Author Topic: COLLECTED.5.L. trojan  (Read 5677 times)

vguitoune
COLLECTED.5.L. trojan
« Reply #20 on: May 15, 2005, 06:07:03 PM »
Here is the MWAV HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 01:06:38, on 17/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\guitoune\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\guitoune\LOCALS~1\Temp\kavss.exe
C:\Documents and Settings\guitoune\Bureau\telechargements\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: BCDCPlusPlus.exe.lnk = C:\Documents and Settings\guitoune\BCDC++\DCPlusPlus.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

guestolo
COLLECTED.5.L. trojan
« Reply #21 on: May 15, 2005, 06:45:37 PM »
Just waiting on the MWAV scan, I take it.
Quote from vguitoune: Here is the MWAV HijackThis log.

You posted SPSeHjFix and the hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


vguitoune
COLLECTED.5.L. trojan
« Reply #22 on: May 15, 2005, 09:39:44 PM »
And now the MWAV virus log information.


File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Claria Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\guitoune\Mes documents\Downloads\NoKeyPatch.exe infected by "Trojan-Dropper.Win32.VB.fq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Ludo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-770e497d.zip infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus. Action Taken: No Action Taken.
File C:\Program Files\Utilities\DivX_502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AIDA32\aida32.exe tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida32.bin tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida_directx.dll tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\Softwin\BitDefender8\Quarantine\crssrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042859.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042861.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042863.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042868.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042870.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042875.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042876.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047014.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047017.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047023.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047024.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047025.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047026.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047798.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047799.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047800.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047801.DLL infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047802.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047803.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047804.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047805.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047806.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047807.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050237.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050239.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050240.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050242.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050243.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050244.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050246.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050248.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050249.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090974.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090975.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090976.exe infected by "not-a-virus:Porn-Dialer.Win32.ALifeDialer" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090979.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090980.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090981.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090982.exe infected by "Backdoor.Win32.DSNX.05.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP122\A0094398.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113633.exe infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113634.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113635.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113636.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113643.exe infected by "Trojan.Win32.KillAV.es" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113644.exe infected by "not-a-virus:AdWare.Gator.7035" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114063.exe infected by "Trojan-Dropper.Win32.VB.fq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114135.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114136.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114137.exe infected by "Trojan-Downloader.Win32.Agent.mg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114138.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114139.bat infected by "Trojan.BAT.Zapchast" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114140.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114141.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114142.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114143.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114144.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114145.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114146.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114147.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114149.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114150.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114151.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114152.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114153.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114154.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114155.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114156.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114157.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114158.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114159.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114160.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.

And really, thanks for all ^^

guestolo
COLLECTED.5.L. trojan
« Reply #23 on: May 15, 2005, 10:22:29 PM »
Can you navigate to, using Windows Explorer, and delete these 2 files:

C:\Documents and Settings\guitoune\Mes documents\Downloads\NoKeyPatch.exe <-this file

C:\Documents and Settings\Ludo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-770e497d.zip <-file

After that

Can I have you do the following? You appear to be controlling Startup entries with msconfig; not that there's anything wrong with that, but you may be hiding malicious activity.

Can you go to START>>RUN>>type in msconfig
Hit OK

Under the General tab select NORMAL STARTUP
Apply it and Close
But don't restart the computer yet

Instead, come back here and do another scan with HijackThis and post a fresh log.


vguitoune
COLLECTED.5.L. trojan
« Reply #24 on: May 16, 2005, 09:17:51 AM »
I can't do that for now because I am not at home anymore. I won't be back on my own computer before Friday or Saturday. :(
See you soon :)

vguitoune
COLLECTED.5.L. trojan
« Reply #25 on: May 16, 2005, 09:20:38 AM »
Of course I will do what you asked me as soon as I am back ;)

guestolo
COLLECTED.5.L. trojan
« Reply #26 on: May 17, 2005, 12:08:55 AM »
I hope to hear from you soon, but myself, I won't be around on the weekend as I'm going on the annual fishing trip with the guys.

Post your log anyway when you can and I'll look at it when I get back. It would be best if you posted a log on Sunday, as that would give me the latest log of the weekend.

I get back Sunday afternoon
Later :) Gone fishing


vguitoune
COLLECTED.5.L. trojan
« Reply #27 on: May 22, 2005, 12:23:50 PM »
Here is the HijackThis log after I turned the boot back to normal.
I won't be there this week either (I am at home only on weekends) :(
But I will come back Friday in the afternoon. :D
See you soon.

Logfile of HijackThis v1.99.1
Scan saved at 19:20:33, on 22/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SuperCopier\SuperCopier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\guitoune\Bureau\telechargements\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\guitoune\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\vxjx.exe
O4 - HKLM\..\Run: [MotherBoard Sounds] sounds.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: BCDCPlusPlus.exe.lnk = C:\Documents and Settings\guitoune\BCDC++\DCPlusPlus.exe
O4 - Startup: DC++.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O4 - Startup: Anti-Pub.lnk = C:\Program Files\Antipub\antipub.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\system32\macupdate.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe