
How To Remove Process System.exe

Discussion in 'Virus & Other Malware Removal' started by sgeva2001, Mar 17, 2006.

  1. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    I remove the process and it keeps coming back.
    I think it is a virus or the like.
     
  2. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    What location is it in?

    Click here to download HJTsetup.exe: http://www.thespykiller.co.uk/files/HJTSetup.exe
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    I do not know its location.
    I see it at task manager processes.

    Logfile of HijackThis v1.99.1
    Scan saved at 20:30:47, on 17/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    F:\Programs\Norton Antivirus\navapsvc.exe
    F:\Programs\NORTON~3\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    F:\Programs\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    F:\Programs\ZoneAlarm\zapro.exe
    F:\Programs\PALM\AlarmApp.exe
    F:\Program Files\AutoHotkey\My_srcipts\My_key.exe
    F:\Programs\PALM\HOTSYNC.EXE
    F:\Program Files\FIREFOX\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    F:\Program Files\Registry Booster\RegistryBooster.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    F:\Programs\ZoneAlarm\zapro.exe
    G:\Program Files\Miranda IM\miranda32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Programs\NORTON~2\Navw32.exe
    F:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = יום נהדר
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programs\ADOBE\ActiveX\AcroIEHelper.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programs\Spybot\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Programs\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Programs\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PALM.lnk = F:\Programs\PALM\AlarmApp.exe
    O4 - Startup: My_key.lnk = F:\Program Files\AutoHotkey\My_srcipts\My_key.exe
    O4 - Startup: HotSync Manager.LNK = F:\Programs\PALM\HOTSYNC.EXE
    O4 - Startup: AcctMgr.lnk = ?
    O4 - Global Startup: ZoneAlarm Pro.lnk = ?
    O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
    O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-shaul.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Programs\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Handle with &Hot Keyboard - F:\Programs\Hot_Key\IEScript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Programs\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-shaul.html (HKCU)
    O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-shaul.html (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://wsbd2.072.012.net/commpilot/customcontrols/BwOutlook.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142333516750
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
    O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Programs\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Programs\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - F:\Programs\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
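    The log above is plain text with a fixed shape: a "Running processes:" list followed by one "Rn/Fn/On - ..." entry per line, which makes it easy to triage mechanically before deciding what, if anything, to fix. The Python script below is an added example for this thread, not a tool from the forum or from HijackThis itself. It parses a log in that format and runs the checks a reviewer does first: whether the process the user saw in Task Manager (System.exe, from the thread title) appears in the log, which entries still point at files that no longer exist on disk ("(no file)" / "(file missing)"), which O17 entries set DNS resolvers that should be verified against the ISP's real ones, and which O4 Run values launch the same executable under different names. The embedded sample is a constructed excerpt of the lines posted above, with the Hebrew window title replaced by a placeholder.

```python
"""Triage helper for a HijackThis v1.99 log (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the same format as the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:30:47, on 17/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = placeholder
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# O4 Run body: HKLM\..\Run: [value name] "optional quotes"path.exe optional args
RUN_RE = re.compile(
    r'^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>.+?\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)


def parse_hjt_log(text):
    """Return (processes, entries): running-process paths and (kind, body) pairs."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def find_process(processes, name):
    """Running-process paths whose file name equals `name`, case-insensitively."""
    name = name.lower()
    return [p for p in processes if p.rsplit("\\", 1)[-1].lower() == name]


def orphaned_entries(entries):
    """Entries that reference a file HijackThis could not find on disk."""
    return [(k, b) for k, b in entries if "(no file)" in b or "(file missing)" in b]


def nameservers(entries):
    """Sorted, de-duplicated resolver IPs from O17 NameServer entries."""
    ips = set()
    for kind, body in entries:
        if kind == "O17" and "NameServer" in body:
            ips.update(IPV4_RE.findall(body))
    return sorted(ips)


def run_targets(entries):
    """Map each executable started from an O4 Run key to the value names that start it."""
    targets = defaultdict(list)
    for kind, body in entries:
        m = RUN_RE.match(body) if kind == "O4" else None
        if m:
            targets[m.group("path").lower()].append(m.group("name"))
    return dict(targets)


def triage(text, suspect):
    """Bundle the checks into one report for a log and a suspected process name."""
    processes, entries = parse_hjt_log(text)
    shared = {p: n for p, n in run_targets(entries).items() if len(n) > 1}
    return {
        "suspect_running": find_process(processes, suspect),
        "orphaned": orphaned_entries(entries),
        "nameservers": nameservers(entries),
        "shared_run_targets": shared,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "System.exe")
    print("suspect in running processes:", report["suspect_running"] or "not listed")
    for kind, body in report["orphaned"]:
        print(f"orphaned {kind}: {body}")
    print("resolvers to verify with the ISP:", ", ".join(report["nameservers"]))
    for path, names in report["shared_run_targets"].items():
        print(f"{path} is started by Run values {names}")
```

    Two caveats match the moderator's advice above. A process absent from the "Running processes" list was simply not running when the scan was taken, so an empty result for System.exe is not evidence either way. Entries marked "(no file)" or "(file missing)" are dangling registry references, not infections by themselves, and the O17 resolvers need to be compared with the addresses the ISP actually hands out before anyone concludes they were changed.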
     
  4. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    Click here to download the trial version of Ewido Security Suite:
    http://www.ewido.net/en/download/

    · Install Ewido.
    · During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    · Launch ewido.
    · It will prompt you to update; click the OK button and it will go to the main screen.
    · On the left side of the main screen click update.
    · Click on Start and let it update.
    · DO NOT run a scan yet.

    Restart your computer into Safe Mode now.
    (Start tapping the F8 key at Startup, before the Windows logo screen).
    Perform the following steps in Safe Mode:

    * Run Ewido:
    Click on scanner
    Click Complete System Scan and the scan will begin.
    During the scan it will prompt you to clean files, click OK.
    When the scan is finished, look at the bottom of the screen and click the Save report button.
    Save the report to your desktop.

    Reboot.

    Post a new Hijack This log and the results of the Ewido scan.
     
  5. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    I updated and ran Ewido today (12 hours ago) in safe mode.
    I gave it OK to remove what it found.
    Should I run it again in safe mode, or can I find the log from the past?
     
  6. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    I don't think a log from the past will do much good. You need to run it again please. :)
     
  7. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    In safe mode?
     
  8. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
  9. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    Logfile of HijackThis v1.99.1
    Scan saved at 22:51:51, on 17/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    F:\Programs\Norton Antivirus\navapsvc.exe
    F:\Programs\NORTON~3\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    F:\Programs\ZoneAlarm\zapro.exe
    F:\Programs\PALM\AlarmApp.exe
    F:\Program Files\AutoHotkey\My_srcipts\My_key.exe
    F:\Programs\PALM\HOTSYNC.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    F:\Programs\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\system32\wuauclt.exe
    F:\Program Files\FIREFOX\firefox.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    F:\Program Files\HIJACKTHIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = יום נהדר
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programs\ADOBE\ActiveX\AcroIEHelper.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programs\Spybot\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Programs\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Programs\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PALM.lnk = F:\Programs\PALM\AlarmApp.exe
    O4 - Startup: My_key.lnk = F:\Program Files\AutoHotkey\My_srcipts\My_key.exe
    O4 - Startup: HotSync Manager.LNK = F:\Programs\PALM\HOTSYNC.EXE
    O4 - Startup: AcctMgr.lnk = ?
    O4 - Global Startup: ZoneAlarm Pro.lnk = ?
    O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
    O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-shaul.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Programs\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Handle with &Hot Keyboard - F:\Programs\Hot_Key\IEScript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Programs\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-shaul.html (HKCU)
    O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-shaul.html (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://wsbd2.072.012.net/commpilot/customcontrols/BwOutlook.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142333516750
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
    O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Programs\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Programs\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - F:\Programs\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    And the log file of Ewido:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 22:41:48, 17/03/2006
    + Report-Checksum: EA517080

    + Scan result:

    :mozilla.12:C:\Documents and Settings\Shaul\Application Data\Mozilla\Firefox\Profiles\fl615dgx.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Shaul\Application Data\Mozilla\Firefox\Profiles\fl615dgx.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00432107.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00432107.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00432111.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00432111.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432113.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00432113.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00432117.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00432117.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.6:C:\Recycled\NPROTECT\00431484.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.8:C:\Recycled\NPROTECT\00431485.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.8:C:\Recycled\NPROTECT\00431486.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.8:C:\Recycled\NPROTECT\00431521.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.8:C:\Recycled\NPROTECT\00431530.MOZ -> TrackingCookie.Com : Cleaned with backup
    :mozilla.11:C:\Recycled\NPROTECT\00431251.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.15:C:\Recycled\NPROTECT\00431251.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00431253.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.16:C:\Recycled\NPROTECT\00431253.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.7:C:\Recycled\NPROTECT\00431256.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.16:C:\Recycled\NPROTECT\00431256.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.6:C:\Recycled\NPROTECT\00431258.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.16:C:\Recycled\NPROTECT\00431258.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.8:C:\Recycled\NPROTECT\00431259.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.19:C:\Recycled\NPROTECT\00431259.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.9:C:\Recycled\NPROTECT\00431261.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.20:C:\Recycled\NPROTECT\00431261.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.11:C:\Recycled\NPROTECT\00431262.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.22:C:\Recycled\NPROTECT\00431262.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.11:C:\Recycled\NPROTECT\00431263.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.22:C:\Recycled\NPROTECT\00431263.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.11:C:\Recycled\NPROTECT\00431264.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.22:C:\Recycled\NPROTECT\00431264.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.11:C:\Recycled\NPROTECT\00431269.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.22:C:\Recycled\NPROTECT\00431269.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00431270.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.22:C:\Recycled\NPROTECT\00431270.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00431271.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.25:C:\Recycled\NPROTECT\00431271.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431272.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431272.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431273.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431273.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431274.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431274.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431275.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431275.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431276.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431276.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431277.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431277.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431278.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431278.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431279.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431279.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431280.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431280.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431281.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431281.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431282.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431282.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431283.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431283.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431284.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431284.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431285.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431285.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431286.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431286.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431287.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431287.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431288.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431288.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00431290.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431290.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.19:C:\Recycled\NPROTECT\00431291.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.27:C:\Recycled\NPROTECT\00431291.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.19:C:\Recycled\NPROTECT\00431292.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.27:C:\Recycled\NPROTECT\00431292.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.19:C:\Recycled\NPROTECT\00431293.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.27:C:\Recycled\NPROTECT\00431293.MOZ -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.23:C:\Recycled\NPROTECT\00431294.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.31:C:\Recycled\NPROTECT\00431294.MOZ -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.26:C:\Recycled\NPROTECT\00431295.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.34:C:\Recycled\NPROTECT\00431295.MOZ -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.27:C:\Recycled\NPROTECT\00431305.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.35:C:\Recycled\NPROTECT\00431305.MOZ -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.27:C:\Recycled\NPROTECT\00431306.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.35:C:\Recycled\NPROTECT\00431306.MOZ -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.6:C:\Recycled\NPROTECT\00431307.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.35:C:\Recycled\NPROTECT\00431307.MOZ -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.6:C:\Recycled\NPROTECT\00431312.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.35:C:\Recycled\NPROTECT\00431312.MOZ -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.6:C:\Recycled\NPROTECT\00431329.txt -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.35:C:\Recycled\NPROTECT\00431329.txt -> TrackingCookie.Casalemedia :

    Cleaned with backup
    :mozilla.8:C:\Recycled\NPROTECT\00431998.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.9:C:\Recycled\NPROTECT\00431999.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.8:C:\Recycled\NPROTECT\00432003.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00432003.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432005.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.12:C:\Recycled\NPROTECT\00432005.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.10:C:\Recycled\NPROTECT\00432007.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.14:C:\Recycled\NPROTECT\00432007.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.10:C:\Recycled\NPROTECT\00432008.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.14:C:\Recycled\NPROTECT\00432008.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432009.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432009.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.11:C:\Recycled\NPROTECT\00432011.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432011.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432013.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432013.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.11:C:\Recycled\NPROTECT\00432014.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432014.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.11:C:\Recycled\NPROTECT\00432015.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432015.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432016.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432016.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.11:C:\Recycled\NPROTECT\00432018.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432018.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432021.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432021.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432022.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432022.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.11:C:\Recycled\NPROTECT\00432052.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432052.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432060.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432060.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432061.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432061.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.6:C:\Recycled\NPROTECT\00432073.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.17:C:\Recycled\NPROTECT\00432073.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.14:C:\Recycled\NPROTECT\00432078.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00432078.MOZ -> TrackingCookie.Com : Cleaned

    with backup
    :mozilla.12:C:\Recycled\NPROTECT\00432102.MOZ -> TrackingCookie.Statcounter :

    Cleaned with backup
    :mozilla.18:C:\Recycled\NPROTECT\00432102.MOZ -> TrackingCookie.Com : Cleaned

    with backup


    ::Report End
     
  10. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)

    O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN

    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)

    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)


    Reboot, post a new log.
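    The entries the helper picks out above share a pattern that can be checked mechanically: HijackThis marks a registered component whose file is gone with "(no file)" or "(file missing)", and an O4 Run value that names a bare executable rather than a full path is worth a second look. The following Python script is an added example, not part of the thread or of HijackThis; it parses lines in the v1.99.1 log format shown in this thread and lists the entries a reviewer would want to look at. The sample log is constructed from lines that appear in this thread, and the need2find.com host check reflects the helper's instruction here rather than any general blocklist.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 log format, assembled from lines
# that appear in this thread; it is not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Programs\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Every HJT finding starts with a section code such as O2, O4, O23 or R1.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
O4_TARGET_RE = re.compile(r"\]\s*(.+)$")  # text after the [value name]

# HJT prints these when the registered path does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Host the helper in this thread told the poster to remove (page data, not a
# general blocklist).
HOSTS_FLAGGED_IN_THREAD = ("need2find.com",)


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    reasons: List[str]

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def _reasons(sec: str, body: str) -> List[str]:
    """Return the review reasons for one HJT line (empty list = nothing noted)."""
    reasons: List[str] = []
    if any(mk in body for mk in ORPHAN_MARKERS):
        reasons.append("registered file is missing (orphaned entry)")
    if sec == "O4":
        m = O4_TARGET_RE.search(body)
        if m:
            target = m.group(1).strip().lstrip('"')
            if "\\" not in target:
                # Without a full path, which file actually runs depends on the
                # search order, so the value deserves a manual check.
                reasons.append("O4 Run value gives a bare file name, not a full path")
    if sec == "O8":
        m = URL_HOST_RE.search(body)
        if m:
            host = m.group(1).lower()
            for h in HOSTS_FLAGGED_IN_THREAD:
                if host == h or host.endswith("." + h):
                    reasons.append(f"context-menu URL points at {h}")
    return reasons


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O-/R-/F-section lines of an HJT log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" block and blank lines
        sec, body = m.group("sec"), m.group("body")
        cm = CLSID_RE.search(body)
        entries.append(Entry(sec, body, cm.group(0) if cm else None, _reasons(sec, body)))
    return entries


def flagged_entries(text: str) -> List[Entry]:
    """Entries a reviewer should look at, in log order."""
    return [e for e in parse_hjt(text) if e.flagged]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for r in e.reasons:
            print(f"    - {r}")
```

    Run against the sample, the script flags the same O2, O8 and O9 lines the helper lists in this post plus the O18 and O20 "(file missing)" entries and the bare "StartupMonitor.exe" Run value; the Norton BHO, the fully-pathed Messenger entry and the ZoneAlarm service pass untouched. An orphaned entry is usually just debris from an uninstall, which is why the helper has HJT remove it rather than treating it as an infection.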
     
  11. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    Logfile of HijackThis v1.99.1
    Scan saved at 09:38:41, on 18/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    F:\Programs\Norton Antivirus\navapsvc.exe
    F:\Programs\NORTON~3\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\Programs\ZoneAlarm\zapro.exe
    F:\Programs\PALM\AlarmApp.exe
    F:\Program Files\AutoHotkey\My_srcipts\My_key.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    F:\Programs\PALM\HOTSYNC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    F:\Programs\Norton Antivirus\SAVScan.exe
    F:\Program Files\FIREFOX\firefox.exe
    F:\Program Files\HIJACKTHIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = יום נהדר
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programs\ADOBE\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programs\Spybot\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Programs\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Programs\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PALM.lnk = F:\Programs\PALM\AlarmApp.exe
    O4 - Startup: My_key.lnk = F:\Program Files\AutoHotkey\My_srcipts\My_key.exe
    O4 - Startup: HotSync Manager.LNK = F:\Programs\PALM\HOTSYNC.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = ?
    O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-shaul.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Programs\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Handle with &Hot Keyboard - F:\Programs\Hot_Key\IEScript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Programs\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-shaul.html (HKCU)
    O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-shaul.html (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://wsbd2.072.012.net/commpilot/customcontrols/BwOutlook.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142333516750
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
    O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\{55D8422E-7CD3-4285-B39F-608A5A4EBAD7}: NameServer = 84.95.14.250,212.116.161.38
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Programs\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Programs\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - F:\Programs\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
     
  12. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    How are things now?
     
  13. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    The same. The process SYSTEM is still running.
     
  14. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    It doesn't show in the HJT log as a running process. Kinda weird.

    Please RIGHT-CLICK HERE to download Silent Runners.
    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will receive a prompt:
      • Do you want to skip supplementary searches?
        click NO
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
     
  15. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    ".vbs", revision 44, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
    "QD FastAndSafe" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "Run StartupMonitor" = "StartupMonitor.exe" [null data]
    "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "F:\Programs\ADOBE\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "F:\Programs\Spybot\SDHelper.dll" ["Safer Networking Limited"]
    {A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "IeCatch2 Class"
    \InProcServer32\(Default) = "G:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]
    {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "CNavExtBho Class"
    \InProcServer32\(Default) = "F:\Programs\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{9493BF10-6A0A-11D3-AFB2-00C06C397814}" = "Hot Keyboard"
    -> {HKLM...CLSID} = "HotKeyboard_ShellEx"
    \InProcServer32\(Default) = "F:\Programs\Hot_Key\HkShExt.dll" ["TB Labs"]
    "{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
    -> {HKLM...CLSID} = "eLicense Control"
    \InProcServer32\(Default) = "C:\WINDOWS\lcmmfu.cpl" [null data]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
    "{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
    -> {HKLM...CLSID} = "IZArc DragDrop Menu"
    \InProcServer32\(Default) = "F:\Programs\IZArc\IZArcCM.dll" [null data]
    "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
    -> {HKLM...CLSID} = "IZArc Shell Context Menu"
    \InProcServer32\(Default) = "F:\Programs\IZArc\IZArcCM.dll" [null data]
    "{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
    "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
    -> {HKLM...CLSID} = "WinAceContext Menu Extension"
    \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
    -> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
    \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
    -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
    \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
    -> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
    \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
    "{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"
    -> {HKLM...CLSID} = "aol"
    \InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data]
    "{8D1636FD-CA49-4b4e-90E4-0A20E03A15E8}" = "jetAudio"
    -> {HKLM...CLSID} = "JetFlExt"
    \InProcServer32\(Default) = "F:\Programs\JetFlExt.dll" ["JetAudio, Inc."]
    "{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
    -> {HKLM...CLSID} = "PropPage Class"
    \InProcServer32\(Default) = "F:\Programs\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "F:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{475A9681-F01B-11d5-BC5E-0050CE184C9B}" = "CrimsonEditor.ShellExt"
    -> {HKLM...CLSID} = "CrimsonEditor.ShellExt"
    \InProcServer32\(Default) = "F:\Program Files\Crimson\Crimson Editor\ShellExt.dll" [null data]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "F:\Programs\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "F:\Program Files\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
    -> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
    \InProcServer32\(Default) = "F:\Program Files\shellextension.dll" [MS]
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "F:\Programs\EWIDO security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\System\CurrentControlSet\Control\Session Manager\
    INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
    INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "F:\Programs\ADOBE\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {HKLM...CLSID} = "Ctest Object"
    \InProcServer32\(Default) = "F:\Programs\EWIDO security suite\context.dll" ["ewido networks"]
    HotKeyboard\(Default) = "{9493BF10-6A0A-11D3-AFB2-00C06C397814}"
    -> {HKLM...CLSID} = "HotKeyboard_ShellEx"
    \InProcServer32\(Default) = "F:\Programs\Hot_Key\HkShExt.dll" ["TB Labs"]
    IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
    -> {HKLM...CLSID} = "IZArc Shell Context Menu"
    \InProcServer32\(Default) = "F:\Programs\IZArc\IZArcCM.dll" [null data]
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
    -> {HKLM...CLSID} = "IEContextMenu Class"
    \InProcServer32\(Default) = "F:\Programs\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {HKLM...CLSID} = "Ctest Object"
    \InProcServer32\(Default) = "F:\Programs\EWIDO security suite\context.dll" ["ewido networks"]
    IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
    -> {HKLM...CLSID} = "IZArc Shell Context Menu"
    \InProcServer32\(Default) = "F:\Programs\IZArc\IZArcCM.dll" [null data]
    jetAudio\(Default) = "{8D1636FD-CA49-4b4e-90E4-0A20E03A15E8}"
    -> {HKLM...CLSID} = "JetFlExt"
    \InProcServer32\(Default) = "F:\Programs\JetFlExt.dll" ["JetAudio, Inc."]
    ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
    -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
    \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    HotKeyboard\(Default) = "{9493BF10-6A0A-11D3-AFB2-00C06C397814}"
    -> {HKLM...CLSID} = "HotKeyboard_ShellEx"
    \InProcServer32\(Default) = "F:\Programs\Hot_Key\HkShExt.dll" ["TB Labs"]
    jetAudio\(Default) = "{8D1636FD-CA49-4b4e-90E4-0A20E03A15E8}"
    -> {HKLM...CLSID} = "JetFlExt"
    \InProcServer32\(Default) = "F:\Programs\JetFlExt.dll" ["JetAudio, Inc."]
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
    -> {HKLM...CLSID} = "IEContextMenu Class"
    \InProcServer32\(Default) = "F:\Programs\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\

    HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Shaul" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\Shaul\Start Menu\Programs\Startup
    "PALM" -> shortcut to: "F:\Programs\PALM\AlarmApp.exe" ["Palm, Inc."]
    "My_key" -> shortcut to: "F:\Program Files\AutoHotkey\My_srcipts\My_key.exe" [null data]
    "HotSync Manager" -> shortcut to: "F:\Programs\PALM\HOTSYNC.EXE" ["Palm, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "ZoneAlarm Pro" -> shortcut to: "F:\Programs\ZoneAlarm\zapro.exe -nopopup" ["Zone Labs Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "Norton SystemWorks One Button Checkup" -> launches: "F:\Programs\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
    "Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
    "Norton AntiVirus - Scan my computer" -> launches: "F:\Programs\NORTON~2\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
    "Norton AntiVirus - Scan my computer - Shaul" -> launches: "F:\Programs\NORTON~2\NAVW32.EXE /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    F:\Programs\NetLimiter\nl_lsp.dll [null data], 01 - 05, 21
    %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20
    %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
    -> {HKLM...CLSID} = "Norton AntiVirus"
    \InProcServer32\(Default) = "F:\Programs\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
    -> {HKLM...CLSID} = "Norton AntiVirus"
    \InProcServer32\(Default) = "F:\Programs\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
    -> {HKLM...CLSID} = "FlashGet Bar"
    \InProcServer32\(Default) = "G:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
    -> {HKLM...CLSID} = "Norton AntiVirus"
    \InProcServer32\(Default) = "F:\Programs\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]
    "{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
    -> {HKLM...CLSID} = "Easy-WebPrint"
    \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKCU\Software\Microsoft\Internet Explorer\Extensions\
    {1CB13C88-96B6-11D6-9AF5-D12D26EE1F36}\
    "ButtonText" = "AccountLogon"
    "MenuText" = "AccountLogon"
    "Script" = "C:\WINDOWS\al-popup-shaul.html" [null data]

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_01"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "&#1502;&#1495;&#1511;&#1512;"

    {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
    "ButtonText" = "FlashGet"
    "MenuText" = "&FlashGet"
    "Exec" = "G:\PROGRA~1\FLASHGET\flashget.exe" ["Amaze Soft"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
    LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]
    Norton AntiVirus Auto Protect Service, navapsvc, ""F:\Programs\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
    Norton Unerase Protection, NProtectService, "F:\Programs\NORTON~3\NPROTECT.EXE" ["Symantec Corporation"]
    RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
    SAVScan, SAVScan, "F:\Programs\Norton Antivirus\SAVScan.exe" ["Symantec Corporation"]
    Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
    Speed Disk service, Speed Disk service, "F:\Programs\NORTON~3\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
    Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
    Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
    Symantec Password Validation, ccPwdSvc, ""C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
    SymWMI Service, SymWSC, "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
    Canon BJ Language Monitor PIXMA iP1500\Driver = "CNMLM5y.DLL" ["CANON INC."]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 47 seconds, including 18 seconds for message boxes)
     
Short URL to this thread: https://techguy.org/450559