FOUND.000 ...help!

Prun's (Posted messages: 3, Status: Member)
Hello,
I installed TreeSize to deal with infected files in a folder named FOUND.000.
How do you use it?
Thanks
Configuration: Windows XP / Internet Explorer 7.0

6 replies

jfkpresident (Posted messages: 13877, Status: Security contributor)
 
* Restart the computer in safe mode (when the computer starts, press F8)
* Double click on SmitfraudFix.exe
* Select 2 and press Enter in the menu to remove the files responsible for the infection.
* When asked: Do you want to clean the registry? answer Y (yes) and press Enter to unlock the wallpaper and remove the registry keys of the infection.
* The fix will determine if the file wininet.dll is infected. When asked: Fix the infected file? answer Y (yes) and press Enter to replace the corrupted file.
* A restart may be required to complete the cleaning procedure. The report is located at the root of the system drive C:\rapport.txt

Then:

Download ComboFix from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
https://forospyware.com
http://www.geekstogo.com/forum/files/file/197-combofix-by-subs/

And importantly, save it on the desktop.

Before using ComboFix:

- Disconnect from the internet and close all running program windows.

- Temporarily disable, only while ComboFix is running, the real-time protection of your antivirus and antispyware; it can seriously hinder the tool's search and cleaning.

Once done, on your desktop double-click on Combofix.exe.

- Answer yes to the warning message, so the program can start scanning the PC.

/!\ During this step, do not use the PC and do not open any programs.

- At the end of the scan, ComboFix may need to restart the PC to finalize the disinfection/search, let it do so.

- A report will then open in Notepad; this report file, Combofix.txt, is automatically saved at C:\Combofix.txt.

- Reactivate the real-time protection of your antivirus and antispyware before reconnecting to the internet.

- Go back to the forum, and copy and paste the entire content of C:\Combofix.txt into your next message.

--
**if I don't respond immediately, it's because I also have a job and a family**
1
Prun's
 
the continuation ...

the procedure was a bit different (it didn't ask to fix anything, I restarted on purpose to make sure it finished, and it downloaded a "backup" program that is apparently essential)

here is the report:


ComboFix 09-03-04.01 - Bruno 2009-03-05 13:59:12.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1036.18.319.161 [GMT 1:00]
Launched from: c:\documents and settings\Bruno\Desktop\ComboFix.exe
AV: AntiVirus Firewall 6.15 *On-access scanning disabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090303-2] *On-access scanning disabled* (Updated)
FW: AntiVirus Firewall 6.15 *disabled*
* A new restore point has been created
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\HbTools
c:\windows\start.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mdm.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Web\default.htt

.
((((((((((((((((((((((((((((( Files created from 2009-02-05 to 2009-03-05 ))))))))))))))))))))))))))))))))))))
.

2009-02-28 20:07 . 2009-02-28 20:07 <REP> d-------- c:\documents and settings\Bruno\Application Data\JAM Software
2009-02-11 10:22 . 2009-02-11 10:22 <REP> d--hs---- C:\FOUND.034
2009-02-11 10:06 . 2009-02-11 10:06 <REP> d--hs---- C:\FOUND.033

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 11:50 --------- d-----w c:\program files\AVS4YOU
2009-02-03 11:37 --------- d-----w c:\documents and settings\Bruno\Application Data\AVS4YOU
2009-02-03 11:37 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-02-03 11:34 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-16 20:15 3,594,752 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-20 22:47 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll
2008-12-20 22:47 826,368 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2008-12-20 22:47 671,232 ----a-w c:\windows\SYSTEM32\dllcache\mstime.dll
2008-12-20 22:47 477,696 ----a-w c:\windows\SYSTEM32\dllcache\mshtmled.dll
2008-12-20 22:47 44,544 ----a-w c:\windows\SYSTEM32\dllcache\pngfilt.dll
2008-12-20 22:47 233,472 ----a-w c:\windows\SYSTEM32\dllcache\webcheck.dll
2008-12-20 22:47 193,024 ----a-w c:\windows\SYSTEM32\dllcache\msrating.dll
2008-12-20 22:47 105,984 ----a-w c:\windows\SYSTEM32\dllcache\url.dll
2008-12-20 22:47 102,912 ----a-w c:\windows\SYSTEM32\dllcache\occache.dll
2008-12-20 22:47 1,160,192 ----a-w c:\windows\SYSTEM32\dllcache\urlmon.dll
2008-12-19 09:11 70,656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\dllcache\srv.sys
2006-08-14 15:53 0 ---ha-w c:\program files\hpothb07.tif
2006-08-14 15:53 0 ---ha-w c:\program files\hpothb07.dat
2006-03-19 13:16 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
1999-06-10 15:11 266 --sh--w c:\program files\desktop.ini
1999-06-10 15:11 11,208 ---h--w c:\program files\folder.htt
2008-10-19 16:00 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101920081020\index.dat
.

((((((((((((((((((((((((((((((((( Registry Load Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty items & initial legitimate items are not listed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2006-01-24 7094272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2000-01-04 19456]
"F-Secure Manager"="c:\program files\AntivirusFirewall\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="c:\program files\AntivirusFirewall\TNB\TNBUtil.exe" [2005-07-18 700416]
"F-Secure Startup Wizard"="c:\program files\AntivirusFirewall\FSGUI\FSSW.EXE" [2005-10-18 372736]
"News Service"="c:\program files\AntivirusFirewall\FSGUI\ispnews.exe" [2005-05-31 356352]
"WOOWATCH"="c:\progra~1\WANADOO\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\WANADOO\GestMaj.exe" [2004-10-14 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"Share-to-Web Namespace Daemon"="C:\hpgs2wnd.exe" [2002-04-17 69632]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Bruno\Start Menu\Programs\Startup\
Microsoft Accelerated Search.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1999-01-22 131133]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-01-27 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-02-23 225280]
Antivirus Firewall.lnk - c:\program files\AntivirusFirewall\backweb\6588780\Program\fspex.exe [2006-12-28 32807]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"MSACM.sx5363s"= sx5363s.acm
"msacm.wpdigitalk"= wpdigitalk.acm
"VIDC.MJPG"= PMJPEG32.DLL
"VIDC.V261"= VX3000S.DRV
"VIDC.VXSP"= VX1000SP.DRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"TridTray"=c:\windows\SYSTEM32\TRIDTRAY.EXE
"Onscreen Display"=c:\program files\Netropa\Onscreen Display\OSD.exe
"PE2CKFNT SE"=c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
"WOOWATCH"=c:\progra~1\WANADOO\Watch.exe
"LoadQM"=loadqm.exe
"avast! Web Scanner"=c:\progra~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
"LexStart"=Lexstart.exe
"LXSUPMON"=c:\windows\SYSTEM32\lxsupmon.exe RUN
"wlancfg"=c:\program files\Inventel\Gateway\wlancfg.exe
"WOOTASKBARICON"=c:\progra~1\WANADOO\GestMaj.exe TaskBarIcon.exe
"CamMonitor"=c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"ashMaiSv"=c:\progra~1\ALWILS~1\AVAST4\ashmaisv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AntivirusFirewall\\backweb\\6588780\\Program\\fspex.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=

R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [2006-12-28 70896]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2009-03-01 20560]
R2 BackWeb Plug-in - 6588780;Antivirus Firewall;c:\progra~1\ANTIVI~1\backweb\6588780\Program\SERVIC~1.EXE [2006-12-28 32807]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\AntivirusFirewall\Anti-Virus\win2k\FSfilter.sys [2006-12-28 48720]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\AntivirusFirewall\Anti-Virus\win2k\fsgk.sys [2006-12-28 62176]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\AntivirusFirewall\Anti-Virus\win2k\FSrec.sys [2006-12-28 16816]
S3 NtApm;NT APM Interface Driver/Legacy;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [2001-08-23 9472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_05A9&PID_8519&MI_01\1USB&VID_05A9&PID_8519&INST_0

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2006-07-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\SYMANTEC\LIVEUPDATE\NDETECT.EXE [2005-01-27 15:59]

2009-03-05 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\ANTIVI~1\ANTI-V~1\fsav.exe [2005-06-15 20:56]
.
- - - - REMOVED ORPHANS - - - -

ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
HKCU-Run-dlmMgr - c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe


.
------- Additional examination -------

uStart Page = hxxp://www.orange.fr
mWindow Title = Wanadoo
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Block this popup window - c:\program files\AntivirusFirewall\Anti-Spyware\blockpopups.htm
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 14:02:13
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Searching for hidden processes ...

Searching for hidden autorun items ...

Searching for hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded in active processes ---------------------

- - - - - - - > 'winlogon.exe'(360)
c:\program files\AntivirusFirewall\FWES\Program\fsdc.dll
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\mvoice.vwp

- - - - - - - > 'lsass.exe'(416)
c:\program files\AntivirusFirewall\FWES\Program\fsdc.dll

- - - - - - - > 'csrss.exe'(336)
c:\program files\AntivirusFirewall\FWES\Program\fsdc.dll
.
End time: 2009-03-05 14:04:35
ComboFix-quarantined-files.txt 2009-03-05 13:04:32

Before-CF: 7766097920 bytes free
After-CF: 8,632,745,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

200 --- E O F --- 2009-02-26 20:29:57
0
Prun's
 
a note: a FOUND folder is always present (on my external drive) and "kidnaps" my folders... including my hiking photos (sniff)
0
jfkpresident (Posted messages: 13877, Status: Security contributor)
 
hello;

Tree size is just for viewing the size of folders on your PC and nothing more!

1) download hijackthis here: hijackthis
this is a tool to diagnose your PC.

* Save HJTInstall.exe to your desktop
* Double-click on HJTInstall.exe to launch the program
* By default, it will install to C:\Program Files\Trend Micro\HijackThis
* Accept the license by clicking on the "I Accept" button
* Choose the option "Do a system scan and save a log file"
* Click on "Save log" to save the report that will open in Notepad
* Click on "Edit -> Select All", then on "Edit -> Copy" to copy all the content of the report
* Paste the report you just copied onto this forum
* Do not fix any lines yet, this could prevent your PC from functioning correctly

tutorial generate a report

--
**if I don't respond right away, it's because I also have a job and a family**
0
Prun's (Posted messages: 3, Status: Member)
 
hello

thank you for the information

but why include all this report and where?
0
jfkpresident (Posted messages: 13877, Status: Security contributor)
 
but why put all this report and where?


So that I can analyze the report and for that you need to copy/paste it in your next response.
--
**if I don't reply right away, it's because I also have a job and a family**
0
Prun's
 
Here is the analysis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12:34, on 01/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ANTIVI~1\backweb\6588780\Program\SERVIC~1.EXE
C:\Program Files\AntivirusFirewall\Anti-Virus\fsgk32st.exe
C:\Program Files\AntivirusFirewall\Anti-Virus\FSGK32.EXE
C:\Program Files\AntivirusFirewall\backweb\6588780\program\fsbwsys.exe
C:\Program Files\AntivirusFirewall\Anti-Virus\fssm32.exe
C:\Program Files\AntivirusFirewall\Common\FSMA32.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\AntivirusFirewall\Common\FSMB32.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntivirusFirewall\Common\FCH32.EXE
C:\Program Files\AntivirusFirewall\Anti-Virus\fsqh.exe
C:\Program Files\AntivirusFirewall\Common\FAMEH32.EXE
C:\Program Files\AntivirusFirewall\Anti-Virus\fsrw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AntivirusFirewall\FWES\Program\fsdfwd.exe
C:\Program Files\AntivirusFirewall\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AntivirusFirewall\Common\FSM32.EXE
C:\Program Files\AntivirusFirewall\FSGUI\ispnews.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hpgs2wnf.exe
C:\PROGRA~1\WANADOO\TaskBarIcon.exe
C:\PROGRA~1\ANTIVI~1\ANTI-S~1\fsaw.exe
C:\Program Files\AntivirusFirewall\backweb\6588780\Program\fspex.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AntivirusFirewall\FSGUI\fsguidll.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Toaster.exe
C:\PROGRA~1\Wanadoo\Inactivity.exe
C:\PROGRA~1\Wanadoo\PollingModule.exe
C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bruno\Bureau\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.orange.fr/portail
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~2.DLL
O2 - BHO: Help for Adobe PDF Reader link - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\AntivirusFirewall\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\AntivirusFirewall\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\AntivirusFirewall\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\AntivirusFirewall\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\hpgs2wnd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [homepage.monitor.exe] C:\Program Files\Media-Codec\isamonitor.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Fast Search.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Antivirus Firewall.lnk = C:\Program Files\AntivirusFirewall\backweb\6588780\Program\fspex.exe
O8 - Extra context menu item: &Block this ad window - C:\Program Files\AntivirusFirewall\Anti-Spyware\blockpopups.htm
O9 - Extra button: Internet Explorer Protection - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\AntivirusFirewall\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menu item: Internet Explorer Protection... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\AntivirusFirewall\Anti-Spyware\ieshield.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menu item: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menu item: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E49A9FCB-FAA9-4C1F-A1C1-54920DA2CCA4} - http://es6-scripts.dlv4.com/binaries/egauth4/egauth4_1052_FR_XP.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Antivirus Firewall (BackWeb Plug-in - 6588780) - Securitoo Portal - C:\PROGRA~1\ANTIVI~1\backweb\6588780\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\AntivirusFirewall\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\AntivirusFirewall\backweb\6588780\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\AntivirusFirewall\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\AntivirusFirewall\Common\FSMA32.EXE
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9362 bytes

Good luck and thank you
0
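The HijackThis log above is a flat text format that lends itself to mechanical triage before a human reads it line by line. The following Python script is an added example, not code from this thread or from HijackThis itself: it parses the O4 (autorun) and O23 (service) line kinds, extracts the executable each entry launches, and flags the entries a reviewer would look at first (executables started from the drive root, bare filenames resolved through the startup folder or PATH, paths outside Windows and Program Files, and entries under the Policies\Explorer\Run key). The sample lines are constructed from the log posted above, and the expansion of %systemroot% to C:\WINDOWS and the flagging rules are assumptions of the example, not something the log states.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread, plus lines of other kinds that the parser deliberately ignores.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\AntivirusFirewall\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\hpgs2wnd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [homepage.monitor.exe] C:\Program Files\Media-Codec\isamonitor.exe
O4 - Global Startup: PowerReg Scheduler V3.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O4 registry Run entries: "O4 - <hive>\..\<key>: [<name>] <command line>"
REG_RUN = re.compile(r'^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 startup-folder entries, with or without an " = <target>" part
STARTUP = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?)(?: = (?P<cmd>.+))?$')
# O23 services: "<name> - <vendor> - <path>", split from the right
SERVICE = re.compile(r'^O23 - Service: (?P<rest>.+)$')
# Shortest prefix ending in an executable-looking extension; spaces are allowed
# because unquoted "C:\Program Files\..." paths are common in these logs.
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|com|dll|cmd|bat|scr|pif))(?=\s|$)', re.IGNORECASE)

# Assumed host values for variable expansion (constructed for this example).
ENV_VARS = {'%systemroot%': 'C:\\WINDOWS', '%windir%': 'C:\\WINDOWS',
            '%programfiles%': 'C:\\Program Files'}
STANDARD_PREFIXES = ('c:\\windows\\', 'c:\\program files\\')


@dataclass
class Entry:
    kind: str       # 'registry', 'startup' or 'service'
    name: str
    location: str   # registry key, startup folder scope, or service vendor
    path: str       # executable the entry launches, as written in the log


def extract_path(cmd: str) -> str:
    """Pull the executable out of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m['path']
    return cmd.split(' ', 1)[0]      # no known extension: first token


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_RUN.match(line)
        if m:
            entries.append(Entry('registry', m['name'], m['hive'] + '\\' + m['key'],
                                 extract_path(m['cmd'])))
            continue
        m = STARTUP.match(line)
        if m:
            # A startup-folder item without " = target" is the file itself.
            entries.append(Entry('startup', m['name'], m['scope'],
                                 extract_path(m['cmd'] or m['name'])))
            continue
        m = SERVICE.match(line)
        if m:
            parts = m['rest'].rsplit(' - ', 2)
            if len(parts) == 3:
                name, vendor, cmd = parts
                entries.append(Entry('service', name, vendor, extract_path(cmd)))
    return entries


def expand_env(path: str) -> str:
    low = path.lower()
    for var, value in ENV_VARS.items():
        if low.startswith(var):
            return value + path[len(var):]
    return path


def classify(path: str) -> str:
    """Where does the executable live? ntpath keeps this correct on any OS."""
    p = expand_env(path).lower()
    if '\\' not in p:
        return 'bare filename'
    if p.startswith(STANDARD_PREFIXES):
        return 'standard location'
    drive, _ = ntpath.splitdrive(p)
    if drive and ntpath.dirname(p) == drive + '\\':
        return 'drive root'
    return 'non-standard location'


def review(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every entry worth a second look."""
    findings = []
    for e in parse_hjt(text):
        reasons = []
        verdict = classify(e.path)
        if verdict != 'standard location':
            reasons.append(verdict)
        if e.kind == 'registry' and 'policies\\explorer\\run' in e.location.lower():
            reasons.append('policy Run key, rarely used by ordinary installers')
        if reasons:
            findings.append((e.name, e.path, reasons))
    return findings


if __name__ == '__main__':
    for name, path, reasons in review(SAMPLE_LOG):
        print(f'{name:32} {path:48} {"; ".join(reasons)}')
```

Location alone is a weak signal: a legitimate program can sit at the drive root and an unwanted one can live under Program Files, so the flagged list is a reading order for the human reviewer, not a verdict. Pointing the script at a full saved log (`review(open('hijackthis.log').read())`) gives the same short list for a real machine.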
jfkpresident (Posted messages: 13877, Status: Security contributor)
 
re;)

Download smitfraudfix
Utility by S!Ri, Moe and balltrap34

Install it at the root of C: (usage tutorial)
Double-click on the exe to decompress it and launch the fix.
Usage, option 1 (Search):
Double-click on smitfraudfix.cmd
Select 1 to create a report of the files responsible for the infection.

Do not do anything else without our advice

Copy/paste the REPORT in your next reply to this post please.

Process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility designed to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...) hence the alert issued by these antivirus programs.

help with images
--
**if I don't reply immediately, it's because I also have a job and a family**
0
Prun's
 
here is the continuation ...

SmitFraudFix v2.399

Report made at 19:53:41.77, 04/03/2009
Executed from C:\My Documents\Bruno LADEVEZE\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The file system type is FAT32
Fix executed in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntivirusFirewall\Anti-Virus\fsgk32st.exe
C:\Program Files\AntivirusFirewall\Anti-Virus\FSGK32.EXE
C:\Program Files\AntivirusFirewall\backweb\6588780\program\fsbwsys.exe
C:\Program Files\AntivirusFirewall\Anti-Virus\fssm32.exe
C:\Program Files\AntivirusFirewall\Common\FSMA32.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\AntivirusFirewall\Common\FSMB32.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntivirusFirewall\Common\FCH32.EXE
C:\Program Files\AntivirusFirewall\Anti-Virus\fsqh.exe
C:\Program Files\AntivirusFirewall\Common\FAMEH32.EXE
C:\Program Files\AntivirusFirewall\Anti-Virus\fsrw.exe
C:\Program Files\AntivirusFirewall\FWES\Program\fsdfwd.exe
C:\Program Files\AntivirusFirewall\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AntivirusFirewall\Common\FSM32.EXE
C:\Program Files\AntivirusFirewall\FSGUI\ispnews.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hpgs2wnf.exe
C:\PROGRA~1\WANADOO\TaskBarIcon.exe
C:\PROGRA~1\ANTIVI~1\ANTI-S~1\fsaw.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AntivirusFirewall\FSGUI\fsguidll.exe
C:\Program Files\AntivirusFirewall\backweb\6588780\Program\fspex.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bruno


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Bruno\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bruno\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRUNO\FAVORIS

C:\DOCUME~1\BRUNO\FAVORIS\Online Security Test.url PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop items

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My homepage"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, the keys that follow are not necessarily infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, the keys that follow are not necessarily infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, the keys that follow are not necessarily infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, the keys that follow are not necessarily infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, the keys that follow are not necessarily infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, the keys that follow are not necessarily infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, the keys that follow are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, the keys that follow are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Accton EN1207D-TX PCI Fast Ethernet card
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7263C6DB-FA0B-4370-9FCD-6B73A6AF6A64}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7263C6DB-FA0B-4370-9FCD-6B73A6AF6A64}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7263C6DB-FA0B-4370-9FCD-6B73A6AF6A64}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Searching for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
0
jfkpresident (Posted messages: 13877, Status: Security contributor)
 
Download RAV ANTIVIRUS by Evosla:
http://ww25.evosla.com/compteur.php?soft=rav_antivirus

--- Extract it (right-click >> Extract here) and double-click on the RAV.exe file

--- Connect your removable drives (USB key, memory stick, external hard drive, ...);

--- once RAV ANTIVIRUS is launched, let it run: it will automatically scan all drives (fixed and removable).

--- if a virus is found, a log will be created, otherwise nothing will happen and the software will display "Your Computer is Healthy".

--- Remove the removable drives and restart the computer.
--
**if I don't respond right away, it's because I also have a job and a family**
0
Prun's
 
Hi

RAV worked, but now the famous file has disappeared...and my folders along with it (I thought I could recover something...)

now, I feel like my PC is even slower!

what about the different reports?

on another note, my external drive still shows 123 GB used even though there seems to be nothing left?
0
jfkpresident (Posted messages: 13877, Status: Security contributor)
 
You will need to analyze one or more suspicious file(s)!

They may be located in the system's "hidden folders."
So you need to make them visible for the scan.

To display hidden folders and files:

Control Panel > Folder Options > View tab.

Check Show hidden files and folders,
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files.
A warning message will appear. Click OK to confirm your choice.
The system's hidden files and folders will then appear faded in Windows Explorer.

Go to this site:

https://www.virustotal.com/gui/

Click on browse and search for these files:
c:\windows\SYSTEM32\wininet.dll
c:\program files\folder.htt

Click on Send File.

A report will be generated line by line.

Wait for it to finish. It should include the size of the sent file.

Save the report with Notepad.

Copy it into your response.

--
**if I don't reply immediately, it's because I also have a job and a family**
0