Need help, i think my computer is infected...

Post by radzy » June 2nd, 2010, 12:46 pm

Description of the problem: my computer was attacked by a rootkit last week. I use Vista Home Basic with SP2, and my Norton 2009 AV detected it.
Since then I ran every anti-malware software I could find, and some of them detected and claimed to have removed the infected files.
However, my computer is still very slow, and once every few days Norton AV finds an infected file with Hacktool.Rootkit, usually accompanied by Trojan.Gen.
I don't know if it has to do with this, but when I try to use System Restore in order to return my computer to the last known working configuration, it tries to restore it, but after reboot it gives me an error saying that System Restore failed and my configuration didn't change.
Some of the anti-malware programs found the file c:\windows\system32\drivers\lpypwb.sys as malware, but it seems to me that they couldn't fix it...

here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:22:50, on 02/06/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Lexmark סרגל כלים - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - (no file)
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\system32\PxSecure.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Lexmark - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: Lexmark סרגל כלים - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\aelupsvc.dll,-1 (AeLookupSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30011 (AppHostSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\appinfo.dll,-100 (Appinfo) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\audiosrv.dll,-204 (AudioEndpointBuilder) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\audiosrv.dll,-200 (Audiosrv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\bfe.dll,-1001 (BFE) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\qmgr.dll,-1000 (BITS) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\browser.dll,-100 (Browser) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\certprop.dll,-11 (CertPropSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\cryptsvc.dll,-1001 (CryptSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: @oleres.dll,-5012 (DcomLaunch) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe
O23 - Service: @%SystemRoot%\system32\dhcpcsvc.dll,-100 (Dhcp) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\dnsapi.dll,-101 (Dnscache) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\dot3svc.dll,-1102 (dot3svc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\dps.dll,-500 (DPS) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\eapsvc.dll,-1 (EapHost) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\emdmgmt.dll,-1000 (EMDMgmt) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wevtsvc.dll,-200 (Eventlog) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @comres.dll,-2450 (EventSystem) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\fdPHost.dll,-100 (fdPHost) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\fdrespub.dll,-100 (FDResPub) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\FntCache.dll,-100 (FontCache) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
O23 - Service: @%SystemRoot%\System32\hidserv.dll,-101 (hidserv) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\kmsvc.dll,-6 (hkmsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\ikeext.dll,-501 (IKEEXT) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\IPBusEnum.dll,-102 (IPBusEnum) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\iphlpsvc.dll,-200 (iphlpsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: @comres.dll,-2946 (KtmRm) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\srvsvc.dll,-100 (LanmanServer) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\wkssvc.dll,-100 (LanmanWorkstation) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\lltdres.dll,-1 (lltdsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\lmhsvc.dll,-101 (lmhosts) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: @%systemroot%\system32\mmcss.dll,-100 (MMCSS) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\FirewallAPI.dll,-23090 (MpsSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\iscsidsc.dll,-5000 (MSiSCSI) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\msimsg.dll,-27 (msiserver) - Unknown owner - C:\Windows\system32\msiexec.exe
O23 - Service: @%SystemRoot%\system32\qagentrt.dll,-6 (napagent) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: @%SystemRoot%\system32\netman.dll,-109 (Netman) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\netprof.dll,-246 (netprofm) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\nlasvc.dll,-1 (NlaSvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: @%SystemRoot%\system32\nsisvc.dll,-200 (nsi) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%SystemRoot%\system32\p2psvc.dll,-8004 (p2pimsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\p2psvc.dll,-8006 (p2psvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\pcasvc.dll,-1 (PcaSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\pla.dll,-500 (pla) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\umpnpmgr.dll,-100 (PlugPlay) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\p2psvc.dll,-8002 (PNRPAutoReg) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\p2psvc.dll,-8000 (PNRPsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\polstore.dll,-5010 (PolicyAgent) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\profsvc.dll,-300 (ProfSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\rasauto.dll,-200 (RasAuto) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\rasmans.dll,-200 (RasMan) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @regsvc.dll,-1 (RemoteRegistry) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe
O23 - Service: @oleres.dll,-5010 (RpcSs) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: @%SystemRoot%\System32\SCardSvr.dll,-1 (SCardSvr) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\schedsvc.dll,-100 (Schedule) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\certprop.dll,-13 (SCPolicySvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\sdrsvc.dll,-107 (SDRSVC) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\Sens.dll,-200 (SENS) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\SessEnv.dll,-1026 (SessionEnv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\shsvcs.dll,-12288 (ShellHWDetection) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe
O23 - Service: @%SystemRoot%\system32\SLUINotify.dll,-103 (SLUINotify) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe
O23 - Service: @%systemroot%\system32\ssdpsrv.dll,-100 (SSDPSRV) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\sstpsvc.dll,-200 (SstpSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wiaservc.dll,-9 (stisvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\swprv.dll,-103 (swprv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\sysmain.dll,-1000 (SysMain) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\TabSvc.dll,-100 (TabletInputService) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\tapisrv.dll,-10100 (TapiSrv) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\tbssvc.dll,-100 (TBS) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\termsrv.dll,-268 (TermService) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\shsvcs.dll,-8192 (Themes) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\mmcss.dll,-102 (THREADORDER) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\trkwks.dll,-1 (TrkWks) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\servicing\TrustedInstaller.exe,-100 (TrustedInstaller) - Unknown owner - C:\Windows\servicing\TrustedInstaller.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe
O23 - Service: @%systemroot%\system32\upnphost.dll,-213 (upnphost) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\dwm.exe,-2000 (UxSms) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe
O23 - Service: @%SystemRoot%\system32\w32time.dll,-200 (W32Time) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wcncsvc.dll,-3 (wcncsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\WcsPlugInService.dll,-200 (WcsPlugInService) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%systemroot%\system32\wdi.dll,-502 (WdiServiceHost) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\wdi.dll,-500 (WdiSystemHost) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\webclnt.dll,-100 (WebClient) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wecsvc.dll,-200 (Wecsvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wercplsupport.dll,-101 (wercplsupport) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wersvc.dll,-100 (WerSvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103 (WinDefend) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\system32\winhttp.dll,-100 (WinHttpAutoProxySvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\wbem\wmisvc.dll,-205 (Winmgmt) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%Systemroot%\system32\wsmsvc.dll,-101 (WinRM) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%SystemRoot%\System32\wlansvc.dll,-257 (Wlansvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\wmpnetwk.exe
O23 - Service: @%SystemRoot%\system32\wpcsvc.dll,-100 (WPCSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wpdbusenum.dll,-100 (WPDBusEnum) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\Windows\System32\svchost.exe
O23 - Service: @%systemroot%\system32\SearchIndexer.exe,-103 (WSearch) - Unknown owner - C:\Windows\system32\SearchIndexer.exe
O23 - Service: @%systemroot%\system32\wuaueng.dll,-105 (wuauserv) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: @%SystemRoot%\system32\wudfsvc.dll,-1000 (wudfsvc) - Unknown owner - C:\Windows\system32\svchost.exe

--
End of file - 18524 bytes


and here is my uninstall list:

Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
Advertising Center
DolbyFiles
Download Accelerator Plus (DAP)
E-GOV.IL Sign&Verify Software - AGForm toolbar
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
K-Lite Codec Pack 4.9.5 (Full)
Lexmark
Lexmark 5600-6600 Series
Lexmark Tools for Office
Lexmark סרגל כלים
Ligature
Magic ISO Maker v5.5 (build 0276)
Menu Templates - Starter Kit
Microsoft .NET Framework 3.5 Language Pack SP1 - heb
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero Disc Copy Gadget
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
neroxml
Norton AntiVirus
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
OJOsoft Total Video Converter
Picasa 3
Prevx
PVSonyDll
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
SoundTrax
Subtitle Workshop 2.51
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WinDjView 1.0.3
WinRAR archiver
ערכת שפה של Microsoft .NET Framework 3.5 SP1 - heb



Thank you in advance!
radzy
Active Member
 
Posts: 7
Joined: June 2nd, 2010, 12:31 pm
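A small triage script, added here as an example and not part of the thread or of HijackThis itself: it walks lines in the HijackThis format posted above and flags the entries a helper would look up first, namely O2 BHOs whose DLL is gone ("(no file)") and O23 services with no recorded publisher. Built-in Vista services show "Unknown owner" because their display names are localized resource strings (`@...dll,-N (Name)`), so those and anything hosted by svchost.exe/lsass.exe are skipped to keep the noise down; the sample log is a constructed subset of lines from the post, and a flagged entry (such as the Lexmark `lxdu_device` service) is a lookup item, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - (no file)
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O23 - Service: @%SystemRoot%\system32\aelupsvc.dll,-1 (AeLookupSvc) - Unknown owner - C:\Windows\system32\svchost.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\Windows\System32\svchost.exe
"""

# "name - owner - path"; the owner may be empty, which HijackThis prints as "name - - path",
# so the separator before the path is written as an optional space followed by "- ".
O23_FIELDS = re.compile(r"^(?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.+)$")
# Vista/7 built-in services use a resource-string display name: "@<dll>,-<id> (<ServiceName>)".
RESOURCE_NAME = re.compile(r"^@.*,-\d+ \(")
# Services hosted by these binaries are ordinary system services, not stand-alone executables.
HOSTED_BY = ("svchost.exe", "lsass.exe")


@dataclass
class Finding:
    line: str
    reason: str


def parse_o23(body: str):
    """Return (name, owner, path) for the text after 'O23 - Service: ', or None if it does not parse."""
    m = O23_FIELDS.match(body)
    if not m:
        return None
    return m.group("name").strip(), m.group("owner").strip(), m.group("path").strip()


def triage(log_text: str) -> list:
    """Return the log lines a reviewer should look up first, each with the reason it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding(line, "BHO CLSID is registered but its DLL is missing"))
        elif line.startswith("O23 - Service: "):
            fields = parse_o23(line[len("O23 - Service: "):])
            if fields is None:
                continue
            name, owner, path = fields
            if RESOURCE_NAME.match(name):
                continue  # built-in service: "Unknown owner" is expected for resource-named entries
            if path.lower().endswith(HOSTED_BY):
                continue  # hosted system service, publisher field carries no signal here
            if owner in ("", "Unknown owner"):
                findings.append(Finding(line, f"service '{name}' runs its own binary but has no publisher recorded"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```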

Re: Need help, i think my computer is infected...

Post by Elrond » June 6th, 2010, 9:41 am

Shalom and Welcome to the forum radzy.
My name is Elrond, and I'll be helping you with any malware problems.
As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.
The logs I request need to be properly researched, and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.
Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.


Before we begin...please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. DO NOT run any other fix or removal tools unless instructed to do so!
  3. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched and can make the cleanup more difficult.
  4. Only post your problem at one (1) help site. Applying fixes from multiple help sites can cause problems.
  5. Print each set of instructions, if possible; your Internet connection will not be available during some fix processes.
  6. Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
    REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default)
    Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
  • Please Note:
    In Vista and Windows 7 you hopefully are not running as administrator and therefore will need to get into Administrator Mode by... Right clicking the program file & selecting: Run as Administrator.
    Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
    When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>>, do not proceed; post back with the question or problem.


Please note that I will be off line for about 26 hours (sundown Friday until nightfall Saturday my local time) every week.


End of preliminaries. What follows is related to analyzing what is on your computer and cleaning it up.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



OTL
Please download OTL by Old Timer. Save it to your Desktop.
  1. Right click on OTL.exe select "Run As Administrator" to run it. If prompted by UAC, please allow it.
  2. Under Output, ensure that Minimal Output is selected.
  3. Click the Scan All Users checkbox.
    Leave the remaining selections to the default settings.
  4. Click on Run Scan at the top left hand corner.
  5. When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened, maximized
    • Extras.txt <-- Will be minimized on task bar.
  6. Please post the contents of both OTListIt.txt and Extras.txt files in your next reply.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Please download GMER Rootkit Scanner from Here.
  • Right click the .exe file and choose Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)
    [image of the GMER scan options not included]

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logs/Information to Post in your Next Reply

  • OTListIt.txt
  • Extras.txt
  • The GMER log
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Need help, i think my computer is infected...

Post by radzy » June 6th, 2010, 1:08 pm

Shalom and thank you Elrond!
It is very kind of you to try and help me, and I'm fully sure that you will succeed!

Since my last post I noticed that my computer isn't acting so slowly.
However, my norton antivirus found more viruses, this time called "W32.Pilleuz" and claimed to have removed them...

I'm now posting the logs that you requested. I have the two logs of OTL, but Gmer failed to complete the scan. The program stops responding and windows closes it...

The first file is OTL.txt (I ran it twice, but wasn't the file supposed to be called OTListIt.txt?):

OTL logfile created on: 06/06/2010 20:04:22 - Run 2
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\owner\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 0000040d | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 375.94 Gb Free Space | 80.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ORIVENITZAN
Current User Name: owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\System32\msfeedssync.exe (Microsoft Corporation)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
PRC - C:\Windows\System32\lxducoms.exe ( )
PRC - C:\Windows\System32\spool\drivers\w32x86\3\lxduserv.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\hasplms.exe (Aladdin Knowledge Systems Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Users\owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (CSIScanner) -- C:\Program Files\Prevx\prevx.exe (Prevx)
SRV - (lxdu_device) -- C:\Windows\System32\lxducoms.exe ( )
SRV - (lxduCATSCustConnectService) -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe ()
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (Norton AntiVirus) -- C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe (Symantec Corporation)
SRV - (WAS) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\System32\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (hasplms) -- C:\Windows\System32\hasplms.exe (Aladdin Knowledge Systems Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (pxrts) -- C:\Windows\System32\drivers\pxrts.sys (Prevx)
DRV - (pxscan) -- C:\Windows\System32\drivers\pxscan.sys (Prevx)
DRV - (pxkbf) -- C:\Windows\System32\drivers\pxkbf.sys (Prevx)
DRV - (IDSVix86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100528.003\IDSvix86.sys (Symantec Corporation)
DRV - (lpypwb) -- C:\Windows\System32\drivers\lpypwb.sys ()
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100606.003\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100606.003\NAVENG.SYS (Symantec Corporation)
DRV - (ccHP) -- C:\Windows\System32\Drivers\NAV\1008000.029\ccHPx86.sys (Symantec Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (SymEFA) -- C:\Windows\system32\drivers\NAV\1008000.029\SYMEFA.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\System32\Drivers\NAV\1008000.029\SRTSP.SYS (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Windows\System32\Drivers\NAV\1008000.029\BHDrvx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\Windows\System32\Drivers\NAV\1008000.029\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMFW) -- C:\Windows\System32\Drivers\NAV\1008000.029\SYMFW.SYS (Symantec Corporation)
DRV - (SYMNDISV) -- C:\Windows\System32\Drivers\NAV\1008000.029\SYMNDISV.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\system32\drivers\NAV\1008000.029\SRTSPX.SYS (Symantec Corporation)
DRV - (SymIM) -- C:\Windows\System32\drivers\SymIMV.sys (Symantec Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (aksfridge) -- C:\Windows\system32\drivers\aksfridge.sys (Aladdin Knowledge Systems Ltd.)
DRV - (Hardlock) -- C:\Windows\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/06/02 19:14:59 | 000,000,806 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - No CLSID value found.
O2 - BHO: (AGFormHelperObj Class) - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\Program Files\agat\AGForm\AGFormsHelper.dll (Agat)
O2 - BHO: (SafeOnline BHO) - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\System32\PxSecure.dll (Prevx)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Lexmark ) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (AGForms) - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll (Agat)
O3 - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2186487272-3208527863-4151074708-1000..\Run: [DownloadAccelerator] C:\Program Files\DAP\DAP.EXE (SpeedBit Ltd.)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.117.235.235 62.219.186.7
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\owner\AppData\Roaming\Microsoft\Windows Photo Gallery\טפט גלריית התמונות של Windows.jpg
O24 - Desktop BackupWallPaper: C:\Users\owner\AppData\Roaming\Microsoft\Windows Photo Gallery\טפט גלריית התמונות של Windows.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 00:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/06 19:27:24 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2010/06/03 19:46:57 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Local\Apps
[2010/06/02 19:16:30 | 000,061,952 | ---- | C] (Prevx) -- C:\Windows\System32\PxSecure.dll
[2010/06/02 19:16:29 | 000,061,624 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxrts.sys
[2010/06/02 19:16:29 | 000,030,320 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxscan.sys
[2010/06/02 19:16:26 | 000,024,400 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxkbf.sys
[2010/06/02 19:16:25 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx
[2010/06/02 19:16:07 | 000,000,000 | ---D | C] -- C:\ProgramData\PrevxCSI
[2010/06/02 19:00:43 | 000,934,320 | ---- | C] (Prevx) -- C:\Users\owner\Desktop\PREVXCSIFREE.EXE
[2010/06/02 18:36:25 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\owner\Desktop\mbam-setup-1.46.exe
[2010/06/02 18:31:27 | 000,000,000 | ---D | C] -- C:\Users\owner\DoctorWeb
[2010/06/02 18:21:18 | 000,000,000 | ---D | C] -- C:\Users\owner\Desktop\RootRepeal
[2010/05/31 23:13:04 | 001,137,360 | ---- | C] (F-Secure Corporation) -- C:\Users\owner\Desktop\fsbl.exe
[2010/05/27 07:15:07 | 000,000,000 | ---D | C] -- C:\Users\owner\Documents\RegRun2
[2010/05/27 07:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/05/27 00:54:37 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/05/26 23:37:05 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Malwarebytes
[2010/05/26 23:36:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/26 23:23:34 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\owner\Desktop\HijackThis.exe
[2010/05/26 21:28:50 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/05/26 21:25:22 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/05/26 21:14:57 | 000,000,000 | RHSD | C] -- C:\RECYCLER
[2010/05/26 19:54:00 | 000,000,000 | ---D | C] -- C:\Users\owner\Desktop\תמונות נבחרות
[2009/11/10 08:18:58 | 000,651,264 | ---- | C] ( ) -- C:\Windows\System32\lxdupmui.dll
[2009/11/10 08:18:54 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\lxducomm.dll
[2009/10/15 22:32:46 | 000,409,600 | ---- | C] ( ) -- C:\Windows\System32\lxducoin.dll
[2009/08/03 22:55:46 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\LXDUhcp.dll
[2009/08/03 22:55:45 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxduinpa.dll
[2009/08/03 22:55:45 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxduiesc.dll
[2009/08/03 22:55:44 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxduserv.dll
[2009/08/03 22:55:44 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxduusb1.dll
[2009/08/03 22:55:43 | 000,577,536 | ---- | C] ( ) -- C:\Windows\System32\lxdulmpm.dll
[2009/08/03 22:55:41 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxduhbn3.dll
[2009/08/03 22:55:39 | 000,761,856 | ---- | C] ( ) -- C:\Windows\System32\lxducomc.dll

========== Files - Modified Within 30 Days ==========

[2010/06/06 20:04:57 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{8C378682-0261-44B6-958F-7E72ECCF7EE4}.job
[2010/06/06 20:04:25 | 002,883,584 | -HS- | M] () -- C:\Users\owner\ntuser.dat
[2010/06/06 19:53:42 | 000,034,895 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/06/06 19:53:41 | 000,034,895 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/06/06 19:53:26 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/06 19:53:26 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/06 19:53:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/06 19:53:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/06 19:52:07 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{2f2e13c5-5acc-11df-bb54-0024219c46ab}.TMContainer00000000000000000001.regtrans-ms
[2010/06/06 19:52:07 | 000,065,536 | -HS- | M] () -- C:\Users\owner\ntuser.dat{2f2e13c5-5acc-11df-bb54-0024219c46ab}.TM.blf
[2010/06/06 19:52:04 | 005,794,204 | -H-- | M] () -- C:\Users\owner\AppData\Local\IconCache.db
[2010/06/06 19:45:42 | 373,504,896 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/06 19:32:56 | 000,293,376 | ---- | M] () -- C:\Users\owner\Desktop\8eftkxbf.exe
[2010/06/06 19:27:30 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2010/06/06 00:24:38 | 000,049,664 | ---- | M] () -- C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/02 23:58:58 | 000,033,280 | ---- | M] () -- C:\Users\owner\Documents\קורות חיים ניצן רדזינר.doc
[2010/06/02 23:58:24 | 000,033,280 | ---- | M] () -- C:\Users\owner\Documents\קורות חיים - ניצן ארמה[1].doc
[2010/06/02 19:53:06 | 000,451,584 | ---- | M] () -- C:\Users\owner\Desktop\CKScanner.exe
[2010/06/02 19:16:30 | 000,061,952 | ---- | M] (Prevx) -- C:\Windows\System32\PxSecure.dll
[2010/06/02 19:16:29 | 000,061,624 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxrts.sys
[2010/06/02 19:16:29 | 000,030,320 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxscan.sys
[2010/06/02 19:16:26 | 000,024,400 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxkbf.sys
[2010/06/02 19:14:59 | 000,000,806 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/06/02 19:00:52 | 000,934,320 | ---- | M] (Prevx) -- C:\Users\owner\Desktop\PREVXCSIFREE.EXE
[2010/06/02 18:37:03 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\owner\Desktop\mbam-setup-1.46.exe
[2010/06/02 18:28:45 | 000,000,137 | ---- | M] () -- C:\Users\owner\AppData\Roaming\default.rss
[2010/06/02 18:24:04 | 042,657,480 | ---- | M] () -- C:\Users\owner\Desktop\l9hyt7ff.exe
[2010/06/02 18:16:55 | 000,465,298 | ---- | M] () -- C:\Users\owner\Desktop\RootRepeal.rar
[2010/05/31 23:13:10 | 001,137,360 | ---- | M] (F-Secure Corporation) -- C:\Users\owner\Desktop\fsbl.exe
[2010/05/31 22:22:06 | 001,253,826 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/31 22:22:06 | 000,644,676 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/31 22:22:06 | 000,406,822 | ---- | M] () -- C:\Windows\System32\perfh00D.dat
[2010/05/31 22:22:06 | 000,120,282 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/31 22:22:06 | 000,088,136 | ---- | M] () -- C:\Windows\System32\perfc00D.dat
[2010/05/27 07:15:26 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/05/27 07:15:26 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
[2010/05/27 07:15:26 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2010/05/27 07:08:29 | 000,446,592 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/05/27 07:05:33 | 000,001,152 | ---- | M] () -- C:\Windows\System32\drivers\lpypwb.sys
[2010/05/27 00:18:47 | 000,001,356 | ---- | M] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2010/05/26 23:23:37 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\owner\Desktop\HijackThis.exe
[2010/05/25 21:06:16 | 000,080,983 | ---- | M] () -- C:\Users\owner\Desktop\מסמך.rtf
[2010/05/24 09:33:05 | 000,010,883 | ---- | M] () -- C:\Users\owner\Desktop\אישור.docx
[2010/05/23 11:16:48 | 000,048,492 | ---- | M] () -- C:\Users\owner\Desktop\Sylab_Isr2(2010)__Yom[1].docx
[2010/05/09 22:12:57 | 000,076,800 | ---- | M] () -- C:\Users\owner\Desktop\1_108057297.doc
[2010/05/08 21:18:13 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{2f2e13c5-5acc-11df-bb54-0024219c46ab}.TMContainer00000000000000000002.regtrans-ms
[2010/05/08 21:09:15 | 000,524,288 | -HS- | M] () -- C:\Users\owner\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms
[2010/05/08 21:09:15 | 000,065,536 | -HS- | M] () -- C:\Users\owner\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf

========== Files Created - No Company Name ==========

[2010/06/06 19:32:53 | 000,293,376 | ---- | C] () -- C:\Users\owner\Desktop\8eftkxbf.exe
[2010/06/02 23:58:58 | 000,033,280 | ---- | C] () -- C:\Users\owner\Documents\קורות חיים ניצן רדזינר.doc
[2010/06/02 19:53:03 | 000,451,584 | ---- | C] () -- C:\Users\owner\Desktop\CKScanner.exe
[2010/06/02 18:20:09 | 042,657,480 | ---- | C] () -- C:\Users\owner\Desktop\l9hyt7ff.exe
[2010/06/02 18:16:51 | 000,465,298 | ---- | C] () -- C:\Users\owner\Desktop\RootRepeal.rar
[2010/05/27 07:15:26 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat
[2010/05/26 21:28:34 | 373,504,896 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/26 21:15:11 | 000,001,152 | ---- | C] () -- C:\Windows\System32\drivers\lpypwb.sys
[2010/05/25 20:18:16 | 000,080,983 | ---- | C] () -- C:\Users\owner\Desktop\מסמך.rtf
[2010/05/24 09:33:05 | 000,010,883 | ---- | C] () -- C:\Users\owner\Desktop\אישור.docx
[2010/05/23 11:16:55 | 000,048,492 | ---- | C] () -- C:\Users\owner\Desktop\Sylab_Isr2(2010)__Yom[1].docx
[2010/05/09 22:11:57 | 000,076,800 | ---- | C] () -- C:\Users\owner\Desktop\1_108057297.doc
[2010/05/08 21:18:13 | 000,524,288 | -HS- | C] () -- C:\Users\owner\ntuser.dat{2f2e13c5-5acc-11df-bb54-0024219c46ab}.TMContainer00000000000000000002.regtrans-ms
[2010/05/08 21:18:13 | 000,524,288 | -HS- | C] () -- C:\Users\owner\ntuser.dat{2f2e13c5-5acc-11df-bb54-0024219c46ab}.TMContainer00000000000000000001.regtrans-ms
[2010/05/08 21:18:13 | 000,065,536 | -HS- | C] () -- C:\Users\owner\ntuser.dat{2f2e13c5-5acc-11df-bb54-0024219c46ab}.TM.blf
[2009/12/12 10:46:10 | 000,168,448 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/12/12 10:46:10 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2009/12/12 10:46:07 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/12/12 10:46:06 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2009/12/12 10:46:06 | 000,205,824 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/12/12 10:46:03 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/12/12 10:46:03 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009/11/10 08:18:47 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdugrd.dll
[2009/10/14 13:36:24 | 000,102,400 | ---- | C] () -- C:\Windows\System32\lxduinsr.dll
[2009/10/14 13:36:20 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxducur.dll
[2009/10/14 13:36:08 | 000,147,456 | ---- | C] () -- C:\Windows\System32\lxdujswr.dll
[2009/09/24 04:54:47 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 23:00:54 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxduvs.dll
[2009/08/03 22:59:33 | 000,081,920 | ---- | C] () -- C:\Windows\System32\lxducaps.dll
[2009/08/03 22:59:32 | 001,036,288 | ---- | C] () -- C:\Windows\System32\lxdudrs.dll
[2009/08/03 22:59:32 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxducnv4.dll
[2009/08/03 22:59:15 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXDUPMON.DLL
[2009/08/03 22:59:15 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXDUFXPU.DLL
[2009/08/03 22:58:55 | 000,086,016 | ---- | C] () -- C:\Windows\System32\lxduoem.dll
[2009/08/03 22:56:41 | 000,000,044 | ---- | C] () -- C:\Windows\System32\lxdurwrd.ini
[2009/08/03 22:55:46 | 000,389,120 | ---- | C] () -- C:\Windows\System32\LXDUinst.dll
[2009/02/25 12:21:26 | 000,072,192 | R--- | C] () -- C:\Windows\System32\zlibwapi.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006/11/02 10:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:A9662AE0
< End of report >


The second is Extras.txt:

OTL Extras logfile created on: 06/06/2010 19:28:38 - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\owner\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 0000040d | Country: Israel | Language: HEB | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 375.93 Gb Free Space | 80.71% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ORIVENITZAN
Current User Name: owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"16874:TCP" = 16874:TCP:*:Enabled:spport
"6301:TCP" = 6301:TCP:*:Enabled:spport
"17872:TCP" = 17872:TCP:*:Enabled:spport
"18226:TCP" = 18226:TCP:*:Enabled:spport
"5163:TCP" = 5163:TCP:*:Enabled:spport
"14808:TCP" = 14808:TCP:*:Enabled:spport
"6316:TCP" = 6316:TCP:*:Enabled:spport
"25187:TCP" = 25187:TCP:*:Enabled:spport

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{240DA6AA-B2C8-4D78-8A67-AA4C91EEF435}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7C30B1F3-8F56-4275-8B0C-35CB55C07B7C}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{83616D27-96BB-49F4-8350-0D82F0265A0F}" = lport=10243 | protocol=6 | dir=in | app=system |
"{865E1A05-DFD2-4A0E-ADFC-3A5D2899A43A}" = rport=10243 | protocol=6 | dir=out | app=system |
"{8A8AE1F5-A35A-4FCA-9AC0-D3EB4554DA3F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{97F8AF82-D79F-41BF-86CB-B5A04FF0EA27}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{AA102873-3016-4FED-A144-E5FCE7B68B50}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BBE32857-EE35-410C-927F-C7B15D331E00}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{C5E8CE79-6129-4351-8841-248254D90DDA}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CC271173-30E3-44D0-9E21-8679A284499B}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01D4F9D3-4CA4-4B34-86DE-95452E70820E}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxduamon.exe |
"{0270D855-69F6-4A72-B4F5-9FE45D583E99}" = protocol=6 | dir=out | app=system |
"{098362CC-5BBD-43C6-A092-B96B4760ADFB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{0AD2C18F-8CC7-4E03-9B6D-640C4B10803A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1787CE43-B480-409D-A474-70CCA07EED93}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{20224D57-7C70-40F7-AF8F-1B89813D0C16}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059}" = protocol=6 | dir=in | app=c:\windows\system32\svchost.exe |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060}" = protocol=6 | dir=out | app=c:\windows\system32\svchost.exe |
"{2E00E7D0-BF32-4D2B-BCE2-3DA4F619B91C}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{33E6E634-38A7-428D-8C62-E57A5759D7EE}" = protocol=17 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{390E2F52-4BC1-4646-A34F-E6066850D73F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{41508AD5-16E4-46B7-A6EF-9605CF8F07E2}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{5356E21E-5D16-4FC8-9872-78085C7734DE}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{55C08008-B945-4B0D-8232-8D76999B871E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6007770B-F68B-4142-9A48-AED501CCDCF2}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{7D8A5C99-8811-4847-8291-80D263E9A200}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxdufax.exe |
"{93A91EBA-B31D-46D5-9C2D-1C6FAB834128}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{94DE4AAA-8563-48C6-912B-29FB1DCB574F}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{9C1BA01B-3FA4-4CB7-9A65-2529C3291E86}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{9D57DB43-70AF-4831-96CD-A06375C9B8B5}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{AB8C06CD-75DA-402E-98C5-C08C7EEF2251}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{B4788211-D9B2-40D0-8834-481B94D89368}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{B5F42978-9011-49F8-84F1-472DB67F5335}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{B6569465-DEB4-4CE6-97D5-3B615863A001}" = protocol=6 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{B79B36A6-3BB5-47C3-94C5-51582ECCF6C7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{C26C464A-F0CE-4208-832F-DAC2E6BE8364}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\frun.exe |
"{D12F654C-280A-4F5C-A8D9-C17689E8C6A9}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{ED19F123-2FB5-409E-A632-1A694312AC7C}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxduamon.exe |
"{F3DB1391-CD6E-4D33-B0A2-AD051D91A083}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxdufax.exe |
"{F57F714C-DB4E-4EA4-A4B1-DFEC422750C5}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\frun.exe |
"TCP Query User{3BCFDFE0-2188-4328-A85F-66D958A9E255}C:\users\owner\appdata\local\temp\wnhqinrh.exe" = protocol=6 | dir=in | app=c:\users\owner\appdata\local\temp\wnhqinrh.exe |
"TCP Query User{9B8EB63B-2D32-4919-8DAD-48B98ACC7775}C:\program files\dap\dap.exe" = protocol=6 | dir=in | app=c:\program files\dap\dap.exe |
"TCP Query User{A9C29A4B-9DEA-4190-B703-85FCA0E9B21E}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"TCP Query User{B777684B-DA93-44F1-8283-871C605F04C3}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{C7D91E96-19C4-47C6-ACE9-61E97B0B9EF8}C:\users\owner\appdata\local\temp\wnhqinrh.exe" = protocol=6 | dir=in | app=c:\users\owner\appdata\local\temp\wnhqinrh.exe |
"UDP Query User{02DD3A62-4D8B-49C6-ADB0-47B8DF51FE7C}C:\users\owner\appdata\local\temp\wnhqinrh.exe" = protocol=17 | dir=in | app=c:\users\owner\appdata\local\temp\wnhqinrh.exe |
"UDP Query User{4AC4FBE8-6716-48FB-BD97-7BBD24A4AB7E}C:\users\owner\appdata\local\temp\wnhqinrh.exe" = protocol=17 | dir=in | app=c:\users\owner\appdata\local\temp\wnhqinrh.exe |
"UDP Query User{80C083B7-07A7-41B4-B7ED-7401E456C214}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"UDP Query User{9A1F3325-FA86-4241-80C9-4151BF43B28A}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{EC4F67EB-EBFF-4F53-B586-55E7193CD9B1}C:\program files\dap\dap.exe" = protocol=17 | dir=in | app=c:\program files\dap\dap.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark סרגל כלים
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{18880887-285F-4260-989B-8B22020D756F}" = E-GOV.IL Sign&Verify Software - AGForm toolbar
"{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
"{359CFC0A-BEB1-440D-95BA-CF63A86DA34F}" = Nero Recode
"{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{961688FD-5FD8-3D21-BE82-ACB1800EBEA2}" = Microsoft .NET Framework 3.5 Language Pack SP1 - heb
"{9E82B934-9A25-445B-B8DF-8012808074AC}" = Nero PhotoSnap
"{A209525B-3377-43F4-B886-32F6B6E7356F}" = Nero WaveEditor
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{B83FC356-B7C0-441F-8A4D-D71E088E7974}" = NVIDIA PhysX
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark
"{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
"{DC05852F-1732-4538-A714-D584639484BE}" = Ligature
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1861F30-3419-44DB-B2A1-C274825698B3}" = Nero Disc Copy Gadget
"{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
"{fdd2f775-1e06-4ac2-96d0-3484e2f61a25}" = Nero 9
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.9.5 (Full)
"Lexmark 5600-6600 Series" = Lexmark 5600-6600 Series
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"Microsoft .NET Framework 3.5 Language Pack SP1 - heb" = ערכת שפה של Microsoft .NET Framework 3.5 SP1 - heb
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NAV" = Norton AntiVirus
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"OJOsoft Total Video Converter_is1" = OJOsoft Total Video Converter
"PCSI" = Prevx
"Picasa 3" = Picasa 3
"SubtitleWorkshop" = Subtitle Workshop 2.51
"WinDjView" = WinDjView 1.0.3
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2186487272-3208527863-4151074708-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01/06/2010 14:17:06 | Computer Name = OriVeNitzan | Source = Application Hang | ID = 1002
Description = ‏‏התוכנית WINWORD.EXE מגירסה 12.0.4518.1014 הפסיקה לקיים אינטראקציה
עם Windows ונסגרה. כדי לברר אם זמין מידע נוסף אודות הבעיה, בדוק את היסטוריית הבעיה
בלוח הבקרה של פתרונות ודוחות של בעיות. מזהה תהליך: 10c8 זמן התחלה: 01cb018ddb224f4a
זמן
סיום: 2

Error - 02/06/2010 00:25:59 | Computer Name = OriVeNitzan | Source = Application Hang | ID = 1002
Description = ‏‏התוכנית ccSvcHst.exe מגירסה 108.1.1.10 הפסיקה לקיים אינטראקציה עם
Windows ונסגרה. כדי לברר אם זמין מידע נוסף אודות הבעיה, בדוק את היסטוריית הבעיה
בלוח הבקרה של פתרונות ודוחות של בעיות. מזהה תהליך: fa0 זמן התחלה: 01cb00fd0f43b933
זמן
סיום: 60000

Error - 02/06/2010 00:29:48 | Computer Name = OriVeNitzan | Source = WinMgmt | ID = 10
Description =

Error - 02/06/2010 11:28:11 | Computer Name = OriVeNitzan | Source = Perflib | ID = 1010
Description =

Error - 02/06/2010 12:26:17 | Computer Name = OriVeNitzan | Source = VSS | ID = 8194
Description =

Error - 02/06/2010 12:54:24 | Computer Name = OriVeNitzan | Source = Application Hang | ID = 1002
Description = ‏‏התוכנית CKScanner.exe מגירסה 1.6.1.0 הפסיקה לקיים אינטראקציה עם
Windows ונסגרה. כדי לברר אם זמין מידע נוסף אודות הבעיה, בדוק את היסטוריית הבעיה
בלוח הבקרה של פתרונות ודוחות של בעיות. מזהה תהליך: 408 זמן התחלה: 01cb027422a83708
זמן
סיום: 2

Error - 03/06/2010 11:41:42 | Computer Name = OriVeNitzan | Source = WinMgmt | ID = 10
Description =

Error - 03/06/2010 15:19:28 | Computer Name = OriVeNitzan | Source = Application Hang | ID = 1002
Description = ‏‏התוכנית CKScanner.exe מגירסה 1.6.1.0 הפסיקה לקיים אינטראקציה עם
Windows ונסגרה. כדי לברר אם זמין מידע נוסף אודות הבעיה, בדוק את היסטוריית הבעיה
בלוח הבקרה של פתרונות ודוחות של בעיות. מזהה תהליך: cd4 זמן התחלה: 01cb035196220f8f
זמן
סיום: 2

Error - 04/06/2010 09:56:49 | Computer Name = OriVeNitzan | Source = WinMgmt | ID = 10
Description =

Error - 05/06/2010 13:42:12 | Computer Name = OriVeNitzan | Source = WinMgmt | ID = 10
Description =

[ OSession Events ]
Error - 27/04/2010 09:20:50 | Computer Name = OriVeNitzan | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 25058
seconds with 6960 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 02/06/2010 12:25:59 | Computer Name = OriVeNitzan | Source = LSM | ID = 1048
Description =

Error - 02/06/2010 12:26:04 | Computer Name = OriVeNitzan | Source = LSM | ID = 1048
Description =

Error - 02/06/2010 12:27:28 | Computer Name = OriVeNitzan | Source = LSM | ID = 1048
Description =

Error - 03/06/2010 11:41:07 | Computer Name = OriVeNitzan | Source = EventLog | ID = 6008
Description = The previous system shutdown at 18:24:11 on 03/06/2010 was unexpected.

Error - 03/06/2010 11:41:40 | Computer Name = OriVeNitzan | Source = LSM | ID = 1048
Description =

Error - 03/06/2010 11:41:43 | Computer Name = OriVeNitzan | Source = Service Control Manager | ID = 7026
Description =

Error - 04/06/2010 09:56:53 | Computer Name = OriVeNitzan | Source = LSM | ID = 1048
Description =

Error - 04/06/2010 09:56:53 | Computer Name = OriVeNitzan | Source = Service Control Manager | ID = 7026
Description =

Error - 05/06/2010 13:42:12 | Computer Name = OriVeNitzan | Source = LSM | ID = 1048
Description =

Error - 05/06/2010 13:42:12 | Computer Name = OriVeNitzan | Source = Service Control Manager | ID = 7026
Description =


< End of report >

Thank you again, and let me know what to do next!
radzy
Active Member
 
Posts: 7
Joined: June 2nd, 2010, 12:31 pm
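
As an added illustration (my code, not part of radzy's post and not an OTL feature), the following Python script parses the Vista firewall exception lines from the log above and flags the pattern a helper looks for in them: inbound "Query User" rules, which Windows Firewall typically writes when someone answers Unblock to a firewall prompt, for an executable living in a user-writable temp folder, as with the wnhqinrh.exe entries. The sample input is copied from the log above; the path markers and severity labels are heuristics chosen for this example, not anything OTL or the forum defines.

```python
"""Triage Vista firewall exception entries from an OTL log (added example)."""
import re

RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')
PROTOCOLS = {"6": "TCP", "17": "UDP"}

# Path fragments for locations an ordinary user can write to. A program that
# asked for an inbound exception from one of these is worth a second look.
# (Heuristic chosen for this example, not an OTL or forum convention.)
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\")

# Sample input copied from the OTL log above (GUID rules and "Query User" rules).
SAMPLE_RULES = r"""
"{2E00E7D0-BF32-4D2B-BCE2-3DA4F619B91C}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{B4788211-D9B2-40D0-8834-481B94D89368}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"TCP Query User{3BCFDFE0-2188-4328-A85F-66D958A9E255}C:\users\owner\appdata\local\temp\wnhqinrh.exe" = protocol=6 | dir=in | app=c:\users\owner\appdata\local\temp\wnhqinrh.exe |
"UDP Query User{02DD3A62-4D8B-49C6-ADB0-47B8DF51FE7C}C:\users\owner\appdata\local\temp\wnhqinrh.exe" = protocol=17 | dir=in | app=c:\users\owner\appdata\local\temp\wnhqinrh.exe |
"TCP Query User{B777684B-DA93-44F1-8283-871C605F04C3}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"""


def parse_rule(line):
    """Turn one FirewallRules line into a dict; None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"name": m.group("name")}
    for field in m.group("body").split("|"):
        if "=" in field:
            key, value = field.split("=", 1)
            rule[key.strip()] = value.strip().lower()
    # OTL prints IANA protocol numbers; translate the two that matter here.
    rule["protocol"] = PROTOCOLS.get(rule.get("protocol"), rule.get("protocol"))
    return rule


def triage(log_text):
    """Return the inbound rules worth reviewing, each with a severity and reasons."""
    findings = []
    for line in log_text.splitlines():
        rule = parse_rule(line)
        if rule is None or "app" not in rule or rule.get("dir") != "in":
            continue
        in_user_dir = any(marker in rule["app"] for marker in USER_WRITABLE_MARKERS)
        from_prompt = rule["name"].startswith(("TCP Query User", "UDP Query User"))
        if not (in_user_dir or from_prompt):
            continue
        reasons = []
        if in_user_dir:
            reasons.append("executable lives in a user-writable temp/appdata folder")
        if from_prompt:
            reasons.append("exception created by answering a firewall prompt")
        findings.append({
            "app": rule["app"],
            "protocol": rule["protocol"],
            "severity": "high" if in_user_dir else "info",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        print(f["severity"].upper(), f["protocol"], f["app"], "-", "; ".join(f["reasons"]))
```

Run against the full "Vista Active Application Exception List" section, the script reports the two wnhqinrh.exe rules as high and the browser and BitTorrent prompt-created rules as informational; an exception for a program in a temp folder is not proof of infection, but it is exactly the kind of entry to compare against the rest of the log.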

Re: Need help, i think my computer is infected...

Unread postby Elrond » June 7th, 2010, 12:16 am

Shalom Nitzan

From your present comments I can already see that you should know

Backdoor Warning
Your computer has multiple infections, including a Backdoor.
A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge.
A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
Typically it's installed without user interaction through security exploits, and can severely compromise system security.
Such infections may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware.
These backdoor infections may also collect and transmit personally identifiable information, without your consent and severely degrade the performance and stability of your computer.
A backdoor infection can give intruders complete control of your computer, log your keystrokes, obtain passwords, steal personal information, etc.

You are strongly advised to do the following:
  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft
    and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords
    (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
    Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again.
Many experts in the security community believe that once infected with this type of Trojan,
the best course of action would be to do a reformat and re-installation of the operating system (OS).
This decision will have to be made by you...

We can attempt to clean this machine but we will not guarantee that it won't still be compromised, afterwards.

To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
How and Where to backup your files
Restoring your backups

This tells you a bit more about what this backdoor worm W32.Pilleuz does according to Symantec's analysis.
The worm then opens a back door on the compromised computer that allows a remote attacker to perform the following actions:

* Access local files
* Download files, including updates to the worm
* Execute arbitrary commands
* Perform denial of service attacks
* Modify the hosts file
* Steal information from Web browsers, including cookies and saved passwords


Please let me know how you would like to proceed.
Thanks
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Need help, i think my computer is infected...

Unread postby radzy » June 7th, 2010, 2:54 am

Elrond,
thank you for your fast reply.

I wish to continue with the process of trying to remove the infection, rather than formatting the computer.
radzy
Active Member
 
Posts: 7
Joined: June 2nd, 2010, 12:31 pm

Re: Need help, i think my computer is infected...

Unread postby Elrond » June 7th, 2010, 10:20 am

OK.

Security Check

  • Download Security Check by screen317 from:
  • Save it to your Desktop.
  • Right click SecurityCheck.exe and select "Run as administrator", then follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

RootRepealer
  • Please download RootRepeal Beta and save it to your Desktop.
  • close all other programs then run it by double-clicking on the file named RootRepeal.exe
  • Once the main window shows up, please click on the Report button on the bottom of the window.
  • Next, please click the Scan button.
  • Another window will pop up asking you to select what to include in the scan. Please uncheck everything except for the Stealth Code checkbox, and then click OK.
  • Once the program has finished scanning, the results will appear. Click on the Save Report button, and save the report to your Desktop.
  • Please post the log in your next reply.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. I repeat, this tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Please include in your next reply:
  1. Any problem executing the instructions?
  2. Checkup.txt from Security Check
  3. The RootRepeal log
  4. ComboFix.txt From ComboFix
  5. How is the computer behaving?
Thanks,
Elrond
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Need help, i think my computer is infected...

Unread postby radzy » June 8th, 2010, 2:45 am

Elrond!

Thank you very much for all your help so far.
My computer couldn't run RootRepealer and Combofix (I got error messages and the programmes stopped responding...).

I gave up, I'm formatting my computer.

Thanks again for your kind help!
radzy
Active Member
 
Posts: 7
Joined: June 2nd, 2010, 12:31 pm

Re: Need help, i think my computer is infected...

Unread postby Elrond » June 9th, 2010, 9:47 am

Hi radzy

I believe that you chose the right solution. It could be that we could have gotten rid of the malware that we could see but it is today impossible to be sure that it is really clean after an infection such as the one you had.


Now we need to deal with security vulnerabilities


Install internet explorer 8

You can find information and install IE 8 from Here


Here are some free programs I recommend that could help you improve your computer's security.


Install Malwarebytes Anti-malware
These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
You can find information and Download it from HERE

Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE


MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check


Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update > Check for updates.
To update Office
Open up any Office program.
Go to Help > Check for Updates


Read some information HERE On how to prevent Malware

Is your pc running slow?
Read What to do if your Computer is running slowly


I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!

Elrond
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
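
To make concrete what the MVPS HOSTS paragraph above describes, here is an added Python example (mine, not Elrond's and not part of the MVPS package) that reads a HOSTS file and separates blocking entries, which point names at 127.0.0.1 or 0.0.0.0 so the connection never leaves the machine, from entries that point a name at some other address, which is what the "modify the hosts file" behaviour in the Symantec description looks like on disk. The sample file content is constructed for this example; the hostnames use the reserved .test domain and a documentation-range IP address.

```python
"""Classify HOSTS file entries as local blocks or suspicious redirects (added example)."""
import ipaddress

# Constructed sample in the layout an MVPS-style HOSTS file uses: the stock
# localhost lines, two blocking entries, and three names sent to a foreign
# address of the kind a hosts-file hijack leaves behind. Not a real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.adnetwork.test
127.0.0.1 tracker.counter.test   # blocked: resolves to this computer
203.0.113.7 updates.antivirus-vendor.test
203.0.113.7 windowsupdate.vendor.test www.vendor.test
not a valid line
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; unparseable lines come back as (None, line)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((None, line))
            continue
        if len(parts) < 2:
            entries.append((None, line))
            continue
        for host in parts[1:]:                 # one address may name several hosts
            entries.append((ip, host.lower()))
    return entries


def classify_entry(ip, host):
    """'localhost' for the stock entries, 'block' for loopback/0.0.0.0 sinks,
    'redirect' for any name sent to a real address, 'invalid' otherwise."""
    if ip is None:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "localhost" if host == "localhost" else "block"
    return "redirect"


def summarize(text):
    """Count each category and list the redirects, which need a human decision."""
    summary = {"localhost": 0, "block": 0, "redirect": 0, "invalid": 0, "redirects": []}
    for ip, host in parse_hosts(text):
        kind = classify_entry(ip, host)
        summary[kind] += 1
        if kind == "redirect":
            summary["redirects"].append((host, str(ip)))
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_HOSTS)
    print({k: v for k, v in result.items() if k != "redirects"})
    for host, ip in result["redirects"]:
        print("REVIEW:", host, "->", ip)
```

On a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts; a clean MVPS install should produce only "localhost" and "block" counts, so any "redirect" line is either something you added deliberately or something to investigate.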
Location: Jerusalem

Re: Need help, i think my computer is infected...

Unread postby radzy » June 10th, 2010, 8:07 am

Elrond,

thank you for your recommendations.
I have a question: do you recommend installing all these programs together?
An anti-virus + Malwarebytes + WinPatrol... isn't it a little "heavy" for the computer?
radzy
Active Member
 
Posts: 7
Joined: June 2nd, 2010, 12:31 pm

Re: Need help, i think my computer is infected...

Unread postby Elrond » June 10th, 2010, 10:03 am

Not really. I would also add a Firewall to the mix. You do need one of each of AntiVirus, Antimalware and Firewall. Winpatrol plays nicely with all of those programs and gives you an extra layer of protection besides a very useful capability of controlling what programs run at start up.
Malwarebytes Anti-malware is an excellent anti-Malware program and the paid version does a good check of what comes in to your computer besides scanning for new infections daily.


To protect your computer from infection...download a (free for personal use) anti-virus program from one these reliable vendors.

  1. Antivir PersonalEdition Classic - Superior detection, the "free" version has no email scan.
  2. avast! Free Antivirus - Excellent detection, the freeware version includes email scanning.
  3. Microsoft Security Essentials ** - New, from Microsoft, with email scanning, easy to install, easy to use.
    ** Your PC must run genuine Windows to install Microsoft Security Essentials.

A good (pay for) Anti-virus program is ESET NOD32 Antivirus - 30 day free trial.

Installing a new AV product.
Do NOT uninstall any existing anti-virus product yet!
  1. Download the new Anti-virus product to your computer.
  2. Save any work. Close all applications, especially your Internet connection.
  3. Uninstall any existing anti-virus product... Use the AV uninstall option if available.
  4. Reboot your computer, if not done during the uninstall.
  5. Install the new AV product... following installation instructions.
  6. Check for updates to the new AV product, if not done during install setup.
  7. Run a full scan of your computer.
It is strongly recommended that you run only one antivirus program at a time.
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world.
Firewalls protect against hackers and malicious intruders.
If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these excellent vendors:
  1. Online Armor Free (Free version at bottom of page (XP/Vista/W7 (32bit).) 64bit version not available yet. Some reported conflicts with Avira AntiVir.
  2. ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
  3. Ashampoo
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install and have active, only one firewall at the same time. If you install one of these firewalls, remember to turn off Windows' firewall.

The programs above should be the first things installed once you have reformatted and then you should run the Windows update until no more important updates are offered. It is a nuisance but an unprotected computer running XP will on the average last only a few minutes before it is infected. :twisted:

Just a quick question: Where in Israel do you live? I am a Jerushalmi.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Need help, i think my computer is infected...

Unread postby radzy » June 10th, 2010, 12:58 pm

Thank you very much for your advice!

(Born and raised in Tel Aviv, now in Haifa as I'm about to begin my studies in the Technion in a few months)
radzy
Active Member
 
Posts: 7
Joined: June 2nd, 2010, 12:31 pm

Re: Need help, i think my computer is infected...

Unread postby Elrond » June 10th, 2010, 1:37 pm

Good luck, b'hazlacha. :D
If you need any help you can PM me. :D
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Need help, i think my computer is infected...

Unread postby Elrond » June 11th, 2010, 8:10 am

radzy this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem