Author Topic: COLLECTED.5.L. trojan  (Read 5698 times)

Offline vguitoune

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-0
COLLECTED.5.L. trojan
« on: May 15, 2005, 01:15:45 PM »
Hi there. I have got a problem with this COLLECTED.5.L trojan :( that AVG can't defeat :unsure:. I hope you can help me get rid of it :D
Here is my HijackThis log, which I eventually managed to run from safe mode (hard to get into that mode too with this trojan running) <_<

Logfile of HijackThis v1.99.1
Scan saved at 19:48:37, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\guitoune\Bureau\telechargements\logiciels\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ludo\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] rundlI32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SuperCopier.exe] C:\Program Files\SuperCopier\SuperCopier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] rundlI32.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: BCDCPlusPlus.exe.lnk = C:\Documents and Settings\guitoune\BCDC++\DCPlusPlus.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
O18 - Filter: text/plain - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


I hope this will be enough for you to find a way to help me.
Thank you for reading and answering me :)
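An added example, not part of the original post and not HijackThis code: a small Python script that reads O4 autorun lines in the shape of the log above and flags the tells an analyst looks for in them. It catches file names that imitate Windows binaries by swapping look-alike characters (rundlI32.exe with a capital I standing in for rundll32.exe), names one edit away from a system binary (spoolsvc.exe next to the real spoolsv.exe), values under RunServices (a key that only Windows 9x/ME honours, so on XP a value there is a mass-written persistence attempt and nothing a current installer produces), and commands that carry no path. The sample lines are a constructed subset copied in form from the log above; the list of known binary names, the confusable table and the edit-distance threshold are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Windows binaries that autorun malware most often imitates (the example's own list).
KNOWN_SYSTEM_BINARIES = {
    "rundll32.exe", "winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
    "services.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "ctfmon.exe", "userinit.exe", "iexplore.exe",
}

# Characters that are easy to confuse in a proportional font. Folding both the
# known names and the observed name through this table makes "rundlI32" == "rundll32".
_CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def fold(name: str) -> str:
    """Lower-case a file name and collapse look-alike characters."""
    return name.lower().translate(_CONFUSABLES)


_FOLDED_KNOWN = {fold(n): n for n in KNOWN_SYSTEM_BINARIES}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch names one typo off a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


# HijackThis 1.99 registry autorun lines look like: O4 - HKLM\..\Run: [ValueName] command
_O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def first_token(cmd: str) -> str:
    """Return the executable part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = _O4_RE.match(raw.strip())
        if not m:
            continue  # only registry Run* entries are examined here
        exe = first_token(m["cmd"])
        base_raw = exe.rsplit("\\", 1)[-1]
        base = base_raw.lower()
        stem = base[:-4] if base.endswith(".exe") else base

        folded = fold(base)
        if folded in _FOLDED_KNOWN and base != _FOLDED_KNOWN[folded]:
            findings.append(Finding("high", f"{base_raw} imitates {_FOLDED_KNOWN[folded]} with look-alike characters", raw))
        elif base not in KNOWN_SYSTEM_BINARIES:
            for known in sorted(KNOWN_SYSTEM_BINARIES):
                if levenshtein(stem, known[:-4]) == 1:
                    findings.append(Finding("medium", f"{base_raw} is one edit away from {known}", raw))
                    break

        if m["key"].startswith("RunServices"):
            findings.append(Finding("medium", "RunServices* is honoured only by Windows 9x/ME; on NT-family Windows nothing legitimate writes it", raw))
        if "\\" not in exe:
            findings.append(Finding("low", f"{base_raw} carries no path and is resolved through the search path at logon", raw))
    return findings


# Constructed sample in the shape of HijackThis O4 lines (a subset of the log in the post above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] rundlI32.exe
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The path-less check is deliberately low severity: the Realtek entries ALCWZRD.EXE and ALCMTR.EXE in the real log are bare names too, so that signal alone only says "look closer". The eScan results further down show why the folding step matters: winIogon.exe and csrs.exe sit in system32 next to the genuine winlogon.exe and csrss.exe, and a reader skimming a log in a proportional font will not see the difference.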

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
« Reply #1 on: May 15, 2005, 01:33:10 PM »
Before we try any fixes, can you do the following for me please?
Download and UNZIP to desktop Export2.zip
So you now have Export2.bat on the desktop
We'll need this later

==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder

==Download this virus checker from eScan: Mwav.exe
There's nothing to install, save it to your desktop
Double click to run eScan's Mwav scan
It will self extract
Before running you may want to disable Norton's autoprotect, so it won't get in the way
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take a while, let it finish
In the Virus Log Information pane
Left click and highlight all the info in the lower pane --- use the "CTRL and C" keys on your keyboard to copy all found in the lower pane and paste it back here

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

After posting the log from eScan's Mwav scan

Could you do the following

Ensure you're in Safe mode
Set Windows to show hidden files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide extensions for known file types option.
    * Click Yes to confirm.
    * Click OK.

Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Post the log back here

Could you also double click on Export2.bat on your desktop or wherever you unzipped Export2.bat to
IF a text file is placed on the desktop or in the same folder as Export2.bat by the name of Export.txt
Could you copy and paste that info back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline vguitoune

« Reply #2 on: May 15, 2005, 03:21:49 PM »
Hi again, and thank you for being so fast to answer :).
Here is the log from the Mwav scan. I think I forgot to mention that AVG detected the COLLECTED.5.L trojan in a file called msdirectx.sys, and of course deleting this file doesn't change anything <_<.

File C:\WINDOWS\system32\rundlI32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\icqjdhs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winDLL32.exe infected by "Trojan-Downloader.Win32.Agent.mg" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.blank Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Claria Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dl-614.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\a.bat infected by "Trojan.BAT.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qthumt.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\zyzgru.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\xckpisz.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnmsgr.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iexplore.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\TFTP516 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winIogon.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\csrs.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\13.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\a.bat infected by "Trojan.BAT.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\qthumt.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\zyzgru.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\xckpisz.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msnmsgr.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iexplore.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP516 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winIogon.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\csrs.exe infected by "Backdoor.Win32.PoeBot.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dl-614.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\guitoune\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Ludo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-770e497d.zip infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\GMT\EGNSEngine.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\GMT\GatorRes.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\GMT\GatorStubSetup.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GFormCTM.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GSvcMgr.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GSvcSAP.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GDwldEng.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GIocl.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GIoclClient.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GMTProxy.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GStore.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Fichiers communs\CMEII\GStoreServer.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Utilities\DivX_502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AIDA32\aida32.exe tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida32.bin tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\AIDA32\aida_directx.dll tagged as not-a-virus:RiskWare.Tool.AIDA.3862. No Action Taken.
File C:\Program Files\Softwin\BitDefender8\Quarantine\crssrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042859.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042861.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042863.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042868.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042870.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042875.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP84\A0042876.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047014.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047017.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047023.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047024.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047025.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP87\A0047026.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047798.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047799.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047800.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047801.DLL infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047802.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047803.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047804.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047805.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047806.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP91\A0047807.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050237.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050239.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050240.exe infected by "not-a-virus:AdWare.Gator.5112" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050242.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050243.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050244.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050246.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050248.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP109\A0050249.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090974.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090975.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090976.exe infected by "not-a-virus:Porn-Dialer.Win32.ALifeDialer" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090979.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090980.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090981.dll infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP121\A0090982.exe infected by "Backdoor.Win32.DSNX.05.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP122\A0094398.exe infected by "Trojan-Downloader.Win32.Small.apv" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113633.exe infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113634.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113635.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113636.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113643.exe infected by "Trojan.Win32.KillAV.es" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP138\A0113644.exe infected by "not-a-virus:AdWare.Gator.7035" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP139\A0113999.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP139\A0114020.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114057.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114063.exe infected by "Trojan-Dropper.Win32.VB.fq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{629BFA34-31AA-452C-B484-AA5E64422690}\RP140\A0114078.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.



I won't be here tomorrow or during the week, so I hope we can handle this problem today :D
If it is not possible, I'll come back next weekend ^^.

Offline guestolo

« Reply #3 on: May 15, 2005, 03:25:44 PM »
Go ahead and run Rkfiles.bat and post the log.

Also run Export2.bat >> it's important that you unzip this and let me know if a text file is created; if so, post the contents back here.

Offline vguitoune

« Reply #4 on: May 15, 2005, 03:25:50 PM »
The check from rkfiles is running for now :)
And what is the Export2.bat for? :huh:

Offline guestolo

« Reply #5 on: May 15, 2005, 03:27:56 PM »
I'm checking on a registry key, so it's important that you run it and let me know if a text file is created.

Offline vguitoune

« Reply #6 on: May 15, 2005, 03:36:16 PM »
Here is the rkfiles log B)
(I want to mention that at one moment it said that it couldn't find the path for something, but I don't remember what, sorry :huh:)



C:\Documents and Settings\guitoune\Bureau\telechargements
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\MEMORY.DMP: XMDbegin            pec2.xmd
C:\WINDOWS\MEMORY.DMP: XMDend              pec2.xmd
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye



:)

Offline vguitoune

« Reply #7 on: May 15, 2005, 03:38:19 PM »
The Export2.bat didn't create any *.txt file anywhere on my PC. I did a search but couldn't find one. :blink:

Offline guestolo

« Reply #8 on: May 15, 2005, 04:03:36 PM »
Do you still have the log file saved from the Mwav scan?
The way you pasted the scan results back will take a long time to go through.
Are you altering it on purpose?
Please don't.

You're going to have to give me some time to look it over.

If you didn't alter the scan results,
if you still have the scan results saved to a Notepad file,
can you open up the Notepad file that you saved the MWAV scan results to and
click FORMAT>>WORD WRAP?

And then copy and paste the contents back here again.

This shouldn't be the case, as your Hijackthis log looks perfectly fine.
« Last Edit: May 15, 2005, 04:06:51 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline vguitoune

COLLECTED.5.L. trojan
« Reply #9 on: May 15, 2005, 04:22:58 PM »
Should I make a second scan if I don't have the entire log anymore?

Offline guestolo

COLLECTED.5.L. trojan
« Reply #10 on: May 15, 2005, 04:30:59 PM »
Nope, just let me look over this log.

Can you do me one more favor, please?

Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
click OK:

regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"

Then see if you can find this text file

C:\find.txt
If you find it can you copy and paste the contents back here

Also, do the following:
Go to Device Manager
(Right click My Computer > Hardware tab > device manager)
Select View from the menu
Under view, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx

Let me know if you find it



Offline vguitoune

COLLECTED.5.L. trojan
« Reply #11 on: May 15, 2005, 04:38:05 PM »
No find.txt file has been created.

Offline vguitoune

COLLECTED.5.L. trojan
« Reply #12 on: May 15, 2005, 04:40:48 PM »
And I can't find msdirectx in Non-Plug and Play Drivers.

Offline vguitoune

COLLECTED.5.L. trojan
« Reply #13 on: May 15, 2005, 04:42:14 PM »
But there is a FILESpy thing there; is it something bad?

Offline vguitoune

COLLECTED.5.L. trojan
« Reply #14 on: May 15, 2005, 04:48:04 PM »
The infected msdirectx.sys file that AVG detected is in my Documents and Settings folder :)

Offline vguitoune

COLLECTED.5.L. trojan
« Reply #15 on: May 15, 2005, 05:09:43 PM »
I am going to sleep now, but my little brother will post the virus log information from the second scan when it is finished, I think in something like half an hour or less. But he won't do much, because he can't speak English well and he doesn't know many things about computers. So see you next Friday, and thank you very much for everything you have done :)

Offline guestolo

COLLECTED.5.L. trojan
« Reply #16 on: May 15, 2005, 05:11:20 PM »
Let's try the following

Access your Control panel, Open the Java Icon, Under the general tab
Delete Files

==Download and save to Desktop
SpSeHjfix112.zip
From that link
Unzip the contents, so you now have SpSeHjfix112.exe on your desktop

  Please download the Killbox by Option^Explicit. In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Save these instructions to a Notepad file and save it to your Desktop or a folder
Disconnect completely from the Internet

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Ludo\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe

O4 - HKLM\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] rundlI32.exe

O4 - HKCU\..\Run: [Windows Network Controller] rundlI32.exe


O4 - HKCU\..\Run: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] rundlI32.exe

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O18 - Filter: text/html - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
O18 - Filter: text/plain - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


I need you to copy all of the Killbox file paths below and paste them into Notepad.
To open a Notepad file
Go to START>>RUN>>type in notepad
Hit OK
Save this file

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
IMPORTANT>>All the file paths that I posted below, must remain that way in Notepad
Don't put any spaces between them

Killbox file paths between dotted lines
=========================================
C:\WINDOWS\system32\rundlI32.exe
C:\WINDOWS\system32\icqjdhs.exe
C:\WINDOWS\system32\winDLL32.exe
C:\WINDOWS\dl-614.exe
C:\WINDOWS\System32\a.bat
C:\WINDOWS\System32\qthumt.exe
C:\WINDOWS\System32\zyzgru.exe
C:\WINDOWS\System32\xckpisz.exe
C:\WINDOWS\System32\msnmsgr.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\TFTP516
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\csrs.exe
C:\13.exe
C:\Documents and Settings\guitoune\msdirectx.sys
C:\Program Files\Fichiers communs\GMT\EGNSEngine.dll
C:\Program Files\Fichiers communs\GMT\GatorRes.dll
C:\Program Files\Fichiers communs\GMT\GatorStubSetup.exe
C:\Program Files\Fichiers communs\CMEII\GFormCTM.dll
C:\Program Files\Fichiers communs\CMEII\GSvcMgr.dll
C:\Program Files\Fichiers communs\CMEII\GSvcSAP.dll
C:\Program Files\Fichiers communs\CMEII\GDwldEng.dll
C:\Program Files\Fichiers communs\CMEII\GIocl.dll
C:\Program Files\Fichiers communs\CMEII\GIoclClient.dll
C:\Program Files\Fichiers communs\CMEII\GMTProxy.dll
C:\Program Files\Fichiers communs\CMEII\GStore.dll
C:\Program Files\Fichiers communs\CMEII\GStoreServer.dll

==========================================

*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

Restart back to SAFE MODE, but stay disconnected from the Internet

In safe mode find and delete these folders if found
C:\Program Files\Fichiers communs\GMT <-folder
C:\Program Files\Fichiers communs\CMEII <-folder

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off or Restart the computer

==Run SpSeHjfix112.exe by clicking the Start Disinfection
It should reboot your computer
If not, reboot anyway back to Normal mode

In Normal mode
Run Another scan with Mwav and copy and paste the findings back here
Don't alter it!!!

Post a fresh log from Normal mode with hijackthis
Also post the log from SpSeHjfix112.exe

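The entries guestolo asks to fix show three persistence tricks worth a defender's eye: filenames that imitate Windows binaries with a capital I in place of a lowercase l (rundlI32.exe, winIogon.exe), an extra program appended to UserInit, and a MIME filter DLL registered for text/html. The Python triage script below is an added example, not the forum's own code nor a HijackThis feature; it parses a constructed sample of the thread's lines (plus one constructed O4 line for winIogon.exe) and flags those patterns, with the GENUINE list and severities being my assumptions.

```python
import re

# Constructed sample: HijackThis lines quoted in the thread, plus one constructed
# O4 line for winIogon.exe (the thread lists that name only as a Killbox path).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [Windows Network Controller] rundlI32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [Logon Helper] winIogon.exe
O18 - Filter: text/html - {041934EC-7E9B-4CD2-B5F6-1A6B57B997B8} - C:\WINDOWS\System32\diop.dll
""".strip().splitlines()

# Windows binaries whose names the entries above imitate (assumed short list).
GENUINE = ["rundll32.exe", "winlogon.exe", "csrss.exe", "userinit.exe", "explorer.exe", "msconfig.exe"]
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

def _fold(name):
    # Collapse characters that look alike in common UI fonts: I/i/1 -> l, 0 -> o.
    return name.lower().translate(str.maketrans("i1", "ll")).replace("0", "o")

def lookalike(filename):
    """Return the genuine binary that `filename` imitates, or None if genuine or unrelated."""
    low = filename.lower()
    for real in GENUINE:
        if low != real and _fold(low) == _fold(real):
            return real
    return None

def triage(lines):
    """Return (severity, reason, line) for each HijackThis line that deserves a second look."""
    findings = []
    for line in lines:
        if line.startswith("F2 - REG:system.ini: UserInit="):
            entries = [e.strip().lower() for e in line.split("=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if e.rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:  # anything beyond userinit.exe is launched at every logon
                findings.append(("high", "extra UserInit entry: " + ", ".join(extra), line))
        elif line.startswith("O18 - Filter: text/"):
            findings.append(("high", "MIME filter DLL sits in the path of every page IE renders", line))
        elif (m := O4_RE.match(line)):
            cmd = m.group(4)
            exe = cmd.split()[0].rsplit("\\", 1)[-1]  # basename; sample paths contain no spaces
            real = lookalike(exe)
            if real:
                findings.append(("high", f"{exe} imitates {real} (homoglyph filename)", line))
            elif "\\" not in cmd:
                findings.append(("medium", f"{exe} has no path; resolved through the search order", line))
    return findings
```

Running triage(SAMPLE_LOG) flags five of the six lines; the msconfig.exe entry is left alone because its name is genuine and it carries a full path.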


Offline vguitoune

COLLECTED.5.L. trojan
« Reply #17 on: May 15, 2005, 05:17:16 PM »
quote: "Access your Control panel, Open the Java Icon, Under the general tab
Delete Files"
I can't see what you are speaking about there ^^

Offline guestolo

COLLECTED.5.L. trojan
« Reply #18 on: May 15, 2005, 05:26:59 PM »
Go to START>>Control Panel
Open the Java Icon



Offline vguitoune

COLLECTED.5.L. trojan
« Reply #19 on: May 15, 2005, 05:58:06 PM »
I am back, and the collected.5.l trojan has gone thanks to you.
You have been really helpful to me.
So really, thank you.
Here is the SPSeHjFix.log.
The MWAV scan is running, so it will take something like one hour before I can post its log here.

(5/17/05 00:45:16) SPSeHjFix started v1.1.2
(5/17/05 00:45:16) OS: WinXP Service Pack 1 (5.1.2600)
(5/17/05 00:45:16) Language: français
(5/17/05 00:45:16) Win-Path: C:\WINDOWS
(5/17/05 00:45:16) System-Path: C:\WINDOWS\System32
(5/17/05 00:45:16) Temp-Path: C:\DOCUME~1\guitoune\LOCALS~1\Temp\
(5/17/05 00:45:35) Disinfection started
(5/17/05 00:45:35) Bad-Dll(IEP): c:\docume~1\ludo\locals~1\temp\se.dll
(5/17/05 00:45:35) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\diop.dll
(5/17/05 00:45:35) Searchassistant Uninstaller - Keys Deleted
(5/17/05 00:45:35) UBF: 7 - UBB: 2 - UBR: 20
(5/17/05 00:45:35) UBF: 7 - UBB: 2 - UBR: 20
(5/17/05 00:45:35) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\ludo\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(5/17/05 00:45:35) Stealth-String not found
(5/17/05 00:45:35) File added to delete: c:\windows\system32\diop.dll
(5/17/05 00:45:35) Reboot


(5/17/05 00:48:42) SPSeHjFix started v1.1.2
(5/17/05 00:48:42) OS: WinXP Service Pack 1 (5.1.2600)
(5/17/05 00:48:42) Language: français
(5/17/05 00:48:42) Win-Path: C:\WINDOWS
(5/17/05 00:48:42) System-Path: C:\WINDOWS\System32
(5/17/05 00:48:42) Temp-Path: C:\DOCUME~1\guitoune\LOCALS~1\Temp\