Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

nightmare with malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

nightmare with malware

Unread postby jimbojet » September 1st, 2007, 1:57 pm

Hello folks

I can't seem to rid myself of a very pernicious little beast. Whenever I boot up, I almost immediately see Norton Antivirus going mad, flooding me with messages to tell me that the e-mails I'm sending are being blocked, have not been accepted, etc. So I'm clearly being used as a spammer. Norton itself says I'm clean, AdWare and Spybot found a few tracker cookies, and Trojan Hunter found Generic.Winrardrop.B and quarantined it but still the e-mails keep flying out. Here's my HiJack This log, and I would be grateful beyond words if you could lend me a hand.

Thanks

Jim

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:45:51, on 01/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hijack This\scanner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... -online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3961704303
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - http://www.fnacmusic.com/telechargement ... posant.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Service de configuration Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 12575 bytes
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche
Advertisement
Register to Remove

Unread postby Bob4 » September 3rd, 2007, 7:02 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.



Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!




______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

If you do not recognize this site of this file please have HJT fix it.

O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - <http://www.fnacmusic.com/telechargementFnacmusic/FnacComposant.cab>




_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.


C:\Drivers\SECEDIT.EXE


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html








______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).


AVG Anti-Spyware:
________________________________________
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).



    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    • Open up AVG anti Malware

Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
  • Make sure that Set all elements to: shows Quarantine
  • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
  • When the program has finished, it will display the message All actions have been applied.
  • Then click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot in normal mode.


_______________________________________



_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from AVG anti Malware
  • The report from Jottis/Virus total

User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby jimbojet » September 3rd, 2007, 2:41 pm

Thanks

Right, first of all, the new HJT log following what you asked me to do:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:32:46, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijack This\scanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... -online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3961704303
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - http://www.fnacmusic.com/telechargement ... posant.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Service de configuration Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 12566 bytes



Second, you asked me to send upload SECEDIT. exe to jotti, which I did, although despite the file appearing in the HJT log, it doesn't appear to be on the computer

File: SECEDIT.EXE
Status:
OK
MD5: f7bed38b1960e6a1b48825a9ca50ba79
Packers detected:
-
Bit9 reports: File not found


Scan taken on 03 Sep 2007 12:48:43 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Finally, you requested the AVG Antispyware log, here:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:18:40 03/09/2007

+ Scan result:



:mozilla.42:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.66:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.32:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Co : Cleaned.
:mozilla.118:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.37:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.38:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.41:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.9:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.55:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.93:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.94:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.33:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.23:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.24:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.26:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.27:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.31:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.105:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.106:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.107:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.111:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.20:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.44:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.127:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.128:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.129:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.130:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.131:C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end



Many thanks once again.

Best

Jim
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby Bob4 » September 3rd, 2007, 4:02 pm

Second, you asked me to send upload SECEDIT. exe to jotti, which I did,
although despite the file appearing in the HJT log, it doesn't appear to be on the computer


It's on your computer. Some files are hidden by both windows (for your protection) and malware (for it's protection).
I can find it if we need too! Looks to be a safe file as I have done some other checking around. Don't give up hope though. We'll find the culprit. ;)



______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).



_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer



The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby jimbojet » September 4th, 2007, 2:56 am

