0

I had a little virus attack on my computer. I did my best to get rid of them, but some things, like Norton WMI Update, still don't work. Would you be so kind as to have a look at my HJT log? (Windows 2000)

Logfile of HijackThis v1.98.2
Scan saved at 12:23:12, on 30/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\הפוך על הפוך\hebrew.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\dls\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D788EA0-403D-4FEE-A520-95B2284A14B0}: NameServer = 62.219.186.7 192.115.106.35

0

Have you tried running Norton's Live Update to see if that would fix your WMI problem?

I don't see anything obvious (to me) in your log; maybe one of the pros can spot something.

0

Have you tried disabling ZoneAlarm temporarily, and then tried the update? Just a thought, as I've seen ZoneAlarm do some really odd things before.

0

I've tried uninstalling Norton AntiVirus, then I uninstalled ZoneAlarm, and then I reinstalled Norton AntiVirus, but I still have the WMI problem, and the computer still runs too slowly.

Here is a new log, this time without ZoneAlarm:

Logfile of HijackThis v1.98.2
Scan saved at 07:32:28, on 08/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\dls\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D788EA0-403D-4FEE-A520-95B2284A14B0}: NameServer = 62.219.186.7 192.115.106.35

0

If the HJT log looks OK, how come the Norton AntiVirus scan finds:

Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
08/10/2004 14:34:52,Virus scanner,Hacktool.Keygen.151552,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: E:\RECYCLED\De1.exe,Description: The file E:\RECYCLED\De1.exe is a Hack tool threat."
08/10/2004 14:34:52,Virus scanner,Hacktool.Keygen.151552,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: Symantec.Norton.Antivirus.2004.Professional.v10.0.0.109.WinAll.Incl.Keygenerator-TMG\keygen.exe,Description: The compressed file keygen.exe within C:\Program Files\eMule\incoming\ntnaivs.2004.Pro.Final.With.Crack.[oshrinu].[LioNetwork.net].rar is a Hack tool threat."
08/10/2004 13:26:43,Virus scanner,W32.Netsky.D@mm,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: document_full.pif,Description: The email attachment document_full.pif is infected with the W32.Netsky.D@mm virus."
08/10/2004 12:14:28,Virus scanner,W32.Netsky.P@mm!enc,Quarantined,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: C:\DOCUME~1\SMADDA~1.PC-\LOCALS~1\Temp\CC249.tmp,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\CC249.tmp is infected with the W32.Netsky.P@mm!enc virus."
08/10/2004 12:14:28,Virus scanner,W32.Netsky.P@mm,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: message.scr,Description: The email attachment message.scr is infected with the W32.Netsky.P@mm virus."
08/10/2004 12:04:32,Virus scanner,W32.Netsky.P@mm,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: data.pif,Description: The email attachment data.pif is infected with the W32.Netsky.P@mm virus."
08/10/2004 12:04:32,Virus scanner,W32.Netsky.P@mm!enc,Quarantined,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: C:\DOCUME~1\SMADDA~1.PC-\LOCALS~1\Temp\CC247.tmp,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\CC247.tmp is infected with the W32.Netsky.P@mm!enc virus."
08/10/2004 10:51:13,Auto-Protect,Backdoor.Sdbot.AC,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,Administrator,PC-HOME,Source: C:\WINNT\system32\svchos.exe
08/10/2004 10:49:45,Auto-Protect,Backdoor.Sdbot.AC,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,Administrator,PC-HOME,Source: C:\WINNT\system32\svchos.exe
08/10/2004 10:20:47,Virus scanner,W32.Netsky.D@mm,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: your_file.pif,Description: The email attachment your_file.pif is infected with the W32.Netsky.D@mm virus."
08/10/2004 10:11:49,Auto-Protect,W32.Randex,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,Administrator,PC-HOME,Source: C:\WINNT\system32\msnmsgr.exe
08/10/2004 09:12:58,Auto-Protect,W32.Randex.BLD,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,Administrator,PC-HOME,Source: C:\WINNT\system32\rcf.exe
08/10/2004 07:48:13,Auto-Protect,W32.Spybot.Worm,Automatically deleted,File,N/A,N/A,200410060020,10.0.0.109,Administrator,PC-HOME,Source: C:\WINNT\system32\svchosts.exe

and Panda ActiveScan finds:


Incident Status Location
Virus:W32/Sdbot.gen.worm Disinfected C:\WINNT\system32\payload.dat
Virus:W32/Sdbot.gen.worm Disinfected C:\WINNT\system32\MSsrvs32.exe

Every time I scan my computer I find some threats. Do you think you can help me get my computer back? :(


And by the way, does it make sense that the size of the "WINNT" folder is 1.25 GB?

0

I scanned again with Panda ActiveScan. This time 5 threats were found:


Incident Status Location
Virus:W32/Sdbot.gen.worm No disinfected Operating system
Virus:W32/Sdbot.gen.worm Disinfected C:\WINNT\system32\payload.dat
Virus:W32/Sdbot.gen.worm No disinfected C:\WINNT\system32\MSsrvs32.exe
Virus:W32/Sdbot.gen.worm Disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C9QZCL2R\new2[1].exe
Virus:W32/Sdbot.gen.worm Disinfected C:\Documents and Settings\smaddar.PC-HOME\payload.dat
Virus:W32/Sdbot.gen.worm Disinfected C:\nuevo23.exe

0

If you find the time, when you find the time, here is a new HJT as well:

Logfile of HijackThis v1.98.2
Scan saved at 16:09:11, on 09/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\filtax.exe
C:\WINNT\SYSTEM32\hgdhp.exe
C:\WINNT\system32\mxxcva.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\filtax.exe
C:\WINNT\system32\mxxcva.exe
C:\dls\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,00.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\Run: [VQVQEVXfxcX] C:\WINNT\SYSTEM32\hgdhp.exe
O4 - HKLM\..\Run: [sdfwfq] mxxcva.exe
O4 - HKLM\..\Run: [cftmon] cftmon.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\RunServices: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\RunServices: [sdfwfq] mxxcva.exe
O4 - HKLM\..\RunServices: [cftmon] cftmon.exe
O4 - HKLM\..\RunOnce: [LUSETUP-LT] C:\PROGRA~1\Symantec\LIVEUP~1\LUSETU~1.EXE -s -a -q -log
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKCU\..\Run: [sdfwfq] mxxcva.exe
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D788EA0-403D-4FEE-A520-95B2284A14B0}: NameServer = 192.115.106.31 192.115.106.35
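
Added example (not part of the original thread, and not code from HijackThis or any poster): a Python script that diffs the O4 autorun lines of two HijackThis logs and flags new executables whose names are within two edits of a Windows system binary, as with `cftmon.exe` in the 09/10/2004 log and the `svchos.exe` / `svchosts.exe` files in the Norton report. The O4 lines are excerpts copied from the logs above; the function names, the `KNOWN_SYSTEM` list and the distance threshold of 2 are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpts of O4 lines from the 08/10/2004 and 09/10/2004 logs in this thread
# (trimmed to a few entries to keep the example short).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\Run: [VQVQEVXfxcX] C:\WINNT\SYSTEM32\hgdhp.exe
O4 - HKLM\..\Run: [sdfwfq] mxxcva.exe
O4 - HKLM\..\Run: [cftmon] cftmon.exe
O4 - HKLM\..\RunServices: [cftmon] cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [sdfwfq] mxxcva.exe
"""

# Assumption: a small reference list of system binaries, all of which appear
# in the "Running processes" sections of the logs in this thread.
KNOWN_SYSTEM = {"ctfmon.exe", "svchost.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "explorer.exe", "spoolsv.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|scr|pif))(?![\w.])", re.I)


def parse_o4(log_text):
    """Return a set of (registry key, value name, command) for each O4 line."""
    entries = set()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries.add((f"{hive}\\{key}", name, cmd.strip()))
    return entries


def basename(cmd):
    """Lower-cased executable name from an autorun command line."""
    cmd = cmd.lstrip('"')
    m = EXE_RE.match(cmd)
    path = m.group(1) if m else (cmd.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe, max_distance=2):
    """Closest known system binary if exe is a near-miss, else None."""
    exe = exe.lower()
    if exe in KNOWN_SYSTEM:
        return None  # exact name; the file's path still needs checking
    best = min((edit_distance(exe, k), k) for k in sorted(KNOWN_SYSTEM))
    return best[1] if best[0] <= max_distance else None


def triage(before_text, after_text):
    """Autoruns present only in the later log, grouped by executable."""
    new = parse_o4(after_text) - parse_o4(before_text)
    keys = defaultdict(set)
    for key, _name, cmd in new:
        keys[basename(cmd)].add(key)
    return {exe: {"keys": sorted(k), "lookalike_of": lookalike_of(exe)}
            for exe, k in keys.items()}


if __name__ == "__main__":
    for exe, info in sorted(triage(LOG_BEFORE, LOG_AFTER).items()):
        note = f" (resembles {info['lookalike_of']})" if info["lookalike_of"] else ""
        print(f"NEW {exe}{note}: {', '.join(info['keys'])}")
```

An executable registered under several autorun keys at once, or named one or two characters away from a system binary, is a triage lead for manual review, not proof of infection on its own.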

0

I believe in you, and I know that sooner or later you will help me :)

Meanwhile, I have a new message when I restart the computer:

WINUSER32.EXE
access to the specified device, path, or file, is denied.

A lot of other strange things happen to this machine. As if it is out of its mind :)

Waiting for your advice.

0

Download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while, so have a cuppa whilst it's running :).

http://www.trendmicro.com/download/dcs.asp

Be sure to download and install the latest pattern file. There's a link to it in the lower left-hand column of the page. It will not run without the pattern file.

From Trend:

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.

0

Thank you, Crunchie.

I followed your advice, but it seems (to me) that nothing was found:


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/

2004-10-10, 08:03:00, Auto-clean mode specified.
2004-10-10, 08:03:00, Running scanner "C:\dls\sysclean\TSC.BIN"...
2004-10-10, 08:03:42, Scanner "C:\dls\sysclean\TSC.BIN" has finished running.
2004-10-10, 08:03:42, TSC Log:
Damage Cleanup Engine (DCE) 3.6(Build 1120)
Windows 2000(Build 2195: Service Pack 4)
Start time : וקטובר 10 2004 08:03:01
Load Damage Cleanup Template (DCT) "C:\dls\sysclean\tsc.ptn" (version 430) [success]
Complete time : וקטובר 10 2004 08:03:42
Execute pattern count(1275), Virus found count(0), Virus clean count(0), Clean failed count(0)
2004-10-10, 08:13:36, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2004-10-10, 08:13:36, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\SOFTWARE": Access is denied.
2004-10-10, 08:13:37, An error occurred while scanning file "C:\WINNT\system32\config\DEFAULT": Access is denied.
2004-10-10, 08:37:01, An error occurred while scanning file "C:\Documents and Settings\smaddar.PC-HOME\NTUSER.DAT": Access is denied.
2004-10-10, 08:37:01, An error occurred while scanning file "C:\Documents and Settings\smaddar.PC-HOME\NTUSER.DAT.LOG": Access is denied.
2004-10-10, 08:37:43, An error occurred while scanning file "C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2004-10-10, 08:37:43, An error occurred while scanning file "C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2004-10-10, 08:43:50, An error occurred while scanning file "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll": Access is denied.
2004-10-10, 09:06:04, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 10:37:51, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 09:06:08
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\dls\sysclean
62852 files have been read.
62852 files have been checked.
28763 files have been scanned.
41092 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:37:51
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:37:51, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 09:06:07
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\dls\sysclean
62852 files have been read.
62852 files have been checked.
28763 files have been scanned.
41092 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:37:51 1 hour 31 minutes 42 seconds (5502.12 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:37:51, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 09:06:08
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\dls\sysclean
62852 files have been read.
62852 files have been checked.
28763 files have been scanned.
41092 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:37:51 1 hour 31 minutes 42 seconds (5502.12 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:37:51, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.
2004-10-10, 10:41:31, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 10:41:53, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:41:33
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\dls\sysclean
380 files have been read.
380 files have been checked.
166 files have been scanned.
166 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:41:53
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:41:53, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:41:33
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\dls\sysclean
380 files have been read.
380 files have been checked.
166 files have been scanned.
166 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:41:53 18 seconds (17.43 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:41:53, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:41:33
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\dls\sysclean
380 files have been read.
380 files have been checked.
166 files have been scanned.
166 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:41:53 18 seconds (17.43 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:41:53, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.
2004-10-10, 10:46:03, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 10:47:24, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:46:05
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\dls\sysclean
1270 files have been read.
1270 files have been checked.
505 files have been scanned.
509 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:47:24
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:47:24, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:46:05
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\dls\sysclean
1270 files have been read.
1270 files have been checked.
505 files have been scanned.
509 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:47:24 1 minute 17 seconds (77.53 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:47:24, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:46:05
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\dls\sysclean
1270 files have been read.
1270 files have been checked.
505 files have been scanned.
509 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 10:47:24 1 minute 17 seconds (77.53 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 10:47:24, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.
2004-10-10, 10:58:19, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 11:06:28, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:58:20
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\dls\sysclean
6396 files have been read.
6396 files have been checked.
3894 files have been scanned.
4126 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 11:06:28
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 11:06:28, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:58:20
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\dls\sysclean
6396 files have been read.
6396 files have been checked.
3894 files have been scanned.
4126 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 11:06:28 8 minutes 6 seconds (485.46 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 11:06:28, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 10:58:20
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\dls\sysclean
6396 files have been read.
6396 files have been checked.
3894 files have been scanned.
4126 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 11:06:28 8 minutes 6 seconds (485.46 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 11:06:28, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.


What should I do now?

0

Winuser32.exe is a worm. Sysclean should have picked it up. Did you install the pattern file ok? Any error messages before you ran it?

Can you post another log scanned in normal mode please.

0

I think it's better this time :)


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/

2004-10-10, 14:49:25, Auto-clean mode specified.
2004-10-10, 14:49:25, Running scanner "C:\dls\sysclean\TSC.BIN"...
2004-10-10, 14:50:33, Scanner "C:\dls\sysclean\TSC.BIN" has finished running.
2004-10-10, 14:50:33, TSC Log:
Damage Cleanup Engine (DCE) 3.6(Build 1120)
Windows 2000(Build 2195: Service Pack 4)
Start time : וקטובר 10 2004 14:49:25
Load Damage Cleanup Template (DCT) "C:\dls\sysclean\tsc.ptn" (version 430) [success]
WORM_AGOBOT.CV[virus found]
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","svhost.exe") success
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Runservices","svhost.exe") success
WORM_SPYBOT-1[virus found]
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","winuser32.exe") success
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Runservices","winuser32.exe") success
-->modify registry data("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","explorer.exe winuser32.exe") success
Complete time : וקטובר 10 2004 14:50:16
Execute pattern count(1275), Virus found count(2), Virus clean count(2), Clean failed count(0)
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\SOFTWARE": Access is denied.
2004-10-10, 14:56:19, An error occurred while scanning file "C:\WINNT\system32\config\DEFAULT": Access is denied.
2004-10-10, 15:04:21, An error occurred while scanning file "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat": Access is denied.
2004-10-10, 15:04:21, An error occurred while scanning file "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat": Access is denied.
2004-10-10, 15:09:11, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Access is denied.
2004-10-10, 15:09:11, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT.LOG": Access is denied.
2004-10-10, 15:11:29, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2004-10-10, 15:11:29, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2004-10-10, 15:18:42, An error occurred while scanning file "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll": Access is denied.
2004-10-10, 15:30:55, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 16:02:52, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 15:30:58
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\dls\sysclean
62952 files have been read.
62952 files have been checked.
28809 files have been scanned.
40750 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:02:52
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:02:52, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 15:30:58
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\dls\sysclean
62952 files have been read.
62952 files have been checked.
28809 files have been scanned.
40750 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:02:52 31 minutes 53 seconds (1913.29 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:02:52, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 15:30:58
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\dls\sysclean
62952 files have been read.
62952 files have been checked.
28809 files have been scanned.
40750 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:02:52 31 minutes 53 seconds (1913.29 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:02:52, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.
2004-10-10, 16:06:12, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 16:06:23, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:06:13
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\dls\sysclean
380 files have been read.
380 files have been checked.
166 files have been scanned.
166 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:06:22
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:06:23, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:06:13
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\dls\sysclean
380 files have been read.
380 files have been checked.
166 files have been scanned.
166 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:06:22 7 seconds (7.71 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:06:23, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:06:13
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\dls\sysclean
380 files have been read.
380 files have been checked.
166 files have been scanned.
166 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:06:22 7 seconds (7.71 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:06:23, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.
2004-10-10, 16:09:24, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 16:10:03, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:09:25
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\dls\sysclean
1270 files have been read.
1270 files have been checked.
505 files have been scanned.
509 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:10:03
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:10:03, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:09:25
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\dls\sysclean
1270 files have been read.
1270 files have been checked.
505 files have been scanned.
509 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:10:03 36 seconds (35.99 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:10:03, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:09:25
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\dls\sysclean
1270 files have been read.
1270 files have been checked.
505 files have been scanned.
509 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:10:03 36 seconds (35.99 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:10:03, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.
2004-10-10, 16:14:39, Running scanner "C:\dls\sysclean\VSCANTM.BIN"...
2004-10-10, 16:18:03, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:14:40
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\dls\sysclean
6396 files have been read.
6396 files have been checked.
3894 files have been scanned.
4126 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:18:03
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:18:03, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:14:40
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\dls\sysclean
6396 files have been read.
6396 files have been checked.
3894 files have been scanned.
4126 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:18:03 3 minutes 21 seconds (201.48 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:18:03, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 10/10/2004 16:14:40
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 192 (72764 Patterns) (2004/10/08) (219200)
Command Line: C:\dls\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\dls\sysclean
6396 files have been read.
6396 files have been checked.
3894 files have been scanned.
4126 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/10/2004 16:18:03 3 minutes 21 seconds (201.48 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-10-10, 16:18:03, Scanner "C:\dls\sysclean\VSCANTM.BIN" has finished running.

What do you think? What's next?

0

and a new HJT:

Logfile of HijackThis v1.98.2
Scan saved at 16:57:22, on 10/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MSsrvs32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\filtax.exe
C:\WINNT\SYSTEM32\hgdhp.exe
C:\WINNT\system32\mxxcva.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\filtax.exe
C:\WINNT\system32\mxxcva.exe
C:\dls\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\Run: [VQVQEVXfxcX] C:\WINNT\SYSTEM32\hgdhp.exe
O4 - HKLM\..\Run: [sdfwfq] mxxcva.exe
O4 - HKLM\..\Run: [cftmon] cftmon.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] cdzj.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\RunServices: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\RunServices: [sdfwfq] mxxcva.exe
O4 - HKLM\..\RunServices: [cftmon] cftmon.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] cdzj.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKCU\..\Run: [sdfwfq] mxxcva.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB

0

Suddenly, out of the blue, I have a new toolbar :(

0

Open Task Manager & end process on the following:
filtax.exe
hgdhp.exe
mxxcva.exe
ctfmon.exe
filtax.exe
mxxcva.exe

Then go to C:\WINNT\system32 & delete those files manually.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\Run: [VQVQEVXfxcX] C:\WINNT\SYSTEM32\hgdhp.exe
O4 - HKLM\..\Run: [sdfwfq] mxxcva.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] cdzj.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\RunServices: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\RunServices: [sdfwfq] mxxcva.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] cdzj.exe
O4 - HKCU\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKCU\..\Run: [sdfwfq] mxxcva.exe

Reboot normally, update your anti-virus & do a full system scan.
Go here to TrendMicro for an on-line scan & set it to autoclean for you.

Try this scan at Panda as well.

Post another log please.
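As an added example (not part of the original posts, and not HijackThis's own logic): a short Python triage of the O4 autorun lines from the HijackThis log above. It flags commands registered under more than one autorun key and file names one edit away from a Windows system binary; both checks and the reference name list are assumptions made for this example.

```python
import re
from collections import defaultdict

# O4 (autorun) lines copied from the second HijackThis log in this thread;
# the Hebrew-path entry is left out to keep the sample ASCII.
HJT_O4 = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\Run: [VQVQEVXfxcX] C:\WINNT\SYSTEM32\hgdhp.exe
O4 - HKLM\..\Run: [sdfwfq] mxxcva.exe
O4 - HKLM\..\Run: [cftmon] cftmon.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] cdzj.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] MVCC.exe
O4 - HKLM\..\RunServices: [Synchronization Data Schedul] filtax.exe
O4 - HKLM\..\RunServices: [sdfwfq] mxxcva.exe
O4 - HKLM\..\RunServices: [cftmon] cftmon.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] cdzj.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Synchronization Data Schedul] filtax.exe
O4 - HKCU\..\Run: [sdfwfq] mxxcva.exe
"""

# Assumption: a small reference set of Windows system binary names, taken from
# the "Running processes" section of the same log.
SYSTEM_STEMS = {"smss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "ctfmon"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$", re.M)


def exe_name(command):
    """Lower-case file name of the program an autorun command starts."""
    m = re.match(r'"?(.+?\.exe)', command, re.I)
    path = m.group(1) if m else command.strip('"')
    return path.rsplit("\\", 1)[-1].lower()


def osa_distance(a, b):
    """Edit distance counting an adjacent swap as one edit (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(log_text):
    """Map each autorun executable to the keys it is registered under and any near-miss name."""
    keys = defaultdict(set)
    for hive, key, _value_name, command in O4_RE.findall(log_text):
        keys[exe_name(command)].add(f"{hive}\\{key}")
    report = {}
    for exe, where in keys.items():
        stem = exe.rsplit(".", 1)[0]
        near = next((s for s in sorted(SYSTEM_STEMS) if osa_distance(stem, s) == 1), None)
        report[exe] = {"keys": sorted(where), "lookalike_of": near}
    return report


def review_candidates(report):
    """Executables worth a closer look: redundant autorun registration or a lookalike name."""
    return sorted(e for e, r in report.items()
                  if len(r["keys"]) > 1 or r["lookalike_of"])


if __name__ == "__main__":
    result = triage(HJT_O4)
    for exe in review_candidates(result):
        print(exe, result[exe])
```

An entry registered once under an unrelated name, such as [VQVQEVXfxcX] above, passes both checks, so the output narrows a manual review and does not replace it.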

0

Well, it's not over yet.

I followed your instructions. ctfmon.exe and filtax.exe reappeared several times, I had to delete them again and again.

I tried to update my Norton Antivirus, but still it doesn't work too well. There are some files that can't be updated.

Anyways, I scanned with: Norton, TrendMicro and Panda and...

TrendMicro found nothing.

Panda found these:
Virus:W32/Netsky.D.worm Disinfected Personal Folders\Deleted Items\Re: Your archive\your_archive.pif

Virus:W32/Netsky.D.worm Disinfected Personal Folders\Deleted Items\Re: Re: Message\message_details.pif

Virus:Trojan Horse Disinfected C:\Windows\system32\msrr\msrf.exe


Norton Antivirus was the best. Take a look at this list:

Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/10/2004 22:10:39,Virus scanner,Hacktool.Keygen.151552,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: E:\RECYCLED\De1.exe,Description: The file E:\RECYCLED\De1.exe is a Hack tool threat."
11/10/2004 22:10:39,Virus scanner,Adware.Binet,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\temp\lc.exe,Description: The compressed file lc.exe within C:\temp\lc.exe is a Adware threat."
11/10/2004 22:10:39,Virus scanner,Adware.Binet,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\temp\lc.exe,Description: The file C:\temp\lc.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Trojan Horse,Quarantined,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: C:\Program Files\Windows SyncroAd\WinSync.exe,Description: The file C:\Program Files\Windows SyncroAd\WinSync.exe is infected with the Trojan Horse virus."
11/10/2004 22:10:38,Virus scanner,Adware.BlazeFind,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Program Files\Windows SyncroAd\CComm.dll,Description: The file C:\Program Files\Windows SyncroAd\CComm.dll is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Hacktool.Keygen.151552,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: Symantec.Norton.Antivirus.2004.Professional.v10.0.0.109.WinAll.Incl.Keygenerator-TMG\keygen.exe,Description: The compressed file keygen.exe within C:\Program Files\eMule\incoming\ntnaivs.2004.Pro.Final.With.Crack.[oshrinu].[LioNetwork.net].rar is a Hack tool threat."
11/10/2004 22:10:38,Virus scanner,Adware.Purityscan,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\smaddar.PC-HOME\Application Data\ubeo.exe,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Application Data\ubeo.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.CDT,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temporary Internet Files\Content.IE5\I1ZS1KJM\lqx[1].htm,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temporary Internet Files\Content.IE5\I1ZS1KJM\lqx[1].htm is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.CDT,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temporary Internet Files\Content.IE5\VF9RBX0W\mtrslib2[1].js,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temporary Internet Files\Content.IE5\VF9RBX0W\mtrslib2[1].js is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.NetOptimizer,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temporary Internet Files\Content.IE5\35H0YQU5\optimize[1].exe,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temporary Internet Files\Content.IE5\35H0YQU5\optimize[1].exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.NetOptimizer,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\optimize.exe,Description: The file C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\optimize.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.Purityscan,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\Administrator\Application Data\ubeo.exe,Description: The file C:\Documents and Settings\Administrator\Application Data\ubeo.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.BlazeFind,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OP2FSHUJ\CComm[1].dll,Description: The file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OP2FSHUJ\CComm[1].dll is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.CDT,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: MediaTicketsInstaller.ocx,Description: The compressed file MediaTicketsInstaller.ocx within C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OP2FSHUJ\MediaTicketsInstaller[1].cab is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.CDT,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C9QZCL2R\mtrslib2[1].js,Description: The file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C9QZCL2R\mtrslib2[1].js is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Trojan Horse,Quarantined,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe,Description: The file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe is infected with the Trojan Horse virus."
11/10/2004 22:10:38,Virus scanner,Adware.CDT,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\lqx[1].htm,Description: The file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\lqx[1].htm is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.Purityscan,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\Documents and Settings\Default User\Application Data\ubeo.exe,Description: The file C:\Documents and Settings\Default User\Application Data\ubeo.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.Binet,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\WINNT\preInMPP.exe,Description: The file C:\WINNT\preInMPP.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.Binet,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\WINNT\preInsln.exe,Description: The file C:\WINNT\preInsln.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.Binet,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\WINNT\Temp\THI453D.tmp\preInMPP.exe,Description: The file C:\WINNT\Temp\THI453D.tmp\preInMPP.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Adware.Binet,Delete failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: AdwareSource: C:\WINNT\Temp\THI5747.tmp\preInsln.exe,Description: The file C:\WINNT\Temp\THI5747.tmp\preInsln.exe is a Adware threat."
11/10/2004 22:10:38,Virus scanner,Hacktool.HideWindow,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: C:\WINNT\system32\q45d4e5\sxe429.tmp,Description: The file C:\WINNT\system32\q45d4e5\sxe429.tmp is a Hack tool threat."
11/10/2004 22:10:38,Virus scanner,Hacktool.HideWindow,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: C:\WINNT\system32\q45d4e5\sxe425.tmp,Description: The file C:\WINNT\system32\q45d4e5\sxe425.tmp is a Hack tool threat."
11/10/2004 22:10:38,Virus scanner,Hacktool.HideWindow,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: C:\WINNT\system32\q45d4e5\sxe420.tmp,Description: The file C:\WINNT\system32\q45d4e5\sxe420.tmp is a Hack tool threat."
11/10/2004 22:10:38,Virus scanner,Hacktool.HideWindow,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: C:\WINNT\system32\q45d4e5\sxe41F.tmp,Description: The file C:\WINNT\system32\q45d4e5\sxe41F.tmp is a Hack tool threat."
11/10/2004 22:10:38,Virus scanner,Hacktool.HideWindow,Manually deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: Hack toolSource: C:\WINNT\system32\q45d4e5\sxe41E.tmp,Description: The file C:\WINNT\system32\q45d4e5\sxe41E.tmp is a Hack tool threat."
11/10/2004 21:36:47,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WINSYNC.EXE
11/10/2004 21:36:47,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WINSYNC.EXE
11/10/2004 21:36:47,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WINSYNC.EXE
11/10/2004 21:36:46,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WINSYNC.EXE
11/10/2004 21:36:46,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 21:36:46,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 21:36:45,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 21:36:45,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 20:08:32,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 20:08:32,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 19:47:28,Virus scanner,W32.Netsky.D@mm,Automatically deleted,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,",Threat category: VirusSource: document_word.pif,Description: The email attachment document_word.pif is infected with the W32.Netsky.D@mm virus."
11/10/2004 18:03:27,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 18:03:27,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 18:03:26,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 18:03:26,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 17:35:15,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WINSYN~1.EXE
11/10/2004 17:35:15,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WINSYN~1.EXE
11/10/2004 17:35:14,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WINSYN~1.EXE
11/10/2004 17:35:14,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WINSYN~1.EXE
11/10/2004 17:35:14,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe
11/10/2004 17:35:13,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe
11/10/2004 17:35:13,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe
11/10/2004 17:35:13,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe
11/10/2004 17:21:27,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe
11/10/2004 17:21:26,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0DYNWTAR\WinSync[1].exe
11/10/2004 15:26:21,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 15:26:21,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 15:06:44,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 15:06:44,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,smaddar,PC-HOME,Source: C:\Program Files\Windows SyncroAd\WinSync.exe
11/10/2004 14:54:26,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200410060020,10.0.1.13,Administrator,PC-HOME,Source: C:\WINNT\ChAoS.exe
11/10/2004 14:54:25,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200410060020,10.0.1.13,Administrator,PC-HOME,Source: C:\WINNT\ChAoS.exe


So, here is the best part. A new HJT:

Logfile of HijackThis v1.98.2
Scan saved at 23:09:28, on 11/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\smaddar.PC-HOME\Application Data\ubeo.exe
C:\Windows\system32\msrr\msrr.exe
C:\dls\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [qsgukrh] C:\WINNT\system32\zenjchve.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winfex32.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [msbricks] C:\Windows\system32\msrr\msrh.exe C:\Windows\system32\msrr\msrr.exe
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\RunOnce: [LRPatch] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LRPatch.exe" /RUN
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Snpw] C:\Documents and Settings\smaddar.PC-HOME\Application Data\ubeo.exe
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=771aab6407e17cd246b004e5ead7108eb8dcf063dc6b72823084f634e85247620f8876e5c718c2d0a1bb170a7006cb02f30bd52db83cd8ff38d3fb72d88b5ced:bcbeac9adb4287dd435f5ab0907ede44
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB


Are we going to win this war?

0

Where are you getting all this stuff? Looks like that scan was done in safe mode? These processes should be running:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe

Reboot normally & rescan with HJT & post that log please.

0

It was not in safe mode. It was the log after rebooting normally.
But here, I've tried again:

Logfile of HijackThis v1.98.2
Scan saved at 20:16:19, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\smaddar.PC-HOME\Application Data\ubeo.exe
C:\Windows\system32\msrr\msrr.exe
C:\dls\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [qsgukrh] C:\WINNT\system32\zenjchve.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winfex32.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [msbricks] C:\Windows\system32\msrr\msrh.exe C:\Windows\system32\msrr\msrr.exe
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\RunOnce: [LRPatch] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LRPatch.exe" /RUN
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\smaddar.PC-HOME\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Snpw] C:\Documents and Settings\smaddar.PC-HOME\Application Data\ubeo.exe
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=771aab6407e17cd246b004e5ead7108eb8dcf063dc6b72823084f634e85247620f8876e5c718c2d0a1bb170a7006cb02f30bd52db83cd8ff38d3fb72d88b5ced:bcbeac9adb4287dd435f5ab0907ede44
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB

Why me? What have I done wrong?
Is there still hope?

0

The processes that Crunchie listed in his last post would normally be running as long as you were not in safe mode. That's why he asked if you were in safe mode....that's an awful short list of running processes in your hjt log.

0

The log I sent before was as a user.
Here is a new log, as administrator this time:

Logfile of HijackThis v1.98.2
Scan saved at 20:30:33, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Windows\system32\msrr\msrr.exe
C:\dls\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [qsgukrh] C:\WINNT\system32\zenjchve.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winfex32.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [msbricks] C:\Windows\system32\msrr\msrh.exe C:\Windows\system32\msrr\msrr.exe
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [Snpw] C:\Documents and Settings\Administrator\Application Data\ubeo.exe
O4 - HKCU\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=771aab6407e17cd246b004e5ead7108eb8dcf063dc6b72823084f634e85247620f8876e5c718c2d0a1bb170a7006cb02f30bd52db83cd8ff38d3fb72d88b5ced:bcbeac9adb4287dd435f5ab0907ede44
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB

Does it help?

0

That looks much more like what he was expecting to see I'm sure. :) Wish I could be more help, but I'm still learning, so I'll leave Crunchie or one of the other experts to hand out advice on your log. Good luck. :)

0

A new and interesting message I've got:

16 bit MS-DOS Subsystem

c:\Windows\system32\deltree.exe
c:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
Choose 'Close' to terminate the application.

0

Uninstall Windows SyncroAd from Add/Remove Programs.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [qsgukrh] C:\WINNT\system32\zenjchve.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winfex32.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [msbricks] C:\Windows\system32\msrr\msrh.exe C:\Windows\system32\msrr\msrr.exe
O4 - HKCU\..\Run: [Snpw] C:\Documents and Settings\Administrator\Application Data\ubeo.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...35f5ab0907ede44
-Blazefind Windupdates Adware
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
-MediaTickets Installer

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\Program Files\Windows SyncroAd - folder
C:\Program Files\ISTsvc - folder
C:\Program Files\Internet Optimizer - folder
C:\Program Files\Power Scan - folder
C:\Windows\system32\msrr - folder

C:\WINNT\system32\zenjchve.exe - file
C:\winnt\system32\winfex32.exe - file
C:\Documents and Settings\Administrator\Application Data\ubeo.exe - file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel > Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

Do the same for every account on this computer.

Reboot normally after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

0

Thank you, Crunchie

Here is a new log, (as administrator):

Logfile of HijackThis v1.98.2
Scan saved at 14:56:56, on 13/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\wuauclt.exe
C:\dls\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKCU\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
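
The fix-and-rescan step in this thread comes down to comparing two HijackThis logs. As an added example (not part of any post and not HijackThis's own code), the script below parses a before and an after log, reports which items were removed, persisted or newly appeared, and flags persisting O4 autoruns that point into a directory where the antivirus log recorded detections. The sample data are short excerpts of the logs posted above; the function names are illustrative.

```python
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# HijackThis item lines begin with a section code (R0, R1, O2, O4, O16, ...).
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 autorun items have the form "<registry key>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Excerpt of the log saved 12/10/2004 20:30:33 (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
"""

# Excerpt of the log saved 13/10/2004 14:56:56 (after the fix).
AFTER = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
"""

# File paths taken from the antivirus detections logged on 11/10/2004.
DETECTIONS = [
    r"C:\WINNT\system32\q45d4e5\sxe429.tmp",
    r"C:\WINNT\system32\q45d4e5\sxe425.tmp",
]


def parse_hjt(log_text):
    """Return the set of item entries in a HijackThis log.

    Header lines and the running-process list do not carry a section
    code, so they are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            entries.add(Entry(m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Classify entries as removed, persisting or newly added."""
    return {
        "removed": before - after,
        "persisting": before & after,
        "added": after - before,
    }


def autoruns_in_detected_dirs(entries, detection_paths):
    """Return (registry key, value name) for O4 items whose command line
    references a directory that contains an antivirus detection.

    Windows paths are case-insensitive, so the comparison is lower-cased;
    ntpath is used so the script also runs on a non-Windows analysis host.
    """
    dirs = {ntpath.dirname(p).lower() + "\\" for p in detection_paths}
    hits = []
    for entry in sorted(entries):
        if entry.code != "O4":
            continue
        m = O4_RE.match(entry.text)
        if m and any(d in m.group("cmd").lower() for d in dirs):
            hits.append((m.group("key"), m.group("name")))
    return hits


if __name__ == "__main__":
    result = diff_logs(parse_hjt(BEFORE), parse_hjt(AFTER))
    for status in ("removed", "persisting", "added"):
        print(status.upper())
        for entry in sorted(result[status]):
            print("  %s - %s" % (entry.code, entry.text))
    print("PERSISTING AUTORUNS IN DIRECTORIES WITH DETECTIONS")
    for key, name in autoruns_in_detected_dirs(result["persisting"], DETECTIONS):
        print("  %s [%s]" % (key, name))
```

Run as a script, it prints the three groups and then lists the two `INFO DATA` autoruns, which survive the fix and still reference the `q45d4e5` directory.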

0

As I deleted some more temporary files, I am sending a new log:

Logfile of HijackThis v1.98.2
Scan saved at 04:42:14, on 14/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\dls\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\הפוך על הפוך\hebrew
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O4 - HKCU\..\RunServices: [INFO DATA] c:\winnt\system32\q45d4e5\repcale.exe c:\winnt\system32\q45d4e5\apc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &יצ ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB

0

Thank you, Cranchie.
That was an interesting tour.

I believe we'll meet again.

:)

0

Half of the programs still don't work. I can't update the WMI Update in Norton AV, even though I uninstalled it and reinstalled it. If I enter the administrator setting, I can do nothing at all, not even write here.
So it's wonderful to have a clean computer, but it's not enough.
By the way, I keep getting red messages from Norton that viruses were found, like this one:
Source: C:\WINNT\system32\wssdsfgsd.exe
Click for more information about this threat : W32.Spybot.Worm
I just have a feeling that it's better to format the computer. What do you think?
