: 199.203.106.31 gna2.gilat.com
    O1 - Hosts: 199.203.106.32 gna3
    O1 - Hosts: 199.203.106.32 gna3.gilat.com
    O1 - Hosts: 62.0.4.253 sip.gilat.com
    O1 - Hosts: 62.0.4.237 sslvpn.gilat.com

    Do you know what any of those websites are?

    Because of the infection that Kaspersky turned up we need to run another tool.

    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not click in ComboFix's window while it's running; that may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - ComboFix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal and increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the ComboFix log. Let me know about those sites.

    Thanks
    Geri
     
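Geri's repeated question about the O1 lines (asked first in post 2 and again in the post above) comes down to: which hosts file entries are not the Windows default, and do any of them hijack a name you care about? The block below is an added example, not the thread's or any tool's code. It parses a Windows hosts file, separates the default loopback entry from custom mappings, and flags entries that point security or update domains at loopback, 0.0.0.0 or some other address, the usual way malware stops a victim fetching updates or removal tools. SAMPLE_HOSTS mixes a few of the gilat.com entries from the log above with three constructed lines (the windowsupdate.com, avira.com and update.microsoft.com mappings) that are not in the thread; PROTECTED_SUFFIXES is an illustrative list of my own, not a vendor standard, and the verdict strings are likewise my own.

```python
"""Audit a Windows hosts file: list non-default mappings, flag hijacks.

Added example, not from the WindowsBBS thread. The verdict strings and the
PROTECTED_SUFFIXES list are the author's own choices for illustration.
"""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Names that ship in the default Windows hosts file mapped to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative list (an assumption, not a standard): domains malware commonly
# nulls out or redirects so the victim cannot fetch updates or tools.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "avira.com",
    "malwarebytes.org",
    "kaspersky.com",
)

# Constructed sample: the gilat.com lines are from the HijackThis log in the
# thread; the last three lines are CONSTRUCTED to show the hijack pattern.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
199.203.106.24  gilat-ex mail.gilat.com smarthost
62.0.4.237      sslvpn.gilat.com
127.0.0.1       www.windowsupdate.com    # constructed
0.0.0.0         dl.avira.com             # constructed
203.0.113.5     update.microsoft.com     # constructed
"""


def _is_protected(name: str) -> bool:
    """True if name equals, or is a subdomain of, a protected suffix."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str) -> Iterator[Tuple[int, object, str]]:
    """Yield (line_no, ip, hostname) for every mapping; comments and junk skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not "IP name..."; ignore
        for name in fields[1:]:                   # one line may map several names
            yield n, ip, name.lower()


def classify(ip, name: str) -> str:
    """Verdict for one mapping."""
    if name in DEFAULT_LOOPBACK_NAMES and ip.is_loopback:
        return "default"
    if _is_protected(name):
        if ip.is_loopback or ip.is_unspecified:
            return "blocks security/update domain"
        return "redirects security/update domain"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked name"          # sinkholed; fine for ad hosts, still check it
    if ip.is_private:
        return "local override"        # lab/intranet mapping
    return "custom, public IP"         # like the gilat entries: confirm with the owner


def audit(text: str) -> List[Dict]:
    """Classify every mapping in the file; 'suspicious' marks the hijack verdicts."""
    report = []
    for n, ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        report.append({
            "line": n, "ip": str(ip), "name": name, "verdict": verdict,
            "suspicious": verdict.startswith(("blocks", "redirects")),
        })
    return report


if __name__ == "__main__":
    for e in audit(SAMPLE_HOSTS):
        flag = "!!" if e["suspicious"] else "  "
        print(f"{flag} line {e['line']:>2}: {e['ip']:<15} {e['name']:<24} {e['verdict']}")
```

On a real machine read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `audit()`. Entries such as the gilat ones come back as "custom, public IP": not malicious on their face, but exactly the kind of mapping the owner should recognise, which is why Geri kept asking.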
  8. 2008/06/15, yupps (thread starter)
    Hi Geri,

    The hosts file entries are something very old that I don't need anymore. However, after running ComboFix they disappeared, so I guess it's OK.

    Thanks.

    This is the ComboFix log file:

    ComboFix 08-06-12.2 - Lior 06/15/2008 9:24:33.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.663 [GMT 3:00]
    Running from: D:\Documents and Settings\Lior\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\Documents and Settings\Lior\Application Data\macromedia\Flash Player\#SharedObjects\97WUGYQB\iforex.com
    D:\Documents and Settings\Lior\Application Data\macromedia\Flash Player\#SharedObjects\97WUGYQB\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
    D:\Documents and Settings\Lior\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
    D:\Documents and Settings\Lior\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
    D:\WINDOWS\system32\sysmwwod.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_narqwe


    ((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-15 06:30 --------- d-----w D:\Program Files\Babylon
    2008-06-14 18:38 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-14 17:03 --------- d-----w D:\Program Files\Java
    2008-06-14 17:01 --------- d-----w D:\Program Files\Common Files\Java
    2008-06-14 16:12 --------- d-----w D:\Program Files\MP3 WAV WMA Converter
    2008-06-13 16:34 --------- d-----w D:\Program Files\Panda Security
    2008-06-13 14:50 --------- d-----w D:\Program Files\Alwil Software
    2008-06-13 13:37 --------- d-----w D:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-06-13 12:54 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
    2008-06-13 12:54 --------- d-----w D:\Documents and Settings\Lior\Application Data\Malwarebytes
    2008-06-13 12:54 --------- d-----w D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 12:34 --------- d-----w D:\Program Files\eMule
    2008-06-13 11:46 --------- d-----w D:\Program Files\Trend Micro
    2008-06-10 16:02 34,296 ----a-w D:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-10 16:02 15,864 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
    2008-06-10 09:13 --------- d-----w D:\Documents and Settings\Lior\Application Data\AdobeUM
    2008-06-08 14:42 --------- d-----w D:\Program Files\Unity
    2008-06-08 13:52 --------- d-----w D:\Program Files\MagicISO
    2008-06-02 13:20 34,536 ----a-w D:\Documents and Settings\Lior\Application Data\GDIPFONTCACHEV1.DAT
    2008-06-01 13:16 --------- d-----w D:\Documents and Settings\Lior\Application Data\Blender Foundation
    2008-06-01 13:15 --------- d-----w D:\Program Files\Blender Foundation
    2008-06-01 13:15 --------- d-----w D:\Documents and Settings\All Users\Application Data\Blender Foundation
    2008-05-29 11:26 --------- d-----w D:\Program Files\Starfield
    2008-05-27 11:42 --------- d-----w D:\Documents and Settings\Lior\Application Data\Pelican Crossing, Inc
    2008-05-27 11:41 --------- d-----w D:\Program Files\Pelican Crossing
    2008-05-26 13:40 --------- d-----w D:\Documents and Settings\Lior\Application Data\Pelican Crossing
    2008-05-25 15:37 --------- d-----w D:\Program Files\Motherboard Monitor 5
    2008-05-23 12:16 --------- d-----w D:\Documents and Settings\Lior\Application Data\3B
    2008-05-22 16:13 --------- d-----w D:\Program Files\Bitmanagement Software
    2008-05-22 07:25 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-22 07:24 --------- d-----w D:\Program Files\Lavasoft
    2008-05-22 07:22 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
    2008-05-22 07:19 --------- d-----w D:\Documents and Settings\Lior\Application Data\Lavasoft
    2008-05-20 10:19 --------- d-----w D:\Program Files\Microsoft Silverlight
    2008-05-19 10:53 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-05-19 10:53 --------- d-----w D:\Program Files\Common Files\InstallShield
    2008-05-19 09:34 --------- d-----w D:\Program Files\3B
    2008-05-14 09:40 --------- d-----w D:\Program Files\GeneratorWeb Develop
    2008-05-11 14:27 --------- d-----w D:\Program Files\Kinset
    2008-05-11 09:03 --------- d-----w D:\Program Files\FTP Commander
    2008-05-08 12:28 202,752 ----a-w D:\WINDOWS\system32\drivers\rmcast.sys
    2008-04-30 19:41 --------- d-----w D:\Program Files\SecondLife
    2008-04-29 08:20 15,648 ----a-w D:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 08:19 15,648 ----a-w D:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 08:19 12,960 ----a-w D:\WINDOWS\system32\drivers\Awrtpd.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM 15360]
    "Babylon Translator "= "D:\Program Files\Babylon\Babylon.exe" [02/08/2001 04:38 PM 1744896]
    "DynAdvance Notifier "= "D:\Program Files\DynAdvance\DynAdvance Notifier\MailNotifier.Exe" [ ]
    "wben "= "D:\Program Files\Starfield\Desktop Notifier\wben.exe" [11/06/2007 02:12 PM 312024]
    "updateMgr "= "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "D:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM 7700480]
    "nwiz "= "nwiz.exe" [10/22/2006 01:22 PM 1622016 D:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "D:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 01:22 PM 86016]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2} "= "D:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 12:48 AM 479232]
    "QuickTime Task "= "D:\Program Files\QuickTime\qttask.exe" [06/24/2006 07:16 PM 282624]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Winpower "= "C:\Program Files\UpsPilot\Winpower.exe" [02/19/2007 05:44 PM 112640]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 03:00 PM 15360]
    "Nokia.PCSync "= "D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/07/2007 06:35 PM 1294336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FolderGuard]
    D:\Program Files\Folder Guard Pro XP\FGuard32.dll 05/23/1771 02:25 PM 696320 D:\Program Files\Folder Guard Pro XP\FGuard32.dll

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Tray Application.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Tray Application.lnk
    backup=D:\WINDOWS\pss\Tray Application.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    --a------ 08/22/2004 06:05 PM 81920 D:\Program Files\D-Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]
    --a------ 08/27/2004 12:43 AM 56320 D:\WINDOWS\system32\DeltTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    D:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 02/23/2006 05:45 PM 278528 D:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Delta Taskbar Icon]
    --a------ 08/27/2004 12:43 AM 56320 D:\WINDOWS\System32\DeltTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 10/13/2004 07:24 PM 1694208 D:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 07/09/2001 12:50 PM 155648 D:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
    D:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    --a------ 12/10/2007 11:12 AM 695808 D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 06/24/2006 07:16 PM 282624 D:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "D:\\Program Files\\hebMule\\eMule.exe "=
    "D:\\Program Files\\eMule\\emule.exe "=
    "D:\\Program Files\\iTunes\\iTunes.exe "=
    "D:\\Program Files\\QuickTime\\QuickTimePlayer.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "D:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "D:\\Program Files\\MSN Messenger\\livecall.exe "=
    "D:\\Program Files\\SecondLife\\SLVoice.exe "=
    "D:\\Program Files\\3DGPAi1\\Emaga6\\tge.exe "=
    "D:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4662:TCP "= 4662:TCP:Emule--
    "4672:UDP "= 4672:UDP:Emule----

    R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [05/16/2008 02:20 AM]
    R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [05/16/2008 02:16 AM]
    R2 FGUARD32;FGUARD32;D:\Program Files\Folder Guard Pro XP\FGUARD32.SYS [05/23/1771 02:25 PM]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-15 09:30:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\PROGRA~1\UpsPilot\Winpower.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\UpsPilot\monitor.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    C:\PROGRA~1\UpsPilot\wpRMI.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    .
    **************************************************************************
    .
    Completion time: 06/15/2008 9:37:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-15 06:36:23

    Pre-Run: 45,305,155,584 bytes free
    Post-Run: 45,454,008,320 bytes free

    187 --- E O F --- 2008-06-11 00:11:20


    This is the HijackThis log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:58:54, on 15/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\RunDll32.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    D:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\UpsPilot\Winpower.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\UpsPilot\monitor.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Babylon\Babylon.exe
    D:\Program Files\Starfield\Desktop Notifier\wben.exe
    C:\PROGRA~1\UpsPilot\wpRMI.exe
    C:\Program Files\UpsPilot\jre\bin\javaw.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\Program Files\Alwil Software\Avast4\ashDisp.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.netvision.net.il:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Band Class - {EFAE365E-DB89-4353-A952-EB035103204F} - D:\Program Files\Netex Client\netexa.dll
    O3 - Toolbar: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - D:\Program Files\Netex Client\netextb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
    O4 - HKCU\..\Run: [DynAdvance Notifier] D:\Program Files\DynAdvance\DynAdvance Notifier\MailNotifier.Exe
    O4 - HKCU\..\Run: [wben] "D:\Program Files\Starfield\Desktop Notifier\wben.exe "
    O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - D:\Program Files\Netex Client\netextb.dll
    O9 - Extra 'Tools' menuitem: Netex - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - D:\Program Files\Netex Client\netextb.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {49FB2306-47C7-485E-BAA5-66BE3E285DC6} (OpenWorlds X3D/VRML Browser Class) - http://www.openworlds.com/installer/owatl.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    O16 - DPF: {57712586-627E-11D2-B30B-C498B1CB6A7A} (SummitOCX) - http://www.summit3d.com/summitocx.cab
    O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/indualityplugin/indualityplugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164036654359
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL...-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
    O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
    O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
    O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe
    O24 - Desktop Component 0: (no name) - file:///D:/DOCUME~1/Lior/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    --
    End of file - 9209 bytes
     
  9. 2008/06/15
    Geri
    Hi
    OK, what is your C:\ drive? Because that is where Kaspersky located the infection.

    We will need to move Combofix to that drive and run it also, but before you do, let me know what your C drive is and what you use it for.

    Thanks
    Geri
     
  10. 2008/06/15
    yupps
    Geri,

    I have two operating systems:
    The first one is located on the D: drive and is used for internet and office stuff.
    The second is located on C: and is used for music creation. This OS does not have networking ability, and most of the Windows utilities are disabled in order to enhance performance.

    Thanks
     
  11. 2008/06/15
    Geri
    Hi
    OK, well Trojan-Downloader.Win32.Delf.jbz 1 can be a nasty infection.

    If you don't wish to run combofix on that drive, I would at least go in and delete this file.
    C:\1.exe

    I'll look through your CF log that you posted and let you know what else needs to be done.

    Geri
     
  12. 2008/06/16
    yupps
    Hi Geri,

    Well, I did run the combofix on drive C: and the 1.exe has disappeared.
    Is my computer clean now?

    Many thanks :)
     
  13. 2008/06/16
    Geri
    Hi yupps
    Let's get one more Kaspersky scan to make sure.

    Thanks
    Geri
     
  14. 2008/06/17
    yupps
    Ok Geri,

    It's all clean. Thank you very, very much for the help. Saved me big troubles.
     
  15. 2008/06/17
    Geri
    Hi yupps
    OK That's good to hear.
    Glad I could help out. :)

    Please look at this link for some preventive recommendations; it could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