OK, Kaspersky found a bunch of stuff, report below. Can I say thanks again, or do you get bored of people saying that? :lol:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 04, 2007 8:54:19 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/09/2007
Kaspersky Anti-Virus database records: 403200
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 80559
Number of viruses found: 2
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 03:13:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06282007-092611.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-09-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1E40ADB4.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3B67D9EC.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet Files\Content.IE5\FH9AZXFD\index[1].htm Infected: Trojan-Downloader.JS.IESlice.c skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\cert8.db Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\formhistory.dat Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\history.dat Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\key3.db Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\parent.lock Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\search.sqlite Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavli ... /[From "BB&T" <clientservice_94678098464ib@bbt.com>][Date Tue, 27 Feb 2007 13:29:55 +0100 ( ... /UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavli ... /[From "BB&T" <clientservice_94678098464ib@bbt.com>][Date Tue, 27 Feb 2007 13:29:55 +0100 (CET)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[F ... /[From Jacob I Lee <jacoblee@CSUFRESNO.EDU>][Date Mon, 26 Feb 2007 11:10:24 -0800]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[F ... / ... /[From "Newton Branch" <lezerosive@9cy.com>][Date Fri, 2 Mar 2007 19:20:57 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[F ... /[From Jacob I Lee <jacoblee@CSUFRESNO.EDU>][Date Mon, 26 Feb 2007 10:10:29 -0800]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LIN ... /[From ... /[From rousseau@abbaye-tradweb.com][Date 26 Feb 2007 19:02:22 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LIN ... /[From "Alonzo Cohen" <cnixx@yelucie.com>][Date Mon, 26 Feb 2007 18:01:59 -0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LINGUIST Network <lingui ... /[From luxun@icilabas.com][Date 26 Feb 2007 18:53:26 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Sun, 25 Feb 2007 23:57:25 -0500]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik <Anthropmor@AOL.COM>][Date Mon, 26 Feb 2007 09:41:45 EST]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Copie de Inbox Mail Berkeley mbox: infected - 14 skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavli ... /[From "BB&T" <clientservice_94678098464ib@bbt.com>][Date Tue, 27 Feb 2007 13:29:55 +0100 ( ... /UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavli ... /[From "BB&T" <clientservice_94678098464ib@bbt.com>][Date Tue, 27 Feb 2007 13:29:55 +0100 (CET)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[F ... /[From Jacob I Lee <jacoblee@CSUFRESNO.EDU>][Date Mon, 26 Feb 2007 11:10:24 -0800]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[F ... / ... /[From "Newton Branch" <lezerosive@9cy.com>][Date Fri, 2 Mar 2007 19:20:57 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[F ... /[From Jacob I Lee <jacoblee@CSUFRESNO.EDU>][Date Mon, 26 Feb 2007 10:10:29 -0800]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LIN ... /[From ... /[From rousseau@abbaye-tradweb.com][Date 26 Feb 2007 19:02:22 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LIN ... /[From "Alonzo Cohen" <cnixx@yelucie.com>][Date Mon, 26 Feb 2007 18:01:59 -0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LINGUIST Network <lingui ... /[From luxun@icilabas.com][Date 26 Feb 2007 18:53:26 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik ... /[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Sun, 25 Feb 2007 23:57:25 -0500]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text/[From Mike Pavlik <Anthropmor@AOL.COM>][Date Mon, 26 Feb 2007 09:41:45 EST]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED/[From Emilie L'Hote <lhote_emilie@hotmail.com>][Date Thu, 7 Dec 2006 11:14:23 +0100]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED/[From "gigi" <gigi@ttcasia.com>][Date Thu, 7 Dec 2006 13:03:18 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text/[From Aude Lesimple <Aude.Lesimple@univ-lyon2.fr>][Date Wed, 06 Dec 2006 16:23:55 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox/[From LINGUIST Network <linguist@LINGUISTLIST.ORG>][Date Tue, 21 Nov 2006 14:52:42 -0500]/text Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\NEC\Application Data\Thunderbird\Profiles\mu6m1f06.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 14 skipped
C:\Documents and Settings\NEC\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbdam Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbdao Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbeam Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbeao Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbm Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\fii.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\fiih.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\hp Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\rpm.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Google\Google Desktop\8276f565e0c3\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3tyblhw.Jim\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Temp\~DF4743.tmp Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\NEC\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NEC\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NEC\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Fichiers communs\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP180\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C9ABFB71-EEC1-4F4A-B23C-8148F5CE9B1F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xpdx.sys Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby Bob4 » September 4th, 2007, 12:34 pm

Looks as if somethings got in through your email .

I'm not extremely familiar with thunder bird. But here's what I want you to do.
Open thunder bird.
Look in your in box for this Email.

From :
Aude Lesimple

Dated

:Tue, 21 Nov 2006....

Delete it.
____________________
Open Copie de Inbox from within thunderBird.

Look for the same Email and delete it.

Go to your deleted folder in thunder Bird and permanently delete both of those.

If you DO NOT recognize this Person or Email address delete anything you have from Aude Lesimple



___________________________________
Reconfigure Windows XP to show hidden files::

Click Start. My Computer.
Select the Tools menu Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
___________________________________
Search for and remove
Now I want you to search for and delete the following folder and all it's contents if present. If you need help finding them.
Click start /search/ all files and folders/ look for More advanced options. once in there select the first 3 boxes.
Please just remove the files/folders I listed in BOLD

Navigate to

C:\Documents and Settings\Cathy\Local Settings\Temporary Internet Files

I want you to delete everything in there. Let me know if something doesn't get deleted.

If you need help doing this:

On top of that window choose edit/ select all Then choose file /delete. Agree to the confirmation do you want to send ** file to the recycle bin.
Then go and empty the recycle bin.

______________________________________


Lets get another scan.

