
Help remove virus drivecleaner and more...

Discussion in 'Malware and Virus Removal Archive' started by prophete, 2007/05/31.

Thread Status:
Not open for further replies.
  1. 2007/06/13
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    log and avenger

    I don't have Avenger installed (just the directory in C:, and it is empty).

    The HJT log is posted in the previous answer, after the ComboFix log.

    thanks
    llan
     
  2. 2007/06/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    No, that's a start up log, I need the normal HJT log please.
     


  4. 2007/06/13
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Sorry, but where do I get this log in the HJT tool?

    thanks
    llan
     
  5. 2007/06/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Open HJT then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'.

    Paste this new log into your next reply.
     
  6. 2007/06/14
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    log of Hjt

    Thanks
    llan

    Logfile of HijackThis v1.99.1
    Scan saved at 22:40, on 2007-06-14
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\system32\urqpomn.dll (file missing)
    O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)
    O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
    O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
     
  7. 2007/06/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, it looks like we have one more remaining, and we'll use a secondary type of deletion method to get it.

    First:
    Please follow these instructions exactly for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop nor in any temp folders.

    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

    Then download Unlocker.

    Follow the prompts to install.

    Once installed, reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then locate this file:
    wuauclt3.exe
    Right-click it and select 'Unlocker'
    In the window that appears select 'Unlock All'
    In the drop down menu select 'delete'.

    While still in 'Safe Mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O2 - BHO: (no name) - AutorunsDisabled - (no file)

    O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\system32\urqpomn.dll (file missing)

    O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)

    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)

    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)


    O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe


    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)



    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  8. 2007/07/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    prophete, I'm sorry but I accidentally deleted your last post, apologies for that, can you please post a new set of logs, thanks.
     
  9. 2007/07/15
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    new logs

    Hi,

    For some reason, files such as wuauclt3.exe stay in the log.
    I didn't find the file in the file explorer (even after showing hidden files).

    Please find the logs below.

    Thanks,
    llan

    1. CF
    "i026024" - 2007-07-16 10:23:00 Service Pack 2 NTFS [SAFE MODE]
    ComboFix 07-06-3B - Running from: "C:\Documents and Settings\i026024\Desktop\ "


    ((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


    2007-07-16 10:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
    2007-07-16 10:08 <DIR> d-------- C:\Program Files\Security Task Manager


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-08 20:20:42 3,888 ----a-w C:\WINDOWS\system32\drivers\NTHANDLE.SYS
    2007-06-06 08:01:24 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-06 07:55:25 -------- d-----w C:\Program Files\MSXML 4.0
    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 19:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {1C39007B-60D0-45F5-AD06-FED06D92A249}=C:\WINDOWS\system32\mllkj.dll []
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xkoobwyg.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI "= "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant "= "C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload "= "C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck "= "wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector] "= "C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3 "= "wuauclt3.exe" []
    "UnlockerAssistant "= "C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 20:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate "= "C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents "=1 (0x1)
    "NoMSAppLogo5ChannelNotify "=0 (0x0)
    "NoToolbarCustomize "=0 (0x0)
    "NoBandCustomize "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoRecentDocsMenu "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "ClearRecentDocsOnExit "=0 (0x0)
    "NoLogoff "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoFileMenu "=0 (0x0)
    "EnforceShellExtensionSecurity "=0 (0x0)
    "LinkResolveIgnoreLinkInfo "=0 (0x0)
    "NoNetConnectDisconnect "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoPrinterTabs "=0 (0x0)
    "Btn_Back "=0 (0x0)
    "Btn_Forward "=0 (0x0)
    "Btn_Stop "=0 (0x0)
    "Btn_Refresh "=0 (0x0)
    "Btn_Home "=0 (0x0)
    "Btn_Search "=0 (0x0)
    "Btn_History "=0 (0x0)
    "Btn_Favorites "=0 (0x0)
    "Btn_Media "=0 (0x0)
    "Btn_Folders "=0 (0x0)
    "Btn_Fullscreen "=0 (0x0)
    "Btn_Tools "=0 (0x0)
    "Btn_MailNews "=0 (0x0)
    "Btn_Size "=0 (0x0)
    "Btn_Print "=0 (0x0)
    "Btn_Edit "=0 (0x0)
    "Btn_Discussions "=0 (0x0)
    "Btn_Cut "=0 (0x0)
    "Btn_Copy "=0 (0x0)
    "Btn_Paste "=0 (0x0)
    "Btn_Encoding "=0 (0x0)
    "Btn_PrintPreview "=0 (0x0)
    "NoActiveDesktopChanges "=0
    "NoClose "=0
    "NoSetFolders "=0
    "NoViewContextMenu "=0 (0x0)
    "NoSaveSettings "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429} "= "C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3} "= "C:\WINDOWS\system32\urqpomn.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE "= "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-16 10:53:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-16 10:54:36
    C:\ComboFix-quarantined-files.txt ... 2007-07-16 10:54
    C:\ComboFix2.txt ... 2007-07-07 03:00
    C:\ComboFix3.txt ... 2007-06-13 08:26

    --- E O F ---



    HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:38, on 2007-07-16
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\explorer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)
    O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
    O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
     
  10. 2007/07/16
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's get a fresh version of SDFix from the same link I provided earlier. There have been numerous updates since we started this, 6 weeks ago.

    Run it and post the log. I have a sneaky feeling it's going to find a couple of items which perhaps were not in its target database.

    Once it has run its course, run HJT again and if any of the following are found, please do as instructed below.

    Click the 'Start' button, select 'Run' and type 'cmd' then hit 'enter'. This will bring up the command prompt. At the prompt, type the following bolded, hitting 'Enter' after each:
    sc stop msitsk
    sc delete msitsk

    sc stop WinShr
    sc delete WinShr

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O2 - BHO: (no name) - AutorunsDisabled - (no file)

    O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\WINDOWS\system32\mllkj.dll (file missing)

    O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll

    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)

    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\xkoobwyg.dll (file missing)


    O4 - HKLM\..\Run: [wuauclt3] wuauclt3.exe


    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    O23 - Service: Windows Scheduler ( WinShr ) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)


    Reboot, post a new HJT log back into this thread along with the SDFix log and advise of any ongoing or new problems.
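    An added example (not from this thread or from TeMerc) of how a helper can triage an HJT log before giving instructions like the ones above. It is Python, it assumes the HijackThis line formats seen in this thread (O2/O4/O23 entries, the "(file missing)" and "(no file)" markers), and the sample log is constructed from a few of the entries posted above rather than read from a file. It flags orphaned autostart entries, services with no vendor, a Run value that names a bare executable, and a system binary name (svchost.exe) living outside System32, then builds the same `sc stop` / `sc delete` pairs a helper would post for the orphaned services.

```python
"""Triage HijackThis (HJT) log lines for orphaned and suspicious autostart entries."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on a few entries from the thread (not the full log).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {1C39007B-60D0-45F5-AD06-FED06D92A249} - C:\\WINDOWS\\system32\\mllkj.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [wuauclt3] wuauclt3.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: Application Event (msitsk) - Unknown owner - C:\\WINDOWS\\svchost.exe (file missing)
O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\\WINDOWS\\system32\\netsrv.exe (file missing)
"""

MISSING_MARKERS = ("(file missing)", "(no file)")
# O23 - Service: <display name> (<service key name>) - <owner> - <binary path>
# HJT prints the "(key name)" part only when it differs from the display name.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str      # "orphan", "unknown-owner", "bare-name" or "wrong-dir"
    service: str   # service key name for O23 entries, "" otherwise
    line: str
    reason: str


def _strip_marker(path: str) -> str:
    """Remove HJT's trailing '(file missing)' / '(no file)' annotation from a path."""
    for marker in MISSING_MARKERS:
        if path.endswith(marker):
            path = path[: -len(marker)].rstrip()
    return path


def _first_executable(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        short = (svc.group("short") or svc.group("display")) if svc else ""
        # Any autostart whose target no longer exists is dead at best and the
        # leftover of a partial removal at worst: it should be cleaned out.
        if any(line.endswith(marker) for marker in MISSING_MARKERS):
            findings.append(Finding("orphan", short, line, "target file does not exist"))
        if svc:
            path = _strip_marker(svc.group("path"))
            if svc.group("owner") == "Unknown owner":
                findings.append(Finding("unknown-owner", short, line,
                                        "service binary carries no vendor information"))
            base = ntpath.basename(path).lower()
            parent = ntpath.basename(ntpath.dirname(path)).lower()
            if base == "svchost.exe" and parent != "system32":
                findings.append(Finding("wrong-dir", short, line, "svchost.exe outside System32"))
            continue
        run = RUN_RE.match(line)
        if run:
            exe = _first_executable(run.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding("bare-name", "", line,
                                        "Run value names a bare file resolved by path search"))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Build the 'sc stop' / 'sc delete' pairs for orphaned services, as posted in the thread."""
    cmds: List[str] = []
    seen = set()
    for f in findings:
        if f.kind == "orphan" and f.service and f.service not in seen:
            seen.add(f.service)
            cmds.append(f"sc stop {f.service}")
            cmds.append(f"sc delete {f.service}")
    return cmds


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.reason}: {f.line}")
    print("\n".join(remediation_commands(results)))
```

    The "(file missing)" marker is the cheapest signal in an HJT log: a service or BHO that still has a registry entry but no binary is either a scanner's leftover or a loader that was pulled but not unregistered, which is exactly why the thread pairs `sc delete` with the HJT 'Fix checked' step. The bare-name and wrong-directory checks catch the two entries above (`wuauclt3.exe`, `C:\WINDOWS\svchost.exe`) that imitate legitimate Windows names without living where the real ones do.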
     
  11. 2007/07/18
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    new logs..

    Hi,

    It seems to be better now

    please find the logs below
    (BTW - I am still offline - I do not connect to the net until you tell me so.. ;-) )

    what next ?

    Thanks,
    Ilan


    SDFix: Version 1.91

    Run by i026024 on 2007-07-17 at 19:46

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\HJT\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing SharedAccess Service

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\Documents and Settings\LocalService\Local Settings\Temp\1.dllb - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\2.dllb - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\5.dllb - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\6.dllb - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\7.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\1.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\2.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\5.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\6.dllb - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\7.dllb - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun1.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun10.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun4.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun5.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun6.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun7.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun8.exe - Deleted
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun9.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun1.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun10.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun11.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun12.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun13.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun14.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun15.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun16.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun17.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun18.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun2.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun4.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun6.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun7.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun8.exe - Deleted
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun9.exe - Deleted
    C:\WINDOWS\system32\help.txt - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "

    Remaining Files:
    ---------------

    Backups Folder: - C:\HJT\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Program Files\DominateGame\Setup.exe
    C:\Program Files\Picasa2\setup.exe
    C:\Documents and Settings\i026024\My Documents\~WRL0003.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0005.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0148.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0223.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0398.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0586.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0700.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL0778.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL1247.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL1372.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL1468.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL1607.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL1744.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL2847.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL2896.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL3104.tmp
    C:\Documents and Settings\i026024\My Documents\~WRL3232.tmp
    C:\WINDOWS\system32\config\default.tmp.LOG
    C:\WINDOWS\system32\config\SAM.tmp.LOG
    C:\WINDOWS\system32\config\SECURITY.tmp.LOG
    C:\WINDOWS\system32\config\software.tmp.LOG
    C:\WINDOWS\system32\config\system.tmp.LOG

    Finished




    Logfile of HijackThis v1.99.1
    Scan saved at 05:26, on 2007-07-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\HijackThis.exe
    C:\Program Files\Security Task Manager\TaskMan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
     
  12. 2007/07/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, everything looks good, but I have one question about 'Security Task Manager'. Did you install this application? If so we are done.

    Let me know.
     
  13. 2007/07/19
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Security task manager

    Yes, I installed it but I removed it after sending you the logs.

    I will connect to the internet and see if I am OK.

    THANKS A LOT FOR YOUR HELP AND PATIENCE !!!!!!!!!!!!!!!!!!

    llan
     
  14. 2007/07/19
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, I'll leave this thread open until I get the 'all is good' report.
     
  15. 2007/08/16
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Working !!!!!!!!!!

    Thank you very much!!

    It works until now ;-)
    I still have another small problem, but a different one, therefore I will open a different thread on it.

    THANKS AGAIN !
    llan
     
  16. 2007/08/16
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance.

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     