Tech Support Guy Forums: Security & Malware Removal > Malware Removal & HijackThis Logs

#1 pons (Senior Member, 358 posts, joined Nov 2001, Israel), 26-Nov-2006, 01:01 PM
HJT log. Problems
Hi, I'm having problems with something hijacking my home page, Yahoo, and trying to open 5 different ones.
When typing an address from Run I get an "application not found" message.
Shortcuts that I had now can't be opened.

Typing a URL from an open window, Yahoo for example, will get me to the address without any problem.

I run WinXP Pro with SP2, currently updated. I already did a scan with Ad-Aware, Spybot and Ewido. Things that I found got fixed, but apparently I didn't find everything, or whatever it is just returns.

Here is my HJT log. There are many Hosts-file entries, but that is because I'm on a LAN sharing a network.
Thank you in advance. sebastian pons

Logfile of HijackThis v1.99.1
Scan saved at 19:45:50, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\include\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://zzz.uv.ro/adver.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zzz.uv.ro/adver.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://zzz.uv.ro/adver.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://zzz.uv.ro/adver.html/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micro$oft IE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run=c:\windows\system32\include\svchost.exe
O1 - Hosts: 3.3.4.99 rotem-fr
O1 - Hosts: 40.1.1.12 mpl-natalie
O1 - Hosts: 40.1.1.13 mpl-alex
O1 - Hosts: 40.1.1.250 mpl-ibm
O1 - Hosts: 20.20.20.27 silver27
O1 - Hosts: 20.20.20.250 silverbyte
O1 - Hosts: 172.16.0.1 yotvata-router
O1 - Hosts: 172.16.0.103 pserver2
O1 - Hosts: 172.16.0.104 yt-pserver4
O1 - Hosts: 172.16.0.105 Yt-pserver5
O1 - Hosts: 172.16.0.106 pserver-binyan1
O1 - Hosts: 172.16.0.107 pserver-binyan2
O1 - Hosts: 172.16.0.112 yotvata-nt
O1 - Hosts: 172.16.0.112 yotvata
O1 - Hosts: 172.16.0.113 yotvata-ts
O1 - Hosts: 172.16.0.114 yotvata-ts2
O1 - Hosts: 172.16.0.117 yotvata-office
O1 - Hosts: 172.16.0.118 yotvata-office2
O1 - Hosts: 172.16.0.119 tourism-office
O1 - Hosts: 172.16.0.120 shaon-psyco
O1 - Hosts: 172.16.0.179 yt-studio
O1 - Hosts: 172.16.0.175 yt-gadash
O1 - Hosts: 172.16.0.177 yt-costs
O1 - Hosts: 172.16.0.180 yt-restaurant
O1 - Hosts: 172.16.0.181 yt-cashier2
O1 - Hosts: 172.16.0.182 yt-cashier1
O1 - Hosts: 172.16.0.183 yt-cashier3
O1 - Hosts: 172.16.0.184 yt-cashier4
O1 - Hosts: 172.16.0.185 yt-cashier5
O1 - Hosts: 172.16.0.186 yt-cashier6
O1 - Hosts: 172.16.0.187 yt-cashier7
O1 - Hosts: 172.16.0.188 yt-cashier8
O1 - Hosts: 172.16.0.190 yt-flight
O1 - Hosts: 172.16.0.191 yt-minimarket1
O1 - Hosts: 172.16.0.192 yt-minimarket2
O1 - Hosts: 172.16.0.193 yt-minimarket3
O1 - Hosts: 172.16.0.195 yotvata-dates
O1 - Hosts: 172.16.0.196 yt-archive
O1 - Hosts: 172.16.0.197 yt-garage
O1 - Hosts: 172.16.0.198 yt-welding
O1 - Hosts: 172.16.0.199 yt-yotitext
O1 - Hosts: 172.16.0.200 yotvata-miznon
O1 - Hosts: 172.16.0.201 yt-gizbar
O1 - Hosts: 172.16.0.202 yt-erez
O1 - Hosts: 172.16.0.203 yt-atzmon
O1 - Hosts: 172.16.0.204 yt-construction
O1 - Hosts: 172.16.0.205 yt-ira
O1 - Hosts: 172.16.0.206 yt-lena
O1 - Hosts: 172.16.0.207 yt-arie
O1 - Hosts: 172.16.0.208 yt-orit
O1 - Hosts: 172.16.0.209 yt-felicia
O1 - Hosts: 172.16.0.210 yt-capon
O1 - Hosts: 172.16.0.211 yt-tirza
O1 - Hosts: 172.16.0.212 yt-sec2
O1 - Hosts: 172.16.0.213 yt-malka
O1 - Hosts: 172.16.0.214 yt-mp
O1 - Hosts: 172.16.0.216 yt-naomi
O1 - Hosts: 172.16.0.217 yt-secretary
O1 - Hosts: 172.16.0.219 yt-services
O1 - Hosts: 172.16.0.220 yt-manager
O1 - Hosts: 172.16.0.221 yt-electricity
O1 - Hosts: 172.16.0.222 yt-economy
O1 - Hosts: 172.16.0.223 yt-clinic
O1 - Hosts: 172.16.0.224 yt-wm
O1 - Hosts: 172.16.0.226 yt-warehouse
O1 - Hosts: 172.16.0.227 yt-consultation
O1 - Hosts: 172.16.0.228 yt-miriam
O1 - Hosts: 172.16.0.229 yt-vered
O1 - Hosts: 172.16.0.230 ARD-PSICHOnew
O1 - Hosts: 172.16.0.231 yt-cowshed
O1 - Hosts: 172.16.0.232 yt-cowshed-plc
O1 - Hosts: 172.16.0.233 yt-memco
O1 - Hosts: 172.16.0.234 yt-quality
O1 - Hosts: 172.16.0.235 yt-culture
O1 - Hosts: 172.16.0.237 yt-library
O1 - Hosts: 172.16.0.238 yt-project
O1 - Hosts: 172.16.0.239 yt-elad
O1 - Hosts: 172.16.0.240 yt-dent
O1 - Hosts: 172.16.0.242 yt-adam5000
O1 - Hosts: 172.16.0.243 yt-pension
O1 - Hosts: 172.16.0.244 yt-dishes
O1 - Hosts: 172.16.0.245 yt-nav
O1 - Hosts: 172.16.0.246 yt-dvd
O1 - Hosts: 172.16.0.247 yt-ulpan
O1 - Hosts: 172.16.0.249 yt-watering
O1 - Hosts: 172.16.0.250 yotvata-miznon
O1 - Hosts: 172.16.0.252 yotvata-machleva
O1 - Hosts: 172.16.1.66 ard-welfare1
O1 - Hosts: 172.16.1.154 ard-tourism
O1 - Hosts: 172.17.0.7 ktwest
O1 - Hosts: 172.17.0.99 ketura-fr
O1 - Hosts: 172.17.0.110 ketura-mail
O1 - Hosts: 172.17.0.111 ketura
O1 - Hosts: 172.17.0.111 ketura-nt
O1 - Hosts: 172.17.0.113 textstore-nt
O1 - Hosts: 172.17.0.116 ketura-ts
O1 - Hosts: 172.17.0.117 ketura-ts2
O1 - Hosts: 172.17.0.120 aies-ts3
O1 - Hosts: 172.17.0.121 ketura-office
O1 - Hosts: 172.17.0.215 ketura-garage-gestetner
O1 - Hosts: 172.17.1.254 kkolot-2000
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F1DEF8-35D4-4A20-9C34-884545DFFE41}: NameServer = 192.116.202.99,192.116.202.9,192.114.121.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{C982A830-9003-406F-A899-72CB313260F8}: NameServer = 192.114.121.119,212.117.129.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
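Added example, not code from the thread or from HijackThis: a short Python triage pass over a log in the format posted above. It flags the things a helper checks first in this log: a core-binary name (svchost.exe) running from a directory where Windows does not keep it, start/search pages pointing at a URL the owner did not choose, the legacy win.ini run= autostart, hosts entries that pin an Internet name, and entries whose target file no longer exists. The directory allowlist, the impersonated-name list and the trusted start pages are assumptions for this example; the sample log is an excerpt of the log above plus one constructed hosts line (liveupdate.example.com) to exercise the hosts rule.

```python
"""HijackThis 1.99 log triage (added example; not HijackThis or forum code)."""
import re

# Where the genuine Windows XP core binaries live (assumption: default install on C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Process names malware commonly borrows; a copy running elsewhere is suspect.
IMPERSONATED = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
# Start/search pages the owner actually wants (assumption for this example).
TRUSTED_PAGES = ("http://www.yahoo.com/", "about:blank")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (running process paths, [(code, entry text), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            procs.append(line)
    return procs, entries


def triage(text):
    """Return [(category, entry), ...] for the entries worth a second look."""
    procs, entries = parse_hjt(text)
    findings = []
    # 1. A core-binary name running outside the system directories
    #    (the c:\windows\system32\include\svchost.exe pattern in the log above).
    for p in procs:
        directory, _, name = p.lower().rpartition("\\")
        if name in IMPERSONATED and directory not in SYSTEM_DIRS:
            findings.append(("masquerade", p))
    for code, rest in entries:
        if code in ("R0", "R1"):
            # 2. Start/search page set to a URL outside the owner's allowlist.
            url = rest.split(" = ", 1)[-1]
            if url.lower().startswith("http") and not url.lower().startswith(TRUSTED_PAGES):
                findings.append(("hijacked_page", rest))
        elif code in ("F0", "F1", "F2", "F3"):
            # 3. win.ini / system.ini load=, run=, shell= and their registry
            #    mappings are legacy autostarts; HijackThis lists them only
            #    when non-default, so each one needs an explanation.
            findings.append(("legacy_autostart", rest))
        elif code == "O1":
            # 4. Bare LAN names in hosts are normal; a dotted Internet name
            #    pinned to any address is a redirect or an update block.
            parts = rest.split()
            if len(parts) >= 3 and "." in parts[2]:
                findings.append(("hosts_redirect", rest))
        elif "(file missing)" in rest or "(no file)" in rest:
            # 5. Orphaned references. HijackThis 1.99.1 also reports a service
            #    as missing when its ImagePath is quoted with arguments (note
            #    the stray quote in the avast! lines above), so confirm on disk.
            findings.append(("orphan", rest))
    return findings


# Excerpt of the first log in this thread, plus one constructed hosts line
# (liveupdate.example.com) to exercise the hosts rule.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:45:50, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\include\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://zzz.uv.ro/adver.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zzz.uv.ro/adver.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micro$oft IE
F3 - REG:win.ini: run=c:\windows\system32\include\svchost.exe
O1 - Hosts: 172.16.0.1 yotvata-router
O1 - Hosts: 127.0.0.1 liveupdate.example.com
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for category, entry in triage(SAMPLE):
        print(f"{category:17} {entry}")
```

Run as a script it prints one line per finding. On a full log the masquerade hit is the first thing to chase, since the F3 run= entry points at exactly that file: the process and its autostart are the same infection seen from two angles, which is why the helper's fix list below pairs the registry entries with deleting the include folder.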
#2 dvk01 (Moderator, 28,649 posts, joined Dec 2002, Loughton, Essex, UK), 26-Nov-2006, 02:38 PM
First:
Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can re-enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm


Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily


Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser and email windows are closed and press "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://zzz.uv.ro/adver.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zzz.uv.ro/adver.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://zzz.uv.ro/adver.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://zzz.uv.ro/adver.html/
F3 - REG:win.ini: run=c:\windows\system32\include\svchost.exe

Now start Killbox, paste the first file listed below into the full pathname and file to delete box.

The file name will appear in the window; select "delete on reboot", press the red X button, say Yes to the prompt and NO to "reboot now", then repeat for each file in turn.

[Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

c:\windows\system32\include\

Then on the Killbox top bar press Tools / Delete Temp Files. In the pop-up box, towards the middle, is a drop-down box containing a list of all user accounts; in that drop-down select your account, select ALL the options it will allow you to, then press "delete selected temp files", then repeat for every user account listed in that drop-down box.

then reboot & tell us how it is
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
#3 pons (Senior Member, 358 posts, joined Nov 2001, Israel), 26-Nov-2006, 04:10 PM
Thank you for such a fast response!
I'm attaching a HJT log. Those entries you pointed out are gone. I disabled TeaTimer as you suggested, but Killbox kept on giving me a "file not found" message, so I did it with HJT itself.
Did I do something wrong?
Now I don't have any strange web page trying to load, and my default home page is stable.
I still can't run URLs from the Run command, or from anywhere else, and the Internet shortcuts I have, when clicked, give me "application not found", open the "Open with" window, and when I select Internet Explorer I get the "application not found" message...

Thank you again. Here is the log.

Log file of HijackThis v1.99.1
Scan saved at 22:57:50, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micro$oft IE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 3.3.4.99 rotem-fr
O1 - Hosts: 40.1.1.12 mpl-natalie
O1 - Hosts: 40.1.1.13 mpl-alex
O1 - Hosts: 40.1.1.250 mpl-ibm
O1 - Hosts: 20.20.20.27 silver27
O1 - Hosts: 20.20.20.250 silverbyte
O1 - Hosts: 172.16.0.1 yotvata-router
O1 - Hosts: 172.16.0.103 pserver2
O1 - Hosts: 172.16.0.104 yt-pserver4
O1 - Hosts: 172.16.0.105 Yt-pserver5
O1 - Hosts: 172.16.0.106 pserver-binyan1
O1 - Hosts: 172.16.0.107 pserver-binyan2
O1 - Hosts: 172.16.0.112 yotvata-nt
O1 - Hosts: 172.16.0.112 yotvata
O1 - Hosts: 172.16.0.113 yotvata-ts
O1 - Hosts: 172.16.0.114 yotvata-ts2
O1 - Hosts: 172.16.0.117 yotvata-office
O1 - Hosts: 172.16.0.118 yotvata-office2
O1 - Hosts: 172.16.0.119 tourism-office
O1 - Hosts: 172.16.0.120 shaon-psyco
O1 - Hosts: 172.16.0.179 yt-studio
O1 - Hosts: 172.16.0.175 yt-gadash
O1 - Hosts: 172.16.0.177 yt-costs
O1 - Hosts: 172.16.0.180 yt-restaurant
O1 - Hosts: 172.16.0.181 yt-cashier2
O1 - Hosts: 172.16.0.182 yt-cashier1
O1 - Hosts: 172.16.0.183 yt-cashier3
O1 - Hosts: 172.16.0.184 yt-cashier4
O1 - Hosts: 172.16.0.185 yt-cashier5
O1 - Hosts: 172.16.0.186 yt-cashier6
O1 - Hosts: 172.16.0.187 yt-cashier7
O1 - Hosts: 172.16.0.188 yt-cashier8
O1 - Hosts: 172.16.0.190 yt-flight
O1 - Hosts: 172.16.0.191 yt-minimarket1
O1 - Hosts: 172.16.0.192 yt-minimarket2
O1 - Hosts: 172.16.0.193 yt-minimarket3
O1 - Hosts: 172.16.0.195 yotvata-dates
O1 - Hosts: 172.16.0.196 yt-archive
O1 - Hosts: 172.16.0.197 yt-garage
O1 - Hosts: 172.16.0.198 yt-welding
O1 - Hosts: 172.16.0.199 yt-yotitext
O1 - Hosts: 172.16.0.200 yotvata-miznon
O1 - Hosts: 172.16.0.201 yt-gizbar
O1 - Hosts: 172.16.0.202 yt-erez
O1 - Hosts: 172.16.0.203 yt-atzmon
O1 - Hosts: 172.16.0.204 yt-construction
O1 - Hosts: 172.16.0.205 yt-ira
O1 - Hosts: 172.16.0.206 yt-lena
O1 - Hosts: 172.16.0.207 yt-arie
O1 - Hosts: 172.16.0.208 yt-orit
O1 - Hosts: 172.16.0.209 yt-felicia
O1 - Hosts: 172.16.0.210 yt-capon
O1 - Hosts: 172.16.0.211 yt-tirza
O1 - Hosts: 172.16.0.212 yt-sec2
O1 - Hosts: 172.16.0.213 yt-malka
O1 - Hosts: 172.16.0.214 yt-mp
O1 - Hosts: 172.16.0.216 yt-naomi
O1 - Hosts: 172.16.0.217 yt-secretary
O1 - Hosts: 172.16.0.219 yt-services
O1 - Hosts: 172.16.0.220 yt-manager
O1 - Hosts: 172.16.0.221 yt-electricity
O1 - Hosts: 172.16.0.222 yt-economy
O1 - Hosts: 172.16.0.223 yt-clinic
O1 - Hosts: 172.16.0.224 yt-wm
O1 - Hosts: 172.16.0.226 yt-warehouse
O1 - Hosts: 172.16.0.227 yt-consultation
O1 - Hosts: 172.16.0.228 yt-miriam
O1 - Hosts: 172.16.0.229 yt-vered
O1 - Hosts: 172.16.0.230 ARD-PSICHOnew
O1 - Hosts: 172.16.0.231 yt-cowshed
O1 - Hosts: 172.16.0.232 yt-cowshed-plc
O1 - Hosts: 172.16.0.233 yt-memco
O1 - Hosts: 172.16.0.234 yt-quality
O1 - Hosts: 172.16.0.235 yt-culture
O1 - Hosts: 172.16.0.237 yt-library
O1 - Hosts: 172.16.0.238 yt-project
O1 - Hosts: 172.16.0.239 yt-elad
O1 - Hosts: 172.16.0.240 yt-dent
O1 - Hosts: 172.16.0.242 yt-adam5000
O1 - Hosts: 172.16.0.243 yt-pension
O1 - Hosts: 172.16.0.244 yt-dishes
O1 - Hosts: 172.16.0.245 yt-nav
O1 - Hosts: 172.16.0.246 yt-dvd
O1 - Hosts: 172.16.0.247 yt-ulpan
O1 - Hosts: 172.16.0.249 yt-watering
O1 - Hosts: 172.16.0.250 yotvata-miznon
O1 - Hosts: 172.16.0.252 yotvata-machleva
O1 - Hosts: 172.16.1.66 ard-welfare1
O1 - Hosts: 172.16.1.154 ard-tourism
O1 - Hosts: 172.17.0.7 ktwest
O1 - Hosts: 172.17.0.99 ketura-fr
O1 - Hosts: 172.17.0.110 ketura-mail
O1 - Hosts: 172.17.0.111 ketura
O1 - Hosts: 172.17.0.111 ketura-nt
O1 - Hosts: 172.17.0.113 textstore-nt
O1 - Hosts: 172.17.0.116 ketura-ts
O1 - Hosts: 172.17.0.117 ketura-ts2
O1 - Hosts: 172.17.0.120 aies-ts3
O1 - Hosts: 172.17.0.121 ketura-office
O1 - Hosts: 172.17.0.215 ketura-garage-gestetner
O1 - Hosts: 172.17.1.254 kkolot-2000
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F1DEF8-35D4-4A20-9C34-884545DFFE41}: NameServer = 192.116.202.99,192.116.202.9,192.114.121.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{C982A830-9003-406F-A899-72CB313260F8}: NameServer = 192.114.121.119,212.117.129.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
#4 dvk01 (Moderator, 28,649 posts, joined Dec 2002, Loughton, Essex, UK), 26-Nov-2006, 05:39 PM
  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click " Configure Scan Options"
  • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
  • Now Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post!. It will be too big to post so you will need to attach it to your reply
#5 pons (Senior Member, 358 posts, joined Nov 2001, Israel), 27-Nov-2006, 01:36 PM
Hi, I followed your advice. Here's the attachment.
[Attachment blocked by the forum]

Last edited by dvk01 : 27-Nov-2006 02:31 PM.
#6 dvk01 (Moderator, 28,649 posts, joined Dec 2002, Loughton, Essex, UK), 27-Nov-2006, 02:45 PM
You have almost certainly got a backdoor hacker.

Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html

Unzip it to the desktop, open it and paste in the list of files below, press Next and it will create an archive (zip/cab file) on the desktop.

Please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files.

Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. When the file is listed in the window press Send to upload the file.



C:\WINDOWS\SYSTEM32\msasf.exe
C:\WINDOWS\SYSTEM32\ecesq.dll
C:\WINDOWS\SYSTEM32\bsqt.dll
C:\WINDOWS\SYSTEM32\cpwiuy.dll
C:\WINDOWS\SYSTEM32\t5rdv.dll
C:\WINDOWS\SYSTEM32\t3odm.dll
C:\WINDOWS\system32\include\*.*



Then:

* Run the Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HijackThis log along with the results from the Kaspersky scan.

* Also open HijackThis and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

Note: Kavscan is a scanner only and won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

You must use IE for the scan to work.

then
download gmer rootkit detector from http://gmer.net/

unzip it & double click the gmer.exe file

select rootkit tab & press scan

when it has finished press save & post back the log it makes

also select the autostarts tab & do the same there


http://www.gmer.net/catchme.php

Download catchme.exe ( 25kB ) to your desktop.

Double click the catchme.exe to run it

Open catchme.log to see results
#7 pons (Senior Member, 358 posts, joined Nov 2001, Israel), 27-Nov-2006, 05:27 PM
Well, the shortcuts are back. Seeing as I could access the internet by clicking on the IE icon on my desktop, I used "restore IE default settings" from the menu in IE properties, and it did the trick!
I have no idea why the WWW and HTTP shortcuts weren't associated with IE, if that is what happened.

I ran the Kaspersky online scan anyway, and it found 3 viruses that my AV apparently missed. I run Avast. I'm posting the log for you.

Thank you again and I'll await your advice.
sebastian

KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 28, 2006 12:21:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/11/2006
Kaspersky Anti-Virus database records: 232204


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 103512
Number of viruses found 3
Number of infected objects 6 / 0
Number of suspicious objects 0
Duration of the scan process 01:13:21

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sebas\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sebas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sebas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sebas\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sebas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sebas\ntuser.dat Object is locked skipped
C:\Documents and Settings\sebas\ntuser.dat.LOG Object is locked skipped
C:\Incomplete\T-872159-Civilization 3.zip/Setup.exe Infected: Worm.Win32.VB.an skipped
C:\Incomplete\T-872159-Civilization 3.zip ZIP: infected - 1 skipped
C:\Program Files\a-squared Free\Quarantine\e6f4b041e5eb8ca7d2512a6c1d9173b1.a2q/Program Files/Boilsoft MOV Converter/run.exe Infected: Trojan-Downloader.Win32.Zlob.aco skipped
C:\Program Files\a-squared Free\Quarantine\e6f4b041e5eb8ca7d2512a6c1d9173b1.a2q ZIP: infected - 1 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B2114604-1C7B-4137-B80F-538E7B081401}\RP19\A0016731.ini Infected: IRC-Worm.Win32.Tedeto.a skipped
C:\System Volume Information\_restore{B2114604-1C7B-4137-B80F-538E7B081401}\RP19\A0016732.ini Infected: IRC-Worm.Win32.Tedeto.a skipped
C:\System Volume Information\_restore{B2114604-1C7B-4137-B80F-538E7B081401}\RP23\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_28c.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_660.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
dvk01
Moderator with 28,649 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
27-Nov-2006, 06:28 PM #8
I would still like to examine the files I asked about earlier, as they look like they could be new trojans/worms/viruses.

This is the only one that Kaspersky found that needs to be dealt with, and it shows well the dangers of P2P downloads, as it is in a P2P download folder:
C:\Incomplete\T-872159-Civilization 3.zip

The others are either in a-squared quarantine or in restore points.

The ones in quarantine are fine & safe.

Turn off System Restore by following the instructions here:
http://www.thespykiller.co.uk/forum/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point.

Once I see the files I can decide if you need to do anything else.
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
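The triage in the post above (the P2P download is the only live hit; quarantine and restore-point detections need no manual action) can be applied mechanically to a Kaspersky Online Scanner report. The script below is an added example, not part of the thread or of any Kaspersky tooling; the sample lines are copied from the report posted earlier, and the folder patterns used to recognise a-squared's quarantine and XP's restore points are this example's own assumption (they match the paths in that report).

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of lines copied from the Kaspersky Online
# Scanner report posted earlier in this thread (one "Infected:" line per
# location class, plus locked-object and container-summary lines to ignore).
SAMPLE_REPORT = r"""
C:\Documents and Settings\sebas\ntuser.dat Object is locked skipped
C:\Incomplete\T-872159-Civilization 3.zip/Setup.exe Infected: Worm.Win32.VB.an skipped
C:\Incomplete\T-872159-Civilization 3.zip ZIP: infected - 1 skipped
C:\Program Files\a-squared Free\Quarantine\e6f4b041e5eb8ca7d2512a6c1d9173b1.a2q/Program Files/Boilsoft MOV Converter/run.exe Infected: Trojan-Downloader.Win32.Zlob.aco skipped
C:\Program Files\a-squared Free\Quarantine\e6f4b041e5eb8ca7d2512a6c1d9173b1.a2q ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B2114604-1C7B-4137-B80F-538E7B081401}\RP19\A0016731.ini Infected: IRC-Worm.Win32.Tedeto.a skipped
C:\System Volume Information\_restore{B2114604-1C7B-4137-B80F-538E7B081401}\RP23\change.log Object is locked skipped
"""

# A detection line: "<object> Infected: <signature name> <last action>".
# The object may contain spaces, so the first group is non-greedy.
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

# Location classes. The folder patterns are this example's assumption about
# where a-squared keeps its quarantine and where XP keeps restore points
# (both match the paths in the posted report).
RESTORE_POINT_MARK = "\\_restore{"
QUARANTINE_MARK = "\\quarantine\\"


def host_file(obj: str) -> str:
    """Kaspersky writes objects inside archives as 'archive.zip/inner/file';
    the thing that actually exists on disk is the part before the first '/'."""
    return obj.split("/", 1)[0]


def classify(obj: str) -> str:
    low = obj.lower()
    if RESTORE_POINT_MARK in low:
        return "restore_point"   # purged by turning System Restore off and on
    if QUARANTINE_MARK in low:
        return "quarantine"      # already neutralised by the tool that caught it
    return "actionable"          # live on disk: delete / investigate


def triage(report: str) -> dict:
    """Group every detection by location class as (on-disk path, signature)."""
    found = defaultdict(list)
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue  # "Object is locked" and "ZIP: infected - N" lines carry no detection
        obj = m.group("obj")
        found[classify(obj)].append((host_file(obj), m.group("name")))
    return dict(found)


def files_to_remove(report: str) -> list:
    """Unique on-disk files outside quarantine and restore points."""
    seen = []
    for path, _ in triage(report).get("actionable", []):
        if path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    for cls, hits in triage(SAMPLE_REPORT).items():
        print(cls)
        for path, sig in hits:
            print(f"  {sig:35} {path}")
    print("remove:", files_to_remove(SAMPLE_REPORT))
```

Run against the sample it returns only the C:\Incomplete archive as something to delete; the a-squared quarantine entry and the RP19 restore-point copies are reported under their own classes so nobody goes digging for them by hand.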
pons
Senior Member with 358 posts.
Join Date: Nov 2001
Location: Israel
28-Nov-2006, 09:15 AM #9
Hi. Followed the instructions for System Restore. Downloaded GMER (log below), and I'm running Kaspersky again after deleting the whole folder. Will post again when completed.
Sebastian
EDIT
---

KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 28, 2006 5:33:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/11/2006
Kaspersky Anti-Virus database records: 232399


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 90707
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 01:07:17

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\sebas\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\sebas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\sebas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\sebas\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\sebas\Local Settings\History\History.IE5\MSHist012006112820061129\index.dat Object is locked skipped

C:\Documents and Settings\sebas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\sebas\ntuser.dat Object is locked skipped

C:\Documents and Settings\sebas\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\sebas\UserData\index.dat Object is locked skipped

C:\Program Files\a-squared Free\Quarantine\e6f4b041e5eb8ca7d2512a6c1d9173b1.a2q/Program Files/Boilsoft MOV Converter/run.exe Infected: Trojan-Downloader.Win32.Zlob.aco skipped

C:\Program Files\a-squared Free\Quarantine\e6f4b041e5eb8ca7d2512a6c1d9173b1.a2q ZIP: infected - 1 skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped

C:\Program Files\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{B2114604-1C7B-4137-B80F-538E7B081401}\RP2\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_7c8.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
dvk01
Moderator with 28,649 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
28-Nov-2006, 11:47 AM #10
That all looks OK now.

GMER isn't showing anything bad.

I just need to examine those files I asked for in post #6 to see if they are good or bad.
pons
Senior Member with 358 posts.
Join Date: Nov 2001
Location: Israel
28-Nov-2006, 01:02 PM #11
Pasting results:

Requested file archive from 28/11/2006 19:55:26
Created by Suspicious File Packer 0.2
Copyright © 2004-2005 Safer Networking Limited. All rights reserved.

Requests:
C:\WINDOWS\SYSTEM32\msasf.exe
C:\WINDOWS\SYSTEM32\ecesq.dll
C:\WINDOWS\SYSTEM32\bsqt.dll
C:\WINDOWS\SYSTEM32\cpwiuy.dll
C:\WINDOWS\SYSTEM32\t5rdv.dll
C:\WINDOWS\SYSTEM32\t3odm.dll
C:\WINDOWS\system32\include\*.*

Operations:
+ added: C:\WINDOWS\SYSTEM32\msasf.exe
+ added: C:\WINDOWS\SYSTEM32\ecesq.dll
+ added: C:\WINDOWS\SYSTEM32\bsqt.dll
+ added: C:\WINDOWS\SYSTEM32\cpwiuy.dll
+ added: C:\WINDOWS\SYSTEM32\t5rdv.dll
+ added: C:\WINDOWS\SYSTEM32\t3odm.dll
+ added: C:\WINDOWS\system32\include\aliases.ini
+ added: C:\WINDOWS\system32\include\away.txt
+ added: C:\WINDOWS\system32\include\badwords.txt
+ added: C:\WINDOWS\system32\include\control.ini
+ added: C:\WINDOWS\system32\include\dialogs.ini
+ added: C:\WINDOWS\system32\include\engine.ini
+ added: C:\WINDOWS\system32\include\flooding.txt
+ added: C:\WINDOWS\system32\include\fullname.txt
+ added: C:\WINDOWS\system32\include\injuraturi.txt
+ added: C:\WINDOWS\system32\include\IRC.ICO
+ added: C:\WINDOWS\system32\include\mirc.ini
+ added: C:\WINDOWS\system32\include\nick.txt
+ added: C:\WINDOWS\system32\include\nopopup.reg
+ added: C:\WINDOWS\system32\include\online.ini
+ added: C:\WINDOWS\system32\include\operator.ini
+ added: C:\WINDOWS\system32\include\perform.ini
+ added: C:\WINDOWS\system32\include\popups.ini
+ added: C:\WINDOWS\system32\include\remote.ini
+ added: C:\WINDOWS\system32\include\servers.ini
+ added: C:\WINDOWS\system32\include\setup.exe
+ added: C:\WINDOWS\system32\include\svchost.exe
+ added: C:\WINDOWS\system32\include\X.bat
dvk01
Moderator with 28,649 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
28-Nov-2006, 01:52 PM #12
Yes, but I need you to upload the zip file containing all that to
http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files.

Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to & select the files on your computer. When the file is listed in the window, press Send to upload the file.
pons
Senior Member with 358 posts.
Join Date: Nov 2001
Location: Israel
28-Nov-2006, 02:56 PM #13
They are there already.
Again, thank you.
Sebastian Pons
dvk01
Moderator with 28,649 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
28-Nov-2006, 04:56 PM #14
The include folder is a backdoor mIRC trojan.

I'm not 100% sure about the others, but they don't appear to be what they pretend to be. I am getting them fully analysed and will let you know as soon as I get the results.

Now we need to delete the include folder & all its evil contents.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Folders to delete:
C:\WINDOWS\system32\include

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
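The call above (an include folder under system32 full of mIRC .ini files, a second svchost.exe and a batch file is a repackaged mIRC bot, while the oddly named DLLs in system32 itself cannot be judged from names alone) can be turned into a check over the Suspicious File Packer listing from post #11. This is an added example, not code from the thread or from Safer Networking's tool; the listing is copied from that post (shortened to a representative subset), and the indicator sets, the expected system32 location and the "two config files plus something runnable" threshold are this example's own choices.

```python
import ntpath
from collections import defaultdict

# Sample input: the "Operations" section of the Suspicious File Packer output
# posted above, shortened to a representative subset (copied, not invented).
SFP_OUTPUT = r"""
+ added: C:\WINDOWS\SYSTEM32\msasf.exe
+ added: C:\WINDOWS\SYSTEM32\ecesq.dll
+ added: C:\WINDOWS\SYSTEM32\bsqt.dll
+ added: C:\WINDOWS\system32\include\aliases.ini
+ added: C:\WINDOWS\system32\include\control.ini
+ added: C:\WINDOWS\system32\include\flooding.txt
+ added: C:\WINDOWS\system32\include\mirc.ini
+ added: C:\WINDOWS\system32\include\nopopup.reg
+ added: C:\WINDOWS\system32\include\perform.ini
+ added: C:\WINDOWS\system32\include\popups.ini
+ added: C:\WINDOWS\system32\include\remote.ini
+ added: C:\WINDOWS\system32\include\servers.ini
+ added: C:\WINDOWS\system32\include\setup.exe
+ added: C:\WINDOWS\system32\include\svchost.exe
+ added: C:\WINDOWS\system32\include\X.bat
"""

# Indicator sets (this example's choices, not a published rule set).
# mIRC's own configuration/script file names: a cluster of these outside a
# user's mIRC install directory is the fingerprint of a repackaged mIRC bot.
MIRC_CONFIG = {"mirc.ini", "remote.ini", "aliases.ini", "popups.ini",
               "perform.ini", "servers.ini", "users.ini", "control.ini"}
# Core Windows process names that legitimately live only in system32;
# a copy anywhere else is a name-masquerade indicator.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                       "winlogon.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".reg"}


def parse_sfp(listing: str) -> dict:
    """Map lowercase directory -> lowercase file names from '+ added:' lines."""
    by_dir = defaultdict(list)
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("+ added: "):
            continue
        directory, name = ntpath.split(line[len("+ added: "):])
        by_dir[directory.lower()].append(name.lower())
    return dict(by_dir)


def analyze(listing: str) -> dict:
    """Per directory, collect the indicators present; directories with none are dropped."""
    findings = {}
    for directory, names in parse_sfp(listing).items():
        f = {
            "mirc_config": sorted(set(names) & MIRC_CONFIG),
            "masquerade": sorted(n for n in names
                                 if n in SYSTEM_BINARY_NAMES and directory != SYSTEM32),
            "scripts": sorted(n for n in names if ntpath.splitext(n)[1] in SCRIPT_EXTS),
            "executables": sorted(n for n in names if n.endswith(".exe")),
        }
        if f["mirc_config"] or f["masquerade"] or f["scripts"]:
            findings[directory] = f
    return findings


def likely_irc_bot(f: dict) -> bool:
    """Two or more mIRC config files plus something runnable in the same folder."""
    return len(f["mirc_config"]) >= 2 and bool(f["executables"] or f["scripts"])


if __name__ == "__main__":
    for directory, f in analyze(SFP_OUTPUT).items():
        verdict = "IRC bot drop" if likely_irc_bot(f) else "suspicious"
        print(f"{directory}: {verdict}")
        for kind, names in f.items():
            if names:
                print(f"  {kind}: {', '.join(names)}")
```

The include folder trips all three indicator classes and is reported as an IRC bot drop; C:\WINDOWS\SYSTEM32 itself produces no finding, because msasf.exe and the random-looking DLLs match nothing by name, which is exactly why those files had to go off for analysis rather than be judged from the listing.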
dvk01
Moderator with 28,649 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
28-Nov-2006, 05:24 PM #15
All the others do appear to be video-related files, so they are probably harmless, but after I get a full analysis I will let you know if they turn out bad at all, so I will leave them for now.
Closed Thread   techguy.org/521514