1. Download Combo fix from one of these locations.
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply . (c:\Combofix.txt)

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Combo fix
  • Let me know you were able to completely empty the temp internet file folder
  • Is Norton's still warning you ???

User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby jimbojet » September 6th, 2007, 3:51 am

Sorry to have been a little late getting back:

First, here's the latest HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:13:34, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\Program Files\Hijack This\scanner.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... -online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3961704303
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - http://www.fnacmusic.com/telechargement ... posant.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Service de configuration Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 12493 bytes


Second, the Combo fix log

ComboFix 07-08-30.3 - "NEC" 2007-09-05 0:58:34.2 - NTFSx86
Microsoft Windows XP Â
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby Bob4 » September 6th, 2007, 7:18 am

It looks like you have been infected by a backdoor trojan. RustockB.

http://www.symantec.com/security_respon ... 13-1305-99

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.

___________________________




Download RustBFix from one of the following locations...
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.



___________________________________
Reconfigure Windows XP to show hidden files::

Click Start. My Computer.
Select the Tools menu Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
___________________________________
Search for and remove
Now I want you to search for and delete the following folder and all it's contents if present. If you need help finding them.
Click start /search/ all files and folders/ look for More advanced options. once in there select the first 3 boxes.
Please just remove the files/folders I listed in BOLD

C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2


_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.


C:\WINDOWS\system32\bdod.bin



Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html



_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Rustock fix
  • The report from Jottis/Virus total
  • Let me know you were able to remove those 3 files .


User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby jimbojet » September 6th, 2007, 8:53 am

Hi

My first reply doesn't seem to have gone through, my apologies if I'm repeating myself. Just before I go ahead with what you've asked, a little question if I may. The infected machine we're working on is a laptop which I use in a home wireless network along with my desktop. The desktop Norton hasn't ever gone mad, but given the seriousness of the infection you've spotted, should I be getting worried about the desktop?

In the meantime, I shall get on trying to re-do all my passwords (God help me...).

Thanks

Jim
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby Bob4 » September 6th, 2007, 11:23 am

The infection itself is not a network installed. So no reason to panic about your desktop.
When we are done with your lap top you can by all means post a new topic for the desktop. And this should be done as a new topic.
But please let's get the lap top first. Other wise things may become confusing. This infection is fairly easily removed with the fixes I have asked you to use.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby jimbojet » September 6th, 2007, 11:58 am

OK, let's go with trying to fix this thing rather than re-formatting the whole shebang. Here's what you asked for:

* A new HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:55:12, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... -online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3961704303
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - http://www.fnacmusic.com/telechargement ... posant.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Service de configuration Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 12486 bytes


* The report from Rustock fix

C:\WINDOWS\system32
No streams found.

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
06/09/2007 17:41:51,87

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

* The report from Jottis/Virus total

File: bdod.bin_
Status:
OK
MD5: aff2483458ccd8f2848d587059a36d54
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 06 Sep 2007 15:46:04 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


* Let me know you were able to remove those 3 files .

Yes, I was. For info, there was a ihhkj.ini2 and a ihhkj.tmp

Best

Jim
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby jimbojet » September 6th, 2007, 12:53 pm

As an addendum to what I've just written - I apparently bought a little over €2000 worth of Italian railway tickets on Sunday... I had a look at my account on line after your warning. So there's something else for me to sort out...

Best

A temporarily poorer Jim
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby Bob4 » September 6th, 2007, 3:11 pm

Ok everything is looking OK at this point.
The infection we found.
Rustock B is now targeted by Combofix. So it took it out quickly.
That explains why RustockB fix didn't find anything.



You need to update SunJava for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6u2
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.



Please post another HJT log and let me know how things are running.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby jimbojet » September 6th, 2007, 6:45 pm

** Please post another HJT log and let me know how things are running.

Things are very smooth. I booted up and left the machine for an hour, and there seems to be no activity, and Norton is dozing quietly. Here's the latest HJT

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:29:22, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId= ... -online.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-online.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SECEDIT] C:\Drivers\SECEDIT.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3961704303
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - http://www.fnacmusic.com/telechargement ... posant.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Service de configuration Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 12430 bytes


Best

Jim
jimbojet
Regular Member
 
Posts: 24
Joined: September 1st, 2007, 1:48 pm
Location: St ALban deRoche

Unread postby Bob4 » September 10th, 2007, 3:25 pm

Sorry it took so long for me to get back with you. I wasn't notified by email of your reply.


Did you delete these files as I asked ?

C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2


Please let me know.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 301 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware