[Virus] Trojan - Spyware ...

Solved
CurLy64 (Member)
Hi,

For once, I’m the one who needs help...

I've had a virus (trojan) and other nasty stuff for a few days now, so first I'm posting the alert messages from Symantec AntiVirus:

08/08/2007 15:59:28,ddlbbcas.exe,Downloader,File,Deleted,E98GNC002A,low,C:\WINDOWS\system32\,Deleted,Deleted,Cleaning the virus from the file,Delete the infected file,Manual scan,The file has been deleted.
08/08/2007 13:23:11,kcehc_eicooc20070702[1],Trojan.Vundo,File,Deleted,E98GNC002A,low,C:\Documents and Settings\janeau\Local Settings\Temporary Internet Files\Content.IE5\RI07V1O1\,Deleted,Deleted,Cleaning the virus from the file,Delete the infected file,Auto-Protect scan,The file has been deleted.
08/08/2007 13:20:51,masiyxanidi[2],Downloader,File,Kept,E98GNC002A,low,C:\Documents and Settings\janeau\Local Settings\Temporary Internet Files\Content.IE5\4TUR0HQB\,Infected,C:\Documents and Settings\janeau\Local Settings\Temporary Internet Files\Content.IE5\4TUR0HQB\,Cleaning the virus from the file,Delete the infected file,Auto-Protect scan,The file has not been modified.

That's roughly what it looks like... it’s Downloader and Trojan.Vundo. I've rebooted in safe mode, scanned with Symantec, deleted temporary files, scanned with The Cleaner, Ad-Aware, Spybot, and I still have these nasty bits...

I’m also providing the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:21:45, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\4760\Netscape\server5\bin\https\bin\ns-httpd.exe
c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
c:\4760\Netscape\server5\bin\https\bin\httpd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\4760\Netscape\server5\bin\slapd\server\ns-slapd.exe
c:\4760\Netscape\server5\bin\slapd\server\slapd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\4760\bin\svc_mgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\Client ICA\ssonsvr.exe
C:\Documents and Settings\janeau\Application Data\explorer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\InstantTimeZone\InstantTimeZone.exe
C:\applics\Launcher400\LNCsrv.exe
C:\applics\Launcher400\LNCadm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
C:\Program Files\Alcatel_PIMphony\aocphone.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Webshots\webshots.scr
c:\4760\apache2\bin\apache.exe
C:\Program Files\Messenger\msmsgs.exe
C:\4760\apache2\bin\apache.exe
c:\4760\bin\ExecdEx.exe
c:\4760\bin\extractor.exe
c:\4760\bin\LicenseServer.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
c:\4760\bin\save_restore.exe
c:\4760\bin\scheduler.exe
c:\4760\bin\SecurityServer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
c:\4760\bin\ns_service.exe
c:\4760\bin\ComServer.exe
c:\4760\bin\cmisd.exe
c:\4760\bin\FaultManager.exe
c:\4760\bin\GCSAdmin.exe
c:\4760\bin\GCSConfig.exe
c:\4760\bin\loader.exe
c:\4760\bin\SyncLdapPbx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alcatel_PIMphony\UAProc.exe
C:\Program Files\Alcatel_PIMphony\abers.exe
C:\WINDOWS\System32\rsvp.exe
U:\-= truc =-\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\janeau\Application Data\explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - C:\WINDOWS\system32\tuvtqno.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A2B5476A-23EB-4180-9C40-49ABF9615620} - C:\WINDOWS\system32\geede.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\uvbubsbh.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Receiver] C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cddvgtqd.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Notes 6.5.lnk = C:\Program Files\lotus\notes\notes.exe
O4 - Startup: MSN Pictures Displayer.lnk = C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
O4 - Startup: PIMphony.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: InstantTimeZone.lnk = C:\Program Files\InstantTimeZone\InstantTimeZone.exe
O4 - Global Startup: Quick launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launcher400.LNK = C:\applics\Launcher400\LNCsrv.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105936747789
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\Software\..\Telephony: DomainName = intra.groupama.nc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: tuvtqno - C:\WINDOWS\SYSTEM32\tuvtqno.dll
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll
O22 - SharedTaskScheduler: Pre-loader Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component category cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - c:/4760/Netscape/server5/bin/https/bin/ns-httpd.exe
O23 - Service: NMC Alarm server (AlarmServer) - Unknown owner - c:\4760\bin\FaultManager.exe
O23 - Service: Apache - Apache Software Foundation - c:\4760\apache2\bin\apache.exe
O23 - Service: NMC50 Database (ASANYs_nmc50) - iAnywhere Solutions, Inc. - c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMC CMISE server (Cmisd) - Unknown owner - c:\4760\bin\cmisd.exe
O23 - Service: NMC Communication Server (ComServer) - Unknown owner - c:\4760\bin\ComServer.exe
O23 - Service: Remote Command Function of iSeries Access for Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administration Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: NMC executables launcher (ExecdEx) - Unknown owner - c:\4760\bin\ExecdEx.exe
O23 - Service: NMC extractor (Extractor) - Unknown owner - c:\4760\bin\extractor.exe
O23 - Service: NMC GCS administration server (GCSAdmin) - Unknown owner - c:\4760\bin\GCSAdmin.exe
O23 - Service: NMC GCS config server (GCSConfig) - Unknown owner - c:\4760\bin\GCSConfig.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CD Burning COM Service IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMC License server (LicenseServer) - Unknown owner - c:\4760\bin\LicenseServer.exe
O23 - Service: NMC Loader (Loader) - Unknown owner - c:\4760\bin\loader.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: ORBacus Notify Service (NotifyService) - Unknown owner - c:\4760\bin\ns_service.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: NMC Save/Restore (SaveRestore) - Unknown owner - c:\4760\bin\save_restore.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: NMC Scheduler (Scheduler) - Unknown owner - c:\4760\bin\scheduler.exe
O23 - Service: NMC Security Server (SecurityServer) - Unknown owner - c:\4760\bin\SecurityServer.exe
O23 - Service: ServiceOMC - Unknown owner - C:\WINDOWS\system32\ServiceOMC.exe
O23 - Service: Sun ONE Directory Server 5.2 (4760) (slapd-4760) - Unknown owner - c:\4760\Netscape\server5/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: NMC Service Manager (svc_mgr) - Unknown owner - c:\4760\bin\svc_mgr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NMC Pbx/Ldap synchronization (SyncLdapPbx) - Unknown owner - c:\4760\bin\SyncLdapPbx.exe
O23 - Service: Performance Logs & Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 12952 bytes

Knowing that I've already deleted the explorer.exe file contained in Application Data (it had no reason to be there Oo')

Thanks for your help :)
Configuration: Windows XP / Firefox 2.0.0.6

18 answers

Regis59 (Security Contributor):

Hello

Download VundoFix.exe (by Atribune) to your Desktop.
http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to launch it.
Click the Scan for Vundo button.
When the scan is complete, click the Remove Vundo button.
A prompt will ask if you want to delete the files; click YES.
After clicking "Yes", the Desktop will disappear for a moment while the files are deleted.
You will then see a prompt notifying you that your PC will shut down ("shutdown"); click OK.
Restart your PC.
Copy/paste the contents of the report located in C:\vundofix.txt along with a new HijackThis! report in your next reply.

See you soon
--
"I had a dream of a better world...Without differences of color...Equality..."-MLK-
CurLy64 (Member):

Here is the log of VundoFix:

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.6
Old versions of Java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of Java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:37:51 09/08/2007

Listing files found while scanning....

C:\windows\system32\cddvgtqd.dll
C:\windows\system32\cxreuxnq.ini
C:\WINDOWS\system32\dqtgvddc.ini
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\geede.dll
C:\windows\system32\ivxbovqj.ini
C:\windows\system32\jqvobxvi.dll
C:\windows\system32\qnxuerxc.dll
C:\WINDOWS\system32\tuvtqno.dll
C:\WINDOWS\system32\uvbubsbh.dll

Beginning removal...

Attempting to delete C:\windows\system32\cddvgtqd.dll
C:\windows\system32\cddvgtqd.dll Has been deleted!

Attempting to delete C:\windows\system32\cxreuxnq.ini
C:\windows\system32\cxreuxnq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dqtgvddc.ini
C:\WINDOWS\system32\dqtgvddc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.dll Has been deleted!

Attempting to delete C:\windows\system32\ivxbovqj.ini
C:\windows\system32\ivxbovqj.ini Has been deleted!

Attempting to delete C:\windows\system32\jqvobxvi.dll
C:\windows\system32\jqvobxvi.dll Has been deleted!

Attempting to delete C:\windows\system32\qnxuerxc.dll
C:\windows\system32\qnxuerxc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvtqno.dll
C:\WINDOWS\system32\tuvtqno.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\uvbubsbh.dll
C:\WINDOWS\system32\uvbubsbh.dll Has been deleted!

Performing Repairs to the registry.
Done!

And the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:52:10, on 09/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\4760\Netscape\server5\bin\https\bin\ns-httpd.exe
c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
c:\4760\Netscape\server5\bin\https\bin\httpd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\fdvrtblq.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\4760\Netscape\server5\bin\slapd\server\ns-slapd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\4760\Netscape\server5\bin\slapd\server\slapd.exe
c:\4760\bin\svc_mgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Citrix\Client ICA\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\InstantTimeZone\InstantTimeZone.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\applics\Launcher400\LNCsrv.exe
C:\applics\Launcher400\LNCadm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
C:\Program Files\Alcatel_PIMphony\aocphone.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
c:\4760\apache2\bin\apache.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\4760\apache2\bin\apache.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
c:\4760\bin\ExecdEx.exe
c:\4760\bin\extractor.exe
C:\Program Files\Alcatel_PIMphony\UAProc.exe
C:\WINDOWS\System32\rsvp.exe
c:\4760\bin\LicenseServer.exe
C:\Program Files\Alcatel_PIMphony\abers.exe
c:\4760\bin\save_restore.exe
c:\4760\bin\scheduler.exe
c:\4760\bin\SecurityServer.exe
c:\4760\bin\ns_service.exe
c:\4760\bin\ComServer.exe
c:\4760\bin\cmisd.exe
c:\4760\bin\FaultManager.exe
c:\4760\bin\GCSAdmin.exe
c:\4760\bin\GCSConfig.exe
c:\4760\bin\loader.exe
c:\4760\bin\SyncLdapPbx.exe
C:\Documents and Settings\janeau\Bureau\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\janeau\Application Data\explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C8C729FD-9C9F-4D53-A419-EC5101ED52AF} - C:\WINDOWS\system32\geede.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Receiver] C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Notes 6.5.lnk = C:\Program Files\lotus\notes\notes.exe
O4 - Startup: MSN Pictures Displayer.lnk = C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
O4 - Startup: PIMphony.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: InstantTimeZone.lnk = C:\Program Files\InstantTimeZone\InstantTimeZone.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launcher400.LNK = C:\applics\Launcher400\LNCsrv.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105936747789
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\Software\..\Telephony: DomainName = intra.groupama.nc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O20 - Winlogon Notify: winbjt32 - C:\WINDOWS\SYSTEM32\winbjt32.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - c:/4760/Netscape/server5/bin/https/bin/ns-httpd.exe
O23 - Service: NMC Alarm server (AlarmServer) - Unknown owner - c:\4760\bin\FaultManager.exe
O23 - Service: Apache - Apache Software Foundation - c:\4760\apache2\bin\apache.exe
O23 - Service: NMC50 Database (ASANYs_nmc50) - iAnywhere Solutions, Inc. - c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
O23 - Service: Service Bonjour (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: NMC CMISE server (Cmisd) - Unknown owner - c:\4760\bin\cmisd.exe
O23 - Service: NMC Communication Server (ComServer) - Unknown owner - c:\4760\bin\ComServer.exe
O23 - Service: Fonction Commande à distance d'iSeries Access for Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\fdvrtblq.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: NMC executables launcher (ExecdEx) - Unknown owner - c:\4760\bin\ExecdEx.exe
O23 - Service: NMC extractor (Extractor) - Unknown owner - c:\4760\bin\extractor.exe
O23 - Service: NMC GCS administration server (GCSAdmin) - Unknown owner - c:\4760\bin\GCSAdmin.exe
O23 - Service: NMC GCS config server (GCSConfig) - Unknown owner - c:\4760\bin\GCSConfig.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMC License server (LicenseServer) - Unknown owner - c:\4760\bin\LicenseServer.exe
O23 - Service: NMC Loader (Loader) - Unknown owner - c:\4760\bin\loader.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: ORBacus Notify Service (NotifyService) - Unknown owner - c:\4760\bin\ns_service.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: NMC Save/Restore (SaveRestore) - Unknown owner - c:\4760\bin\save_restore.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: NMC Scheduler (Scheduler) - Unknown owner - c:\4760\bin\scheduler.exe
O23 - Service: NMC Security Server (SecurityServer) - Unknown owner - c:\4760\bin\SecurityServer.exe
O23 - Service: ServiceOMC - Unknown owner - C:\WINDOWS\system32\ServiceOMC.exe
O23 - Service: Sun ONE Directory Server 5.2 (4760) (slapd-4760) - Unknown owner - c:\4760\Netscape\server5/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: NMC Service Manager (svc_mgr) - Unknown owner - c:\4760\bin\svc_mgr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NMC Pbx/Ldap synchronization (SyncLdapPbx) - Unknown owner - c:\4760\bin\SyncLdapPbx.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 12637 bytes

It successfully deleted the infected files :)

Thank you very much for your help Regis59 :p
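The helper in this thread triages the HijackThis output by eye. As an added example that is not part of the thread or of HijackThis itself, the following Python script applies the same kinds of indicators to a few lines copied from the logs posted above: a core Windows binary running from a user profile, an extra UserInit entry, a nameless BHO in system32, a rundll32 autorun, any Winlogon Notify hook, an alternate data stream in a service image path, and a service with a blank owner field. The rule wording, the list of system binaries and the sample lines are my own assumptions.

```python
# Added example (not a tool from this thread or from HijackThis): heuristic triage of
# HijackThis-style log lines, modelled on the indicators the helper acted on above.
# Rule wording, the system-binary list and the sample lines are my own assumptions.
import re
from dataclasses import dataclass

# Core Windows binaries that have no business running from a user profile directory.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "csrss.exe", "smss.exe", "userinit.exe"}

@dataclass
class Finding:
    rule: str  # indicator that fired
    line: str  # log line it fired on

def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def _in_system32(path):
    return "\\windows\\system32\\" in path.lower()

def _has_ads(path):
    # A second ':' after the drive colon is an NTFS alternate data stream (svchost.exe:exe.exe).
    return len(path) > 2 and path[1] == ":" and ":" in path[2:]

def check_process(line):
    # Bare path from the "Running processes" section.
    if _basename(line) in SYSTEM_BINARIES and "\\windows\\" not in line.lower():
        return Finding("system binary running outside \\WINDOWS", line)

def check_userinit(line):
    # F2 - REG:system.ini: UserInit=<comma-separated programs>; only userinit.exe belongs there.
    if "UserInit=" not in line:
        return None
    entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
    extra = [e for e in entries if _basename(e) != "userinit.exe" or not _in_system32(e)]
    if extra:
        return Finding("extra UserInit entry: " + "; ".join(extra), line)

def check_bho(line):
    # O2 - BHO: <name> - {CLSID} - <dll>; a nameless BHO living in system32 is suspect.
    m = re.match(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", line)
    if m and m.group(1) == "(no name)" and _in_system32(m.group(2)):
        return Finding("unnamed BHO loading from system32", line)

def check_run(line):
    # O4 - <hive>\..\Run: [<value>] <command>; rundll32 calling an export of a system32 DLL.
    m = re.match(r"O4 - .*?\\Run: \[[^\]]*\] (.*)$", line)
    if m and m.group(1).lower().startswith("rundll32") and _in_system32(m.group(1)):
        return Finding("rundll32 autorun loading a system32 DLL", line)

def check_winlogon_notify(line):
    # O20 - Winlogon Notify: <name> - <dll>; winlogon loads every one of these, so review all.
    if line.startswith("O20 - Winlogon Notify:"):
        return Finding("Winlogon Notify DLL (review)", line)

def check_service(line):
    # O23 - Service: <display (name)> - <owner> - <image path>
    m = re.match(r"O23 - Service: (?P<name>.+?) -(?: (?P<owner>.*?))? - (?P<path>[A-Za-z]:.*)$", line)
    if not m:
        return None
    if _has_ads(m.group("path")):
        return Finding("service image path contains an alternate data stream", line)
    # "Unknown owner" is HijackThis's normal wording; a blank owner field is not.
    if not (m.group("owner") or "").strip():
        return Finding("service with a blank owner field", line)

CHECKS = {"F2": check_userinit, "O2": check_bho, "O4": check_run,
          "O20": check_winlogon_notify, "O23": check_service}

def triage(log_text):
    """Run every check over a log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"[A-Za-z]:\\", line):  # bare path: a running process
            finding = check_process(line)
        else:
            check = CHECKS.get(line.split(" - ", 1)[0])
            finding = check(line) if check else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\janeau\Application Data\explorer.exe
C:\WINDOWS\Explorer.EXE
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\janeau\Application Data\explorer.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A4A2D56-931A-4733-9121-033A2D95A274} - C:\WINDOWS\system32\tuvtqno.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cddvgtqd.dll",forkonce
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\fdvrtblq.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Every hit is a lead for review rather than a verdict; the Spybot BHO and the vptray autorun in the sample pass precisely because they do not match any of the structural indicators.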
Regis59 (Security Contributor):

Re,

We're continuing...

Download ComboFix (by sUBs):
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save it on your desktop and nowhere else!

Double-click on ComboFix. It will ask you a question; respond by pressing 1 and then Enter to confirm.
Wait for combofix to finish, a report will be generated. Post the report.

--
"I dreamed of a better world...Without differences in color...Equality..."-MLK-
CurLy64 (Member):

Here is the log:

ComboFix 07-08-09.3 - "bas" 2007-08-10 9:09:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1036.18.138 [GMT 11:00]
* Created a new restore point

ADS removed - svchost.exe: deleted 58880 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\ASPI32.EXE
C:\WINDOWS\system32\winbjt32.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_ASC3550U
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_ICF
-------\LEGACY_NPF
-------\DomainService
-------\ICF
-------\SysLibrary

((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))

2007-08-10 09:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 08:23 <REP> d-------- C:\Program Files\Windows Live
2007-08-10 08:22 <REP> d-------- C:\Program Files\MessengerDiscovery
2007-08-09 12:16 <REP> d-------- C:\Program Files\MegauploadToolbar
2007-08-09 12:16 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\MegauploadToolbar
2007-08-09 10:37 75,328 --a------ C:\WINDOWS\system32\fdvrtblq.exe
2007-08-09 10:37 <REP> d-------- C:\VundoFix Backups
2007-08-07 11:27 <REP> d-------- C:\Program Files\The Cleaner
2007-08-06 14:45 <REP> d-------- C:\Program Files\Lavasoft
2007-08-06 14:45 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-06 14:44 <REP> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 09:11 <REP> d-------- C:\Program Files\RegCleaner
2007-08-03 12:49 <REP> d-------- C:\pps
2007-07-25 12:04 <REP> d-------- C:\Program Files\PhotoFiltre
2007-07-25 10:29 <REP> d-------- C:\DOCUME~1\janeau\A4902Logs
2007-07-23 10:57 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\vlc
2007-07-23 09:29 <REP> d-------- C:\Program Files\VideoLAN
2007-07-16 16:09 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\Alcatel PIMphony
2007-07-16 15:48 <REP> d-------- C:\Program Files\Nice Recorder
2007-07-16 15:43 <REP> d-------- C:\Program Files\FuzLez
2007-07-16 15:43 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\FuzLez
2007-07-16 15:40 <REP> d-------- C:\My Recordings
2007-07-16 15:39 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-16 14:41 <REP> d-------- C:\Program Files\Audacity
2007-07-13 14:04 <REP> d-------- C:\Program Files\Cain
2007-07-13 13:19 39,424 --a------ C:\WINDOWS\zipinst.exe
2007-07-13 13:19 <REP> d-------- C:\Program Files\MessenPass
2007-07-13 08:56 <REP> d-------- C:\crark31
2007-07-11 14:49 <REP> d-------- C:\WhoLockMe104
2007-07-11 14:48 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-10 09:14 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-10 09:12 --------- d-------- C:\Program Files\mIRC
2007-08-10 08:23 --------- d-------- C:\Program Files\MSN Messenger
2007-08-10 07:30 --------- d-------- C:\Program Files\Alcatel_PIMphony
2007-08-08 16:32 --------- d-------- C:\Program Files\Bonjour
2007-08-07 15:22 0 --a------ C:\CONFIG.SYS
2007-08-07 15:22 0 --a------ C:\AUTOEXEC.BAT
2007-08-06 13:31 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-06 13:31 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-25 11:39 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\gtk-2.0
2007-07-23 12:58 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\U3
2007-07-02 09:06 --------- d-------- C:\Program Files\Webshots
2007-07-02 09:06 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\Webshots
2007-07-02 08:33 74752 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-02 08:33 290816 --------- C:\WINDOWS\Setup1.exe
2007-07-02 08:33 --------- d-------- C:\Program Files\SwitchWallPaper
2007-06-29 10:17 --------- d-------- C:\Program Files\MSN Pictures Displayer
2007-06-29 09:56 446976 --a------ C:\WINDOWS\system32\ShellMPD.dll
2007-06-29 09:56 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\MSN Pictures Displayer
2007-06-28 14:09 --------- d-------- C:\Program Files\PSPad editor
2007-06-28 14:09 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\WaterProof
2007-06-28 14:08 --------- d-------- C:\Program Files\WaterProof
2007-06-27 10:38 --------- d-------- C:\Program Files\Look@LAN
2007-06-27 10:32 720896 --a------ C:\WINDOWS\iun6002.exe
2007-06-26 14:40 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\X-Chat 2
2007-06-21 12:05 --------- d-------- C:\Program Files\InstantTimeZone
2007-06-20 08:23 45 ---h----- C:\WINDOWS\dsez2661.dat
2007-06-19 08:45 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\ICAClient
2007-06-19 08:32 --------- d-------- C:\Program Files\Citrix

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8C729FD-9C9F-4D53-A419-EC5101ED52AF}]
C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-09-30 15:41]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-09-30 15:37]
"SetRefresh"="C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 18:01]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-31 15:46]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 05:20]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 05:20]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-05-07 05:20]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 05:20]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2000-09-28 19:52]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2004-06-20 20:45]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"Receiver"="C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe" [2004-11-12 10:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-15 16:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09]
"PerSonoCall"="C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" [2004-12-09 11:03]

C:\Documents and Settings\janeau\Start Menu\Programs\Startup\
Lotus Notes 6.5.lnk - C:\Program Files\lotus\notes\notes.exe [2004-09-15 05:39:00]
MSN Pictures Displayer.lnk - C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe [2007-06-29 09:56:23]
PIMphony.lnk - C:\Program Files\Alcatel_PIMphony\aocphone.exe [2007-05-16 09:11:24]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-07-02 09:06:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InstantTimeZone.lnk - C:\Program Files\InstantTimeZone\InstantTimeZone.exe [2006-09-03 02:39:36]
Quick Launch for Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Launcher400.LNK - C:\applics\Launcher400\LNCsrv.exe [2005-09-06 17:16:43]
Windows Live Messenger.lnk - C:\WINDOWS\Installer\{F6326B60-1B1D-4ABF-BFCD-7B7404F44411}\MsblIco.Exe [2007-07-06 09:22:06]

R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ASANYs_nmc50;NMC50 Database;"c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe" -hvASANYs_nmc50
R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\System32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\System32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\System32\drivers\cqcpu.sys
R2 hardlock;hardlock;\??\C:\WINDOWS\system32\drivers\hardlock.sys
R2 slapd-4760;Sun ONE Directory Server 5.2 (4760);c:\4760\Netscape\server5/bin/slapd/server/ns-slapd.exe
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 svc_mgr;NMC Service Manager;"c:\4760\bin\svc_mgr.exe"
R3 ExecdEx;NMC executables launcher;"c:\4760\bin\ExecdEx.exe"
R3 Extractor;NMC extractor;"c:\4760\bin\extractor.exe"
R3 LicenseServer;NMC License server;"c:\4760\bin\LicenseServer.exe"
R3 NotifyService;ORBacus Notify Service;"c:\4760\bin\ns_service.exe"
R3 SaveRestore;NMC Save/Restore;"c:\4760\bin\save_restore.exe"
R3 Scheduler;NMC Scheduler;"c:\4760\bin\scheduler.exe"
R3 SecurityServer;NMC Security Server;"c:\4760\bin\SecurityServer.exe"
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 ServiceOMC;ServiceOMC;C:\WINDOWS\system32\ServiceOMC.exe
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
Start Pending3 ComServer;NMC Communication Server;"c:\4760\bin\ComServer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Kelio\autorun\autorun.exe

*Newly Created Service* - APACHE
*Newly Created Service* - COMSERVER
*Newly Created Service* - EXECDEX
*Newly Created Service* - EXTRACTOR
*Newly Created Service* - LICENSESERVER
*Newly Created Service* - NOTIFYSERVICE
*Newly Created Service* - SAVERESTORE
*Newly Created Service* - SCHEDULER
*Newly Created Service* - SECURITYSERVER

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 09:15:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\admin52-serv]
"ImagePath"="c:/4760/Netscape/server5/bin/https/bin/ns-httpd.exe"

Completion time: 2007-08-10 9:18:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 09:17

--- E O F ---

Thank you again :)
0
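The report above carries three things a responder reads first: the ADS line (a 58880-byte alternate data stream was attached to svchost.exe), the dated "Files Created" entries (a 75,328-byte fdvrtblq.exe written to system32 on 2007-08-09, the day before the run), and the orphaned BHO pointing at geede.dll. The script below, added here as an example and not part of ComboFix or of the original post, parses that report format and flags those patterns automatically. The sample input is copied from the report above; the "random-looking name" thresholds and the list of executable extensions are my own assumptions, not a published rule.

```python
"""Triage of a ComboFix report (added example; not ComboFix's own code).

Parses the "ADS removed" line and the dated entries in the "Files Created"
and "Find3M" sections, and flags: an alternate data stream stripped from a
system binary, executables freshly written under the Windows directory, and
file names that look machine-generated (Vundo-style droppers such as
fdvrtblq.exe). Thresholds in looks_random() are assumptions.
"""
import re
from dataclasses import dataclass

# Extensions that get a look when they appear under C:\WINDOWS (assumption).
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}

# "2007-08-09 10:37 75,328 --a------ C:\WINDOWS\system32\fdvrtblq.exe"
# The size field is a number, <REP>/<DIR> for a directory, or dashes in Find3M lines.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<REP>|<DIR>|-+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)
ADS_LINE = re.compile(
    r"ADS removed - (?P<file>\S+): deleted (?P<bytes>\d+) bytes in (?P<n>\d+) streams?"
)

# Sample input: lines copied from the ComboFix report posted in this thread.
SAMPLE_REPORT = r"""
ComboFix 07-08-09.3 - "bas" 2007-08-10 9:09:17.1 - NTFSx86
ADS removed - svchost.exe: deleted 58880 bytes in 1 streams.
((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))
2007-08-10 09:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 08:23 <REP> d-------- C:\Program Files\Windows Live
2007-08-09 10:37 75,328 --a------ C:\WINDOWS\system32\fdvrtblq.exe
2007-07-16 15:39 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-13 13:19 39,424 --a------ C:\WINDOWS\zipinst.exe
2007-07-11 14:48 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
2007-08-10 09:14 --------- d-------- C:\Program Files\Symantec AntiVirus
"""


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    detail: str = ""


def looks_random(stem: str) -> bool:
    """A name with six or more letters and no vowel, or a run of six or more
    consonants, is treated as generated. The thresholds are an assumption: they
    catch fdvrtblq and ddlbbcas but let msvcr70, nircmd and svchost through."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    if len(letters) >= 6 and not any(c in "aeiou" for c in letters):
        return True
    run = longest = 0
    for c in s:
        if c.isalpha() and c not in "aeiou":
            run += 1
            longest = max(longest, run)
        else:
            run = 0  # vowels, digits and punctuation break the run
    return longest >= 6


def triage(report: str) -> list[Finding]:
    """Walk a ComboFix report and return the entries worth a second look."""
    findings: list[Finding] = []
    for line in report.splitlines():
        m = ADS_LINE.search(line)
        if m:
            findings.append(Finding(m["file"], "ads_removed",
                                    f"{m['bytes']} bytes in {m['n']} stream(s)"))
            continue
        m = FILE_LINE.match(line)
        if not m or m["attrs"].startswith("d"):
            continue  # not a file entry, or a directory
        path = m["path"]
        name = path.rsplit("\\", 1)[-1]
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        if "." + ext.lower() in EXEC_EXT and path.lower().startswith("c:\\windows\\"):
            findings.append(Finding(path, "new_windows_executable", f"{m['date']} {m['time']}"))
        if looks_random(stem):
            findings.append(Finding(path, "random_name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason:24} {f.path}  {f.detail}")
```

Run against the sample, the ADS removal and fdvrtblq.exe come out at the top, and every executable written under C:\WINDOWS in the window is listed for a manual look (nircmd.exe is ComboFix's own helper and msvcr70.dll is a Visual C++ runtime, so the list is a triage queue, not a verdict). The name heuristic is deliberately conservative: it misses geede.dll and winbjt32.dll, which is why the location and creation-date checks run independently of it.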
marco
 
Hi, someone is using my MSN account.
Even when I change the password, they get it back.
I must have a program on my machine that they are using.
Help!
The HijackThis log is attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:31:20, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mio Technology\MioSync\mioSync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.free.fr/freebox/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MioSync.lnk = C:\Program Files\Mio Technology\MioSync\mioSync.exe
O8 - Extra context menu item: &Translate from English - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Easy-WebPrint Add to Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Quick Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Linked Pages - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Search &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Current page version available in Google cache - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Allocam Multi Vision - {2D6B57BF-71FA-41A3-BDC5-3B5A25813D2E} - C:\PROGRA~1\ALLOCA~1\allocam.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Allocam Multi Vision - {2D6B57BF-71FA-41A3-BDC5-3B5A25813D2E} - C:\PROGRA~1\ALLOCA~1\allocam.exe (file missing) (HKCU)
O15 - Trusted Zone: *.canalplay.com
O15 - Trusted Zone: *.canalplusactive.com
O15 - Trusted Zone: *.canalplay.com (HKLM)
O15 - Trusted Zone: *.canalplusactive.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {E1AF091A-9F23-4059-89D7-C05EE073285D} (Canal+ Active MSWAY) - https://www.canalplus.com/canalplay/
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 12323 bytes

Thank you, it's very urgent.
0
philae83 Posted messages 12854 Status Security Contributor 206
 
Good evening CurLy64,

Marco,

You need to create a topic for your issue so as not to interfere with this one. Thank you. Someone will come to your aid.

P.S.: Hello Quentin :)
--
There are no shortcuts to places that are worth it - Beverley Sills
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
Hi Catherine,

Thanks :-)

Run a HijackThis again!

See you later
--
"I had a dream of a better world... Without color differences... Equality..." -MLK-
0
CurLy64 Posted messages 71 Status Member 4
 
This morning, my antivirus removed a trojan.vundo in system32 ... it's really persistent, that one :/

Here is a new HiJackThis log as requested:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:43, on 2007-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\4760\Netscape\server5\bin\https\bin\ns-httpd.exe
c:\4760\Netscape\server5\bin\https\bin\httpd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\MSN Messenger\usnsvc.exe
c:\4760\Netscape\server5\bin\slapd\server\ns-slapd.exe
c:\4760\Netscape\server5\bin\slapd\server\slapd.exe
c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
c:\4760\bin\svc_mgr.exe
c:\4760\apache2\bin\apache.exe
C:\4760\apache2\bin\apache.exe
c:\4760\bin\ExecdEx.exe
c:\4760\bin\extractor.exe
c:\4760\bin\LicenseServer.exe
c:\4760\bin\save_restore.exe
c:\4760\bin\scheduler.exe
c:\4760\bin\SecurityServer.exe
c:\4760\bin\ns_service.exe
c:\4760\bin\ComServer.exe
c:\4760\bin\cmisd.exe
c:\4760\bin\FaultManager.exe
c:\4760\bin\GCSAdmin.exe
c:\4760\bin\GCSConfig.exe
c:\4760\bin\loader.exe
c:\4760\bin\SyncLdapPbx.exe
C:\Program Files\Citrix\Client ICA\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\InstantTimeZone\InstantTimeZone.exe
C:\applics\Launcher400\LNCsrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\applics\Launcher400\LNCadm.exe
C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
C:\Program Files\Alcatel_PIMphony\aocphone.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Alcatel_PIMphony\UAProc.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Alcatel_PIMphony\abers.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\janeau\Bureau\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C8C729FD-9C9F-4D53-A419-EC5101ED52AF} - C:\WINDOWS\system32\geede.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Receiver] C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Notes 6.5.lnk = C:\Program Files\lotus\notes\notes.exe
O4 - Startup: MSN Pictures Displayer.lnk = C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
O4 - Startup: PIMphony.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: InstantTimeZone.lnk = C:\Program Files\InstantTimeZone\InstantTimeZone.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launcher400.LNK = C:\applics\Launcher400\LNCsrv.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105936747789
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\Software\..\Telephony: DomainName = intra.groupama.nc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - c:/4760/Netscape/server5/bin/https/bin/ns-httpd.exe
O23 - Service: NMC Alarm server (AlarmServer) - Unknown owner - c:\4760\bin\FaultManager.exe
O23 - Service: Apache - Apache Software Foundation - c:\4760\apache2\bin\apache.exe
O23 - Service: NMC50 Database (ASANYs_nmc50) - iAnywhere Solutions, Inc. - c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
O23 - Service: Service Bonjour (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: NMC CMISE server (Cmisd) - Unknown owner - c:\4760\bin\cmisd.exe
O23 - Service: NMC Communication Server (ComServer) - Unknown owner - c:\4760\bin\ComServer.exe
O23 - Service: Fonction Commande à distance d'iSeries Access for Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: NMC executables launcher (ExecdEx) - Unknown owner - c:\4760\bin\ExecdEx.exe
O23 - Service: NMC extractor (Extractor) - Unknown owner - c:\4760\bin\extractor.exe
O23 - Service: NMC GCS administration server (GCSAdmin) - Unknown owner - c:\4760\bin\GCSAdmin.exe
O23 - Service: NMC GCS config server (GCSConfig) - Unknown owner - c:\4760\bin\GCSConfig.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMC License server (LicenseServer) - Unknown owner - c:\4760\bin\LicenseServer.exe
O23 - Service: NMC Loader (Loader) - Unknown owner - c:\4760\bin\loader.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: ORBacus Notify Service (NotifyService) - Unknown owner - c:\4760\bin\ns_service.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: NMC Save/Restore (SaveRestore) - Unknown owner - c:\4760\bin\save_restore.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: NMC Scheduler (Scheduler) - Unknown owner - c:\4760\bin\scheduler.exe
O23 - Service: NMC Security Server (SecurityServer) - Unknown owner - c:\4760\bin\SecurityServer.exe
O23 - Service: ServiceOMC - Unknown owner - C:\WINDOWS\system32\ServiceOMC.exe
O23 - Service: Sun ONE Directory Server 5.2 (4760) (slapd-4760) - Unknown owner - c:\4760\Netscape\server5/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: NMC Service Manager (svc_mgr) - Unknown owner - c:\4760\bin\svc_mgr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NMC Pbx/Ldap synchronization (SyncLdapPbx) - Unknown owner - c:\4760\bin\SyncLdapPbx.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 12516 bytes


Cheers :)
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
Hi

Post a ComboFix report.

See you!
--
"I had a dream of a better world...Without differences in colors...Equality..."-MLK-
0
CurLy64 Posted messages 71 Status Member 4
 
It's the never-ending story, computerized version :]

ComboFix 07-08-09.3 - "low" 2007-08-14 12:07:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1036.18.150 [GMT 11:00]

((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))

2007-08-10 09:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 08:23 <REP> d-------- C:\Program Files\Windows Live
2007-08-10 08:22 <REP> d-------- C:\Program Files\MessengerDiscovery
2007-08-09 12:16 <REP> d-------- C:\Program Files\MegauploadToolbar
2007-08-09 12:16 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\MegauploadToolbar
2007-08-09 10:37 <REP> d-------- C:\VundoFix Backups
2007-08-07 11:27 <REP> d-------- C:\Program Files\The Cleaner
2007-08-06 14:45 <REP> d-------- C:\Program Files\Lavasoft
2007-08-06 14:45 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-06 14:44 <REP> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 09:11 <REP> d-------- C:\Program Files\RegCleaner
2007-08-03 12:49 <REP> d-------- C:\pps
2007-07-25 12:04 <REP> d-------- C:\Program Files\PhotoFiltre
2007-07-25 10:29 <REP> d-------- C:\DOCUME~1\janeau\A4902Logs
2007-07-23 10:57 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\vlc
2007-07-23 09:29 <REP> d-------- C:\Program Files\VideoLAN
2007-07-16 16:09 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\Alcatel PIMphony
2007-07-16 15:48 <REP> d-------- C:\Program Files\Nice Recorder
2007-07-16 15:43 <REP> d-------- C:\Program Files\FuzLez
2007-07-16 15:43 <REP> d-------- C:\DOCUME~1\janeau\APPLIC~1\FuzLez
2007-07-16 15:40 <REP> d-------- C:\My Recordings
2007-07-16 15:39 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-16 14:41 <REP> d-------- C:\Program Files\Audacity

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 11:47 --------- d-------- C:\Program Files\mIRC
2007-08-14 07:27 --------- d-------- C:\Program Files\Alcatel_PIMphony
2007-08-13 16:45 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-10 08:23 --------- d-------- C:\Program Files\MSN Messenger
2007-08-08 16:32 --------- d-------- C:\Program Files\Bonjour
2007-08-07 15:22 0 --a------ C:\CONFIG.SYS
2007-08-07 15:22 0 --a------ C:\AUTOEXEC.BAT
2007-08-06 13:31 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-06 13:31 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-25 11:39 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\gtk-2.0
2007-07-23 12:58 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\U3
2007-07-13 15:04 --------- d-------- C:\Program Files\Cain
2007-07-13 13:19 39424 --a------ C:\WINDOWS\zipinst.exe
2007-07-13 13:19 --------- d-------- C:\Program Files\MessenPass
2007-07-11 14:52 3888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
2007-07-02 09:06 --------- d-------- C:\Program Files\Webshots
2007-07-02 09:06 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\Webshots
2007-07-02 08:33 74752 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-02 08:33 290816 --------- C:\WINDOWS\Setup1.exe
2007-07-02 08:33 --------- d-------- C:\Program Files\SwitchWallPaper
2007-06-29 10:17 --------- d-------- C:\Program Files\MSN Pictures Displayer
2007-06-29 09:56 446976 --a------ C:\WINDOWS\system32\ShellMPD.dll
2007-06-29 09:56 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\MSN Pictures Displayer
2007-06-28 14:09 --------- d-------- C:\Program Files\PSPad editor
2007-06-28 14:09 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\WaterProof
2007-06-28 14:08 --------- d-------- C:\Program Files\WaterProof
2007-06-27 10:38 --------- d-------- C:\Program Files\Look@LAN
2007-06-27 10:32 720896 --a------ C:\WINDOWS\iun6002.exe
2007-06-26 14:40 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\X-Chat 2
2007-06-21 12:05 --------- d-------- C:\Program Files\InstantTimeZone
2007-06-20 08:23 45 ---h----- C:\WINDOWS\dsez2661.dat
2007-06-19 08:45 --------- d-------- C:\DOCUME~1\janeau\APPLIC~1\ICAClient
2007-06-19 08:32 --------- d-------- C:\Program Files\Citrix

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8C729FD-9C9F-4D53-A419-EC5101ED52AF}]
C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-09-30 15:41]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-09-30 15:37]
"SetