TheTechGuide Forum

General Category => Tech Clinic => Topic started by: vguitoune on May 15, 2005, 01:15:45 PM

Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 01:15:45 PM
Hi there. I have got a problem with this collected.5.l trojan :( that AVG can't defeat :unsure: . I hope you could help me get rid of it :D
Here is my HijackThis log, which I eventually managed to launch from Safe Mode (it's hard to get into this mode too with this trojan running) <_<

Logfile of HijackThis v1.99.1
Scan saved at 19:48:37, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\guitoune\Bureau\telechargements\logiciels\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ludo\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] rundlI32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] rundlI32.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: BCDCPlusPlus.exe.lnk = C:\Documents and Settings\guitoune\BCDC++\DCPlusPlus.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fr/filesharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Filter: text/html - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
O18 - Filter: text/plain - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


I hope this will be enough for you to find a way to help me.
Thank you for reading and answering me :)
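As an added example (not code from this thread, from HijackThis or from any tool named in it), here is a Python triage script that applies the defender's reading of the log above to a few lines constructed from it: it flags executable names that imitate Windows binaries through look-alike characters (rundlI32.exe with a capital I in place of an l), autostart entries that give a bare file name with no path, and browser settings that point into a Temp folder. The system-binary allow-list, the character-fold table and the edit-distance threshold are assumptions of the example, not anything the thread states.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread).

Flags three patterns visible in the log above: executable names that imitate
Windows system binaries through look-alike characters (rundlI32.exe with a
capital I, winIogon.exe), autostart entries with a bare file name and no path
(the entry relies on a PATH search), and browser settings that point into a
Temp directory. A flag means "look at this", not "this is malicious".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed allow-list: legitimate Windows binaries that entries on this page imitate.
SYSTEM_BINARIES = {
    "rundll32.exe", "winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe", "userinit.exe",
}

# Characters that are hard to tell apart in common UI fonts, folded onto one
# representative so that "rundlI32" and "rundll32" compare equal (assumed table).
_FOLD = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# O4 entries of the form "O4 - HKLM\..\Run: [Name] command", and R0/R1 entries
# of the form "R1 - HKLM\<key>,<value name> = <data>".
_O4 = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
_R = re.compile(r"^R[01] - (HK(?:LM|CU))\\(.+?),(.+?) = (.*)$")
# A quoted path, or an unquoted path up to the first ".exe" (paths may contain spaces).
_EXE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)

# Constructed sample: a handful of lines taken from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ludo\LOCALS~1\Temp\se.dll/sp.html
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""


def fold(name: str) -> str:
    """Normalise a file name so look-alike characters collapse together."""
    return name.translate(_FOLD).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squats such as csrs.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_executable(command: str) -> str:
    """Return the executable path of an autostart command, dropping its arguments."""
    m = _EXE.match(command.strip())
    if not m:
        return command.strip()
    return (m.group(1) or m.group(2)).strip()


def lookalike_of(filename: str) -> str | None:
    """Name of the system binary this file name imitates, or None if it is exact or unrelated."""
    base = filename.rsplit("\\", 1)[-1]
    if base.lower() in SYSTEM_BINARIES:
        return None  # the genuine name; location checks are a separate matter
    folded = fold(base)
    for legit in SYSTEM_BINARIES:
        # Equal after folding (rundlI32 -> rundll32) or one edit away (csrs -> csrss).
        if folded == legit or edit_distance(folded, legit) == 1:
            return legit
    return None


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches at least one suspicious pattern."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: list[str] = []
        if m := _O4.match(line):
            exe = command_executable(m.group(4))
            if "\\" not in exe:
                reasons.append("bare file name: located by PATH search, not a fixed path")
            if legit := lookalike_of(exe):
                reasons.append(f"name imitates {legit}")
        elif m := _R.match(line):
            if re.search(r"\\temp\\", m.group(4), re.IGNORECASE):
                reasons.append("browser setting points into a Temp directory")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run over the full log above, the bare-name rule also flags ALCWZRD.EXE and ALCMTR.EXE, which carry no path either; that is the intended behaviour, since a bare name only tells you to check the entry, as the RKFiles note later in this thread also says.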
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 01:33:10 PM
Before we try any fixes, can you do the following for me please
Download and UNZIP to desktop Export2.zip
So you now have Export2.bat on the desktop
We'll need this later
Export2.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=225)

==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder

==Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save to your desktop
Double click to run eScan's Mwav scan
It will self extract
Before running you may want to disable Norton's autoprotect, so it won't get in the way
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take a while, let it finish
In the Virus Log Information Pane
Left click and highlight all the info in the lower pane --- use the "CTRL" and "C" keys on your keyboard to copy all found in the lower pane and paste it back here

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

After posting the log from eScan's Mwav scan

Could you do the following

Ensure you're in Safe Mode
Set Windows to show hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide extensions for known file types option.
* Click Yes to confirm.
* Click OK.

Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Post the log back here

Could you also double click on Export2.bat on your desktop or wherever you unzipped Export2.bat to
IF a text file is placed on the desktop or in the same folder as export2.bat by the name of Export.txt
Could you copy and paste that info back here
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 03:21:49 PM
Hi again and thank you for being so fast to answer :) .
Here is the log from the MWAV scan. I think I forgot to mention that AVG detected the collected.5.L trojan in a file called msdirectx.sys, and of course, deleting this file doesn't change anything <_< .

File C:\WINDOWS\system32\rundlI32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\icqjdhs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winDLL32.exe infected by "Trojan-Downloader.Win32.Agent.mg" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.blank Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Claria Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dl-614.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\a.bat infected by "Trojan.BAT.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qthumt.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\zyzgru.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\xckpisz.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnmsgr.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iexplore.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\TFTP516 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winIogon.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\csrs.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\13.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\a.bat infected by "Trojan.BAT.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\qthumt.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\zyzgru.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\xckpisz.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msnmsgr.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iexplore.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP516 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winIogon.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\csrs.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dl-614.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\guitoune\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Ludo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-770e497d.zip infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\GMT\EGNSEngine.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\GMT\GatorRes.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\GMT\GatorStubSetup.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GFormCTM.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GSvcMgr.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GSvcSAP.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GDwldEng.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GIocl.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GIoclClient.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GMTProxy.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GStore.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GStoreServer.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Utilities\DivX_502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AIDA32\aida32.exe tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida32.bin tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida_directx.dll tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\Softwin\BitDefender8\Quarantine\crssrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042859.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042861.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042863.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042868.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042870.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042875.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042876.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047014.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047017.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047023.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047024.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047025.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047026.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047798.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047799.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047800.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047801.DLL infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047802.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047803.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047804.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047805.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047806.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047807.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050237.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050239.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050240.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050242.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050243.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050244.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050246.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050248.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050249.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090974.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090975.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090976.exe infected by "not-a-virus:Porn-Dialer.Win32.ALifeDialer" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090979.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090980.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090981.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090982.exe infected by "Backdoor.Win32.DSNX.05.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP122\A0094398.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113633.exe infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113634.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113635.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113636.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113643.exe infected by "Trojan.Win32.KillAV.es" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113644.exe infected by "not-a-virus:AdWare.Gator.7035" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP139\A0113999.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP139\A0114020.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114057.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114063.exe infected by "Trojan-Dropper.Win32.VB.fq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114078.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

I won't be here tomorrow or during the week, so I hope we can handle this problem today :D
If it is not possible, I'll come back next weekend ^^.
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 03:25:44 PM
Go ahead and run Rkfiles.bat and post the log

Also run Export2.bat>>It's important that you unzip this and let me know if a text file is created, if so post the contents back here
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 03:25:50 PM
The check from rkfiles is running for now :)
And what is the export2.bat for? :huh:
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 03:27:56 PM
I'm checking on a registry key, so it's important that you run it and let me know if a text file is created
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 03:36:16 PM
Here is the rkfiles log B)
(I want to mention that at one moment it said that it couldn't find the path for something, but I don't remember what, sorry :huh: )

C:\Documents and Settings\guitoune\Bureau\telechargements

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\MEMORY.DMP: XMDbegin            pec2.xmd
C:\WINDOWS\MEMORY.DMP: XMDend              pec2.xmd

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

:)
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 03:38:19 PM
The export2.bat didn't create any *.txt file anywhere on my PC. I made a search but couldn't find one. :blink:
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 04:03:36 PM
Do you still have the log file saved from the Mwav scan
The way you pasted the scan results back will take a long time to go through
Are you altering it on purpose?
Please don't

You're going to have to give me some time to look it over

If you didn't alter the scan results
If you still have the scan results saved to a Notepad file
Can you open up the Notepad file that you saved the MWAV scan results to and
Click FORMAT>>WORD WRAP

And then copy and paste the contents back here again

This shouldn't be the case as your Hijackthis log looks perfectly fine
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 04:22:58 PM
:huh: Should I make a second scan if I don't have the entire log anymore?
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 04:30:59 PM
Nope, just let me look over this log

Can you do me one more favor please

Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK

regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"

Then see if you can find this text file

C:\find.txt
If you find it can you copy and paste the contents back here

Also, Do the following
Go to Device Manager
(Right click My Computer > Hardware tab > device manager)
Select View from the menu
Under view, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx

Let me know if you find it
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 04:38:05 PM
no find.txt file has been created o0
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 04:40:48 PM
And I can't find msdirectx in Non-Plug and Play Drivers.
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 04:42:14 PM
But there is a FILESpy thing there; is it something bad?
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 04:48:04 PM
The infected msdirectx.sys file that AVG detected is in my Documents and Settings folder. :)
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 05:09:43 PM
I am going to sleep now, but my little brother will post the virus log information from the second scan when it is finished, I think in something like half an hour or less. But he won't do much because he can't speak English well and he doesn't know many things about computers. So see you next Friday, and thank you very much for everything you have done. :)
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 05:11:20 PM
Let's try the following

Access your Control panel, Open the Java Icon, Under the general tab
Delete Files

==Download and save to Desktop
SpSeHjfix112.zip (http://www.derbilk.de/404.html)
From that link
Unzip the contents, so you now have SpSeHjfix112.exe on your desktop

Please download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe). *In the event you already have Killbox, this is a new version that I need you to download.*
* Save it to your desktop or a folder

Please Save these instructions to a Notepad file and save it to your Desktop or a folder
Disconnect completely from the Internet

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ludo\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe

O4 - HKLM\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] rundlI32.exe

O4 - HKCU\..\Run: [Windows Network Controller] rundlI32.exe


O4 - HKCU\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] rundlI32.exe

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O18 - Filter: text/html - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
O18 - Filter: text/plain - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


*I need you to copy all of the Killbox file paths below and paste them into Notepad.*
To open a Notepad file
Go to START>>RUN>>type in notepad
Hit OK
Save this file

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
IMPORTANT>>All the file paths that I posted below, must remain that way in Notepad
Don't put any spaces between them

*Killbox file paths between dotted lines*
=========================================
C:\WINDOWS\system32\rundlI32.exe
C:\WINDOWS\system32\icqjdhs.exe
C:\WINDOWS\system32\winDLL32.exe
C:\WINDOWS\dl-614.exe
C:\WINDOWS\System32\a.bat
C:\WINDOWS\System32\qthumt.exe
C:\WINDOWS\System32\zyzgru.exe
C:\WINDOWS\System32\xckpisz.exe
C:\WINDOWS\System32\msnmsgr.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\TFTP516
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\csrs.exe
C:\13.exe
C:\Documents and Settings\guitoune\msdirectx.sys
C:\Program Files\Fichiers communs\GMT\EGNSEngine.dll
C:\Program Files\Fichiers communs\GMT\GatorRes.dll
C:\Program Files\Fichiers communs\GMT\GatorStubSetup.exe
C:\Program Files\Fichiers communs\CMEII\GFormCTM.dll
C:\Program Files\Fichiers communs\CMEII\GSvcMgr.dll
C:\Program Files\Fichiers communs\CMEII\GSvcSAP.dll
C:\Program Files\Fichiers communs\CMEII\GDwldEng.dll
C:\Program Files\Fichiers communs\CMEII\GIocl.dll
C:\Program Files\Fichiers communs\CMEII\GIoclClient.dll
C:\Program Files\Fichiers communs\CMEII\GMTProxy.dll
C:\Program Files\Fichiers communs\CMEII\GStore.dll
C:\Program Files\Fichiers communs\CMEII\GStoreServer.dll

==========================================

*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

Restart back to SAFE MODE, but stay disconnected from the Internet

In safe mode find and delete these folders if found
C:\Program Files\Fichiers communs\GMT <-folder
C:\Program Files\Fichiers communs\CMEII <-folder

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off or Restart the computer

==Run SpSeHjfix112.exe by clicking Start Disinfection
It should reboot your computer
If not, reboot anyway back to Normal mode

In Normal mode
Run another scan with MWAV and copy and paste the findings back here
Don't alter it!!!

Post a fresh log from Normal mode with HijackThis
Also post the log from SpSeHjfix112.exe
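Most of the O4 entries ticked above are look-alikes of Windows binaries (rundlI32.exe with a capital I in place of rundll32.exe, winIogon.exe for winlogon.exe, csrs.exe for csrss.exe), path-less commands that Windows resolves by PATH search, a second program chained onto UserInit so it runs at every logon, and a MIME filter DLL that sees every text/html page before Internet Explorer renders it. The script below is an added example, not code from this thread or from HijackThis, that runs exactly those checks over a few lines copied from the log above. The list of imitated system binaries and the homoglyph table are assumptions chosen for illustration; a path-less entry on its own is only a hint (ALCWZRD.EXE in this log is legitimate), which is why it is reported separately from the look-alike finding.

```python
"""Triage of HijackThis startup lines for the tricks seen in this thread:
look-alike binary names, path-less commands, UserInit chaining and
text/html MIME filters. Added example; SAMPLE_LOG is copied from the
log above, SYSTEM_BINARIES and HOMOGLYPHS are illustrative assumptions."""
import re

# Assumption: Windows binaries whose names malware likes to imitate.
SYSTEM_BINARIES = {
    "rundll32.exe", "winlogon.exe", "csrss.exe", "explorer.exe",
    "userinit.exe", "svchost.exe", "lsass.exe", "services.exe",
    "smss.exe", "spoolsv.exe", "msnmsgr.exe", "iexplore.exe",
}

# Characters that render like others in common UI fonts. Applied before
# lower-casing so that a genuine 'i' is never rewritten to 'l'.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|com|bat|scr|pif|dll))\b', re.IGNORECASE)


def basename(cmd):
    """First executable-looking token of a command line, or None."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else None


def canonical(name):
    """Name with look-alike characters folded, then lower-cased."""
    return name.translate(HOMOGLYPHS).lower()


def within_one_edit(a, b):
    """True when a and b differ by exactly one insertion, deletion or
    substitution (a cheap Levenshtein bound, enough for typo-squats)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # character deleted in b
            i += 1
        elif len(a) < len(b):    # character inserted in b
            j += 1
        else:                    # substitution
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def flag_o4(line):
    """Findings for one O4 (autostart) line; [] when nothing stands out."""
    m = O4_RE.match(line)
    if not m:
        return []
    cmd = m.group("cmd")
    name = basename(cmd)
    if name is None:
        return []
    findings = []
    low, canon = name.lower(), canonical(name)
    if canon in SYSTEM_BINARIES and canon != low:
        findings.append(f"look-alike of {canon}: {name}")
    else:
        near = [g for g in sorted(SYSTEM_BINARIES) if within_one_edit(low, g)]
        if near:
            findings.append(f"near-miss of {near[0]}: {name}")
    if "\\" not in cmd:
        findings.append(f"no path, resolved by PATH search: {name}")
    return findings


def flag_f2(line):
    """UserInit normally lists only userinit.exe; extra entries also run at logon."""
    m = re.match(r"^F2 - REG:system\.ini: UserInit=(?P<val>.+)$", line)
    if not m:
        return []
    extras = [p.strip() for p in m.group("val").split(",")
              if p.strip() and p.strip().lower().rsplit("\\", 1)[-1] != "userinit.exe"]
    return [f"UserInit chains an extra program at logon: {p}" for p in extras]


def flag_o18(line):
    """A text/html or text/plain MIME filter sees every page before IE renders it."""
    m = re.match(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$", line)
    if not m:
        return []
    return [f"MIME filter on {m.group('mime')}: {m.group('dll')}"]


def triage(log_lines):
    """Map each suspicious log line to its list of findings."""
    out = {}
    for raw in log_lines:
        line = raw.strip()
        findings = flag_o4(line) + flag_f2(line) + flag_o18(line)
        if findings:
            out[line] = findings
    return out


# Constructed input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O18 - Filter: text/html - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
""".strip().splitlines()

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

Run against the full log it flags the four tampered lines and leaves the ATI and msconfig entries alone; the homoglyph fold is what catches rundlI32.exe, which a plain case-insensitive comparison against rundll32.exe would miss.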
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 05:17:16 PM
Quote: "Access your Control panel, Open the Java Icon, Under the general tab
Delete Files"
I can't see what you are speaking about there. ^^
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 05:26:59 PM
Go to START>>Control Panel
Open the Java Icon
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 05:58:06 PM
I am back and the collected.5.l trojan has gone thanks to you. :lol:
You have been really helpful to me. :)
So really, thank you.
Here is the SPSeHjFix.log.
The MWAV scan is running, so it will take something like one hour before I can post its log here. :(

(5/17/05 00:45:16) SPSeHjFix started v1.1.2
(5/17/05 00:45:16) OS: WinXP Service Pack 1 (5.1.2600)
(5/17/05 00:45:16) Language: français
(5/17/05 00:45:16) Win-Path: C:\WINDOWS
(5/17/05 00:45:16) System-Path: C:\WINDOWS\System32
(5/17/05 00:45:16) Temp-Path: C:\DOCUME~1\guitoune\LOCALS~1\Temp\
(5/17/05 00:45:35) Disinfection started
(5/17/05 00:45:35) Bad-Dll(IEP): c:\docume~1\ludo\locals~1\temp\se.dll
(5/17/05 00:45:35) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\diop.dll
(5/17/05 00:45:35) Searchassistant Uninstaller - Keys Deleted
(5/17/05 00:45:35) UBF: 7 - UBB: 2 - UBR: 20
(5/17/05 00:45:35) UBF: 7 - UBB: 2 - UBR: 20
(5/17/05 00:45:35) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\ludo\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(5/17/05 00:45:35) Stealth-String not found
(5/17/05 00:45:35) File added to delete: c:\windows\system32\diop.dll
(5/17/05 00:45:35) Reboot


(5/17/05 00:48:42) SPSeHjFix started v1.1.2
(5/17/05 00:48:42) OS: WinXP Service Pack 1 (5.1.2600)
(5/17/05 00:48:42) Language: français
(5/17/05 00:48:42) Win-Path: C:\WINDOWS
(5/17/05 00:48:42) System-Path: C:\WINDOWS\System32
(5/17/05 00:48:42) Temp-Path: C:\DOCUME~1\guitoune\LOCALS~1\Temp\
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 06:07:03 PM
Here is the MWAV HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 01:06:38, on 17/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\guitoune\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\guitoune\LOCALS~1\Temp\kavss.exe
C:\Documents and Settings\guitoune\Bureau\telechargements\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: BCDCPlusPlus.exe.lnk = C:\Documents and Settings\guitoune\BCDC++\DCPlusPlus.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fr/filesharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 06:45:37 PM
Just waiting on the MWAV scan, I take it.
Quote: "Here is the MWAV HijackThis log"

You posted the SPSeHjFix log and the HijackThis log.
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 15, 2005, 09:39:44 PM
And now the MWAV virus log information.


File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Claria Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\guitoune\Mes documents\Downloads\NoKeyPatch.exe infected by "Trojan-Dropper.Win32.VB.fq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Ludo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-770e497d.zip infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus. Action Taken: No Action Taken.
File C:\Program Files\Utilities\DivX_502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AIDA32\aida32.exe tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida32.bin tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida_directx.dll tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\Softwin\BitDefender8\Quarantine\crssrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042859.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042861.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042863.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042868.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042870.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042875.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042876.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047014.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047017.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047023.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047024.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047025.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047026.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047798.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047799.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047800.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047801.DLL infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047802.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047803.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047804.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047805.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047806.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047807.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050237.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050239.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050240.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050242.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050243.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050244.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050246.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050248.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050249.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090974.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090975.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090976.exe infected by "not-a-virus:Porn-Dialer.Win32.ALifeDialer" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090979.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090980.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090981.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090982.exe infected by "Backdoor.Win32.DSNX.05.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP122\A0094398.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113633.exe infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113634.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113635.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113636.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113643.exe infected by "Trojan.Win32.KillAV.es" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113644.exe infected by "not-a-virus:AdWare.Gator.7035" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114063.exe infected by "Trojan-Dropper.Win32.VB.fq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114135.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114136.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114137.exe infected by "Trojan-Downloader.Win32.Agent.mg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114138.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114139.bat infected by "Trojan.BAT.Zapchast" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114140.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114141.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114142.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114143.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114144.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114145.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114146.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114147.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114149.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114150.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114151.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114152.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114153.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114154.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114155.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114156.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114157.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114158.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114159.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114160.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.

and really, thanks for everything ^^
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 15, 2005, 10:22:29 PM
Can you navigate to, using Windows Explorer, and delete these 2 files:

C:\Documents and Settings\guitoune\Mes documents\Downloads\NoKeyPatch.exe <-this file

C:\Documents and Settings\Ludo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-770e497d.zip <-file

After that

Can I have you do the following: you appear to be controlling Startup entries with msconfig, not that there's anything wrong with that, but you may be hiding malicious activity.

Can you go to START>>RUN>>type in msconfig
Hit OK

Under the General tab select NORMAL STARTUP
Apply it and Close
But don't restart the computer yet

Instead, come back here and do another scan with Hijackthis and post a fresh log
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 16, 2005, 09:17:51 AM
I can't do that for now because I am not at home anymore. I won't be back on my own computer before Friday or Saturday. :(
See you soon :)
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 16, 2005, 09:20:38 AM
Of course I will do what you asked as soon as I am back ;)
Title: COLLECTED.5.L. trojan
Post by: guestolo on May 17, 2005, 12:08:55 AM
I hope to hear from you soon, but myself
I won't be around on the weekend as I'm going on the annual fishing trip with the guys

Post your log anyway when you can and I'll look at it when I get back; it would be best if you posted a log on Sunday, as that would give me the latest log of the weekend

I get back Sunday afternoon
Later :) Gone fishing
Title: COLLECTED.5.L. trojan
Post by: vguitoune on May 22, 2005, 12:23:50 PM
Here is the HijackThis log after I turned the boot back to normal.
I won't be there this week either (I am at home only on weekends) :(
But I will come back Friday in the afternoon. :D
See you soon.

Logfile of HijackThis v1.99.1
Scan saved at 19:20:33, on 22/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\guitoune\Bureau\telechargements\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\guitoune\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\vxjx.exe
O4 - HKLM\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: BCDCPlusPlus.exe.lnk = C:\Documents and Settings\guitoune\BCDC++\DCPlusPlus.exe
O4 - Startup: DC++.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O4 - Startup: Anti-Pub.lnk = C:\Program Files\Antipub\antipub.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fr/filesharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\system32\macupdate.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
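An added triage helper for the O4 (Run key) section of a HijackThis log. This is example code written for this page; it is not part of the thread, not a HijackThis feature, and the sample lines inside it are constructed in HijackThis's O4 format (a few are shaped like entries in the log above, the rest are ordinary vendor entries for contrast). It encodes the checks a helper does by eye when reading such a log: a filename that only looks like a core system process once you fold capital I / lowercase l and similar substitutions (winIogon.exe vs winlogon.exe), a core system process name that has no business being in a Run key at all, an entry with no path (so it is resolved through PATH and its real location is unknown), anything loaded from a Temp directory (including a DLL handed to rundll32), and an executable sitting in the root of a drive. A flag is a candidate for manual verification, not a verdict; a bare filename can be a legitimate vendor entry, and plenty of malware would pass every rule here.

```python
import re
from typing import Dict, List

# Processes the system starts itself (via smss/winlogon/services), never via a
# Run key. A Run entry using one of these names, or a look-alike of one, is
# worth verifying by hand.
PROTECTED = {"winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe",
             "services.exe", "smss.exe", "spoolsv.exe"}

# "O4 - HKLM\..\Run: [Label] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# First program-looking token of an unquoted command line (handles unquoted
# paths containing spaces, which are common in Run keys).
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|,|$)", re.IGNORECASE)

# Constructed sample lines in O4 format (not copied from a real machine).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\guitoune\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\vxjx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""


def first_token(cmd: str) -> str:
    """Program part of a command line: quoted path, else up to the first
    executable extension, else the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def loaded_file(cmd: str) -> str:
    """The file that actually gets executed or loaded. For rundll32 that is the
    DLL argument (before ',EntryPoint'), not rundll32 itself."""
    cmd = cmd.strip()
    head, _, rest = cmd.partition(" ")
    if basename(head).lower() in ("rundll32", "rundll32.exe") and rest:
        return first_token(rest).split(",")[0]
    return first_token(cmd)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def normalize_name(name: str) -> str:
    """Fold common visual substitutions so winIogon.exe compares equal to winlogon.exe."""
    return name.replace("I", "l").lower().replace("1", "l").replace("0", "o")


def reasons_for(cmd: str) -> List[str]:
    """Heuristic reasons an O4 command deserves manual verification (empty if none)."""
    target = loaded_file(cmd)
    name = basename(target)
    out: List[str] = []
    if name.lower() in PROTECTED:
        out.append(f"core system process name {name} does not belong in a Run key")
    elif normalize_name(name) in PROTECTED:
        out.append(f"filename {name} is a look-alike of {normalize_name(name)}")
    if "\\" not in target:
        out.append(f"bare filename {name}: resolved via PATH, real location unknown")
    if re.search(r"\\temp\\", target, re.IGNORECASE):
        out.append(f"{name} is loaded from a Temp directory")
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", target):
        out.append(f"{name} sits in the root of drive {target[0]}:")
    return out


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map 'HIVE [label]' -> reasons, for O4 Run entries that trip at least one rule."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = reasons_for(m.group("cmd"))
        if reasons:
            flagged[f"{m.group('hive')} [{m.group('label')}]"] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_O4_LINES).items():
        print(entry)
        for r in why:
            print("   -", r)
```

Running it on the constructed sample flags four of the eight entries (the look-alike winIogon.exe, the root-of-C: executable, the path-less crssrs.exe, and the rundll32 load from Temp) and stays quiet on the ATI, AVG and ctfmon entries. The unquoted ATI path with spaces is the reason the parser looks for an executable extension rather than splitting on the first space; a naive split would report C:\Program as a file in the root of the drive. Paste the O4 block of your own log into SAMPLE_O4_LINES, or feed the whole log file to triage(), and verify each flagged file by hand (location on disk, publisher, size, date) before deleting anything.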