Hi everybody,
I need your help in removing the win32/autorun.ABH worm from my laptop. I can't find anything about it...
What happens is that everything works fine until I open "My Computer" or Windows Explorer; then my anti-virus NOD32 alerts me that a threat was found in D:/documents & settings/aviad/local settings/temp/, and each time it's a different .tmp file, and it was triggered by D:/resycled/boot.com.
The result is that my CPU goes through the roof and my internet connection is shut off.
I did all sorts of scans and even deleted the temp files, but nothing helped; still, when I open "My Computer" it triggers the worm.
Please HELP...
Thanks

Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Well, I did all you asked and the anti-malware program did find the problematic files, but the problem remains the same...
Here is the log from Malwarebytes':
Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.1.2600 Service Pack 2

26/10/2008 15:31:31
mbam-log-2008-10-26 (15-31-31).txt

Scan type: Quick Scan
Objects scanned: 55147
Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsservicesstartup (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
D:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
D:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\Documents and Settings\Aviad\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Delete on reboot.
And the log for HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47:04, on 26/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
D:\Program Files\Broadcom\BACS\BPowMon.exe
D:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
D:\WINDOWS\system32\FpLogonServ.exe
D:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\MATLAB701\webserver\bin\win32\matlabserver.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Lenovo\PM Driver\PMSveH.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\WLTRYSVC.exe
D:\WINDOWS\System32\bcmwltry.exe
D:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
D:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\WINDOWS\System32\WLTRAY.exe
D:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
D:\WINDOWS\system32\RUNDLL32.exe
D:\WINDOWS\RTHDCPL.exe
D:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Notebook Hardware Control\nhc.exe
D:\Program Files\Eset\nod32kui.exe
D:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
D:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\RMClock\RMClock.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Aviad\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TPFNF7] D:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] D:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [AzMixerSel] D:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [TPWAUDAP] D:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IAAnotif] "D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [FingerPrintSoftware] "D:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NotebookHardwareControl] "D:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PMHandler] D:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "D:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\RunServices: [System Information Manager] mslog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RMClock] "D:\Program Files\RMClock\RMClockLauncher.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O8 - Extra context menu item: &Export to Microsoft Excel (Hebrew label) - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Send to &Bluetooth Device... - D:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate with &Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O8 - Extra context menu item: Gibberish to Hebrew (Hebrew label) - C:\Program Files\EitanRousso\Gibrish2Heb.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research (Hebrew label) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://ave.cvc.cervantes.es/home/as...
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AE39148-E892-4E18-B24F-CE1ADB9EA14F}: NameServer = 194.90.1.5,212.143.212.143
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - D:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - D:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - D:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Broadcom Power monitoring service (BPowMon) - Broadcom Corp. - D:\Program Files\Broadcom\BACS\BPowMon.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - D:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - D:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - D:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PMSveH - Lenovo - D:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.exe
--
End of file - 10948 bytes

Looking better.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, turn off your Eset antivirus, Ashampoo FireWall and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

OK, here is the ComboFix log:
ComboFix 08-10-25.01 - Aviad 10/26/2008 22:34:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.1.1033.18.589 [GMT 2:00]
Running from: D:\Documents and Settings\Aviad\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
D:\Autorun.inf
D:\Documents and Settings\Aviad\Local Settings\Temporary Internet Files\62E.tmp
D:\Documents and Settings\Aviad\Local Settings\Temporary Internet Files\62F.tmp
D:\Documents and Settings\Aviad\Local Settings\Temporary Internet Files\630.tmp
D:\Documents and Settings\Aviad\Local Settings\Temporary Internet Files\SLC_Aviad.prx
.
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 20:40 22,528 ----a-w D:\WINDOWS\system32\drivers\nhcDriver.sys
2008-10-26 13:19 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 13:19 --------- d-----w D:\Documents and Settings\Aviad\Application Data\Malwarebytes
2008-10-26 13:19 --------- d-----w D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-25 19:24 --------- d-----w D:\Program Files\iAlbumArt
2008-10-25 17:04 737,280 ----a-w D:\WINDOWS\iun6002.exe
2008-10-25 11:22 --------- d-----w D:\Program Files\eMule
2008-10-25 11:09 --------- d-----w D:\Program Files\Album Cover Art Downloader
2008-10-25 11:07 --------- d-----w D:\Documents and Settings\Aviad\Application Data\albumart
2008-10-22 14:10 38,496 ----a-w D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 14:10 15,504 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 12:42 --------- d-----w D:\Program Files\Bonjour
2008-10-22 09:57 --------- d-----w D:\Program Files\Apple Software Update
2008-10-21 17:54 --------- d-----w D:\Program Files\iTunes
2008-10-21 17:54 --------- d-----w D:\Program Files\iPod
2008-10-21 17:54 --------- d-----w D:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-21 17:52 --------- d-----w D:\Program Files\QuickTime
2008-10-21 17:52 --------- d-----w D:\Program Files\Common Files\Apple
2008-10-20 17:41 --------- d-----w D:\Documents and Settings\All Users\Application Data\Babylon
2008-10-18 15:41 --------- d-----w D:\Program Files\DirectVobSub
2008-10-11 11:57 --------- d-----w D:\Program Files\AoA Audio Extractor
2008-10-11 11:57 --------- d-----w D:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 11:01 32,000 ----a-w D:\WINDOWS\system32\drivers\usbaapl.sys
2008-09-01 13:29 --------- d-----w D:\Program Files\Unlocker
2008-09-01 13:27 --------- d-----w D:\Program Files\Windows Resource Kits
2008-08-28 10:04 333,056 ----a-w D:\WINDOWS\system32\drivers\srv.sys
2008-08-27 08:33 --------- d-----w D:\Program Files\SAS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360]
"RMClock"="D:\Program Files\RMClock\RMClockLauncher.exe" [02/29/2008 05:26 PM 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/06/2007 01:52 AM 849280]
"TPFNF7"="D:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [04/10/2007 03:03 AM 58416]
"SynTPEnh"="D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/19/2006 02:51 PM 774233]
"Broadcom Wireless Manager UI"="D:\WINDOWS\System32\WLTRAY.exe" [10/12/2006 04:28 PM 1282048]
"AzMixerSel"="D:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [01/25/2006 06:45 PM 53248]
"TPWAUDAP"="D:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [09/06/2006 04:38 PM 54824]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [08/24/2007 12:15 AM 8478720]
"IAAnotif"="D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [10/03/2007 03:44 PM 178712]
"FingerPrintSoftware"="D:\Program Files\Lenovo Fingerprint Software\fpapp.exe" [03/02/2007 06:32 AM 933888]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [08/24/2007 12:15 AM 81920]
"NotebookHardwareControl"="D:\Program Files\Notebook Hardware Control\nhc.exe" [05/04/2007 02:33 AM 2629632]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [04/13/2008 09:58 AM 949376]
"PMHandler"="D:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" [03/16/2007 04:26 AM 31840]
"Ashampoo FireWall"="D:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" [04/05/2007 02:57 PM 3251800]
"nwiz"="nwiz.exe" [08/24/2007 12:15 AM 1626112 D:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 PM 2879488 D:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [01/30/2007 06:54 PM 16116224 D:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [08/30/2006 04:40 PM 89542 D:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.exe" [08/04/2004 12:56 AM 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
02/27/2007 05:26 PM 131072 D:\WINDOWS\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
12/14/2006 11:06 AM 28672 D:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
07/05/2007 02:52 PM 32768 D:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=D:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=D:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Aviad^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=D:\WINDOWS\pss\HotSync Manager.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 10/22/2006 11:24 PM 620152 D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 12/13/2006 04:15 PM 2785256 D:\Program Files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 12/22/2003 07:38 AM 241664 D:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 12/05/2003 02:41 PM 49152 D:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 05/04/2004 04:21 PM 176128 D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 05/05/2004 07:17 AM 491520 D:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 04/01/2004 12:33 PM 49152 D:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 10/01/2008 06:57 PM 289576 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 07/09/2001 10:50 AM 155648 D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 09/06/2008 03:09 PM 413696 D:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 11/19/2003 04:48 PM 32881 D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

R1 ANC;ANC;D:\WINDOWS\system32\drivers\ANC.SYS [11/08/2005 09:27 AM 11520]
R1 IBMTPCHK;IBMTPCHK;D:\WINDOWS\System32\Drivers\IBMBLDID.sys [04/02/2007 11:24 AM 4224]
R1 PMHler;PMHler;D:\WINDOWS\system32\drivers\PMHler.sys [05/24/2006 10:48 AM 10240]
R2 BPowMon;Broadcom Power monitoring service;D:\Program Files\Broadcom\BACS\BPowMon.exe [08/31/2006 05:04 PM 65536]
R2 cpextender;Check Point SSL Network Extender;D:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [06/10/2007 03:48 PM 331870]
R2 FingerprintServer;Fingerprint Server;D:\WINDOWS\system32\FpLogonServ.exe [01/19/2007 03:16 PM 61440]
R2 FNF5SVC;Fn+F5 Service;D:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe [04/09/2007 10:24 AM 54832]
R3 RTCore32;RTCore32;D:\Program Files\RMClock\RTCore32.sys [05/25/2005 08:39 AM 4608]
R3 VNA;Check Point Virtual Network Adapter;D:\WINDOWS\system32\DRIVERS\vna.sys [06/10/2007 03:48 PM 110160]

*Newly Created Service* - RTCORE32
.
Contents of the 'Scheduled Tasks' folder

2008-10-24 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]

2008-10-26 D:\WINDOWS\Tasks\HP Usg Daily.job
- D:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [04/01/2004 12:33 PM]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunServices-System Information Manager - mslog.exe
MSConfigStartUp-System Information Manager - mslog.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Aviad\Application Data\Mozilla\Firefox\Profiles\wjj01jo1.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - D:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - D:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 22:40:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
System Information Manager = mslog.exe

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\D:\DOCUME~1\Aviad\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
D:\Program Files\ESET\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Lenovo\PM Driver\PMSveH.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\WLTRYSVC.exe
D:\WINDOWS\system32\BCMWLTRY.exe
D:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\MATLAB701\bin\win32\MATLAB.exe
D:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\RMClock\RMClock.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 10/26/2008 22:44:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 20:44:42

Pre-Run: 33,760,710,656 bytes free
Post-Run: 33,894,465,536 bytes free

211 --- E O F --- 2008-10-24 13:34:39
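
Added example, not from the thread and not from any of the tools used in it: the ComboFix log above deleted C:\Autorun.inf and D:\Autorun.inf, which is the mechanism behind "it triggers when I open My Computer". Explorer reads autorun.inf from a drive root and, depending on its contents and the NoDriveTypeAutoRun policy, either runs the file named in open=/shellexecute= or rewires the drive's double-click and context-menu verbs to a command of the worm's choosing. The Python below parses an autorun.inf offline, lists every command Explorer could launch from it and which action fires it, and evaluates the NoDriveTypeAutoRun bitmask for a drive class. The sample autorun.inf is constructed in the style of autorun worms; only the file name it points at, resycled\boot.com, comes from the posted logs, its real contents are not known from this thread.

```python
"""What an autorun.inf would make Explorer do, evaluated offline.

Added example, not part of the thread. The sample autorun.inf is constructed;
only the file name it points at (resycled\boot.com) comes from the posted logs.
"""
import re

# Bits of HKLM\...\Policies\Explorer\NoDriveTypeAutoRun, one per GetDriveType() class.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}
XP_DEFAULT_POLICY = 0x91   # XP default: unknown + remote (+ reserved bit 0x80)
DISABLE_ALL_POLICY = 0xFF  # the value hardening guides tell you to set


def parse_autorun_inf(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def execution_vectors(sections: dict) -> list:
    """Every (trigger, command) pair Explorer could launch from the file."""
    autorun = sections.get("autorun", {})
    vectors = []
    if "open" in autorun:
        vectors.append(("AutoRun 'open=' handler", autorun["open"]))
    if "shellexecute" in autorun:
        vectors.append(("AutoRun 'shellexecute=' handler", autorun["shellexecute"]))
    # 'shell=' selects which verb double-clicking the drive runs; 'open' otherwise.
    default_verb = autorun.get("shell", "open").lower()
    for key, value in autorun.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if not m:
            continue
        verb = m.group(1)
        trigger = f"context-menu verb '{verb}'"
        if verb == default_verb:
            trigger += " (default verb: runs on double-click of the drive)"
        vectors.append((trigger, value))
    return vectors


def autorun_allowed(drive_type: str, policy: int) -> bool:
    """True if NoDriveTypeAutoRun leaves AutoRun enabled for this drive class."""
    return not (policy & DRIVE_BITS[drive_type])


# Constructed sample in the style of autorun worms; not recovered from the machine.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=resycled\boot.com
shell\open\command=resycled\boot.com
shell\explore\command=resycled\boot.com
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

if __name__ == "__main__":
    for trigger, command in execution_vectors(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(f"{trigger}: {command}")
    for policy in (XP_DEFAULT_POLICY, DISABLE_ALL_POLICY):
        allowed = autorun_allowed("fixed", policy)
        print(f"NoDriveTypeAutoRun=0x{policy:02X}: AutoRun on fixed drives allowed = {allowed}")
```

Two practical points follow from the output. First, the XP default policy of 0x91 leaves AutoRun enabled on fixed and removable drives, so a D:\Autorun.inf on a second partition is honoured. Second, NoDriveTypeAutoRun only governs the AutoRun/AutoPlay path (open= and shellexecute=); on XP without the later autorun updates Explorer still read the shell\...\command verbs from autorun.inf even with AutoRun fully disabled, so double-clicking or right-clicking the drive in My Computer could still launch the file. That is why removing the autorun.inf files themselves, as ComboFix did above, matters and not only the dropped executable.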

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 10 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run ESET's online scanner from this link:
1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

Here is the log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3557 (20081026)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=406076a33e420f4fa4fc7d5d681eb32d
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-27 12:27:55
# local_time=2008-10-27 02:27:55 (+0200, Jerusalem Standard Time)
# country="Israel"
# osver=5.1.2600 NT Service Pack 2
# scanned=982725
# found=0
# scan_time=6055
# nod_component=NOD32MOD_WINNT_ENGLISH_BASE Build:0x11081627 (NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base)
# nod_component=NOD32MOD_WINNT_ENGLISH_INET Build:0x11081627 (NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support)
# nod_component=NOD32MOD_WINNT_ENGLISH_STANDARD Build:0x11081627 (NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component)

Hello, I've got the same problem with the win32/autorun.ABH worm. I manually deleted all the tmp files, autorun.inf from C:\ and D:\, and the boot.com files from each drive. I see that my autoexec.bat is empty! The system loads fine and runs fine too, but when I try to open C: or D: from My Computer, it tells me that it can't find the boot.com file. What should I do?!

Pavulon, please start your own thread and we will try to help. Just state the problem, no logs please.

There's no problem any more, I hope. I can now open and explore all hard disks and there are no ugly files on my disks... But my autoexec.bat is still empty. Is this the worm's doing? Sorry for writing here without a new topic; next time I'll make my own one.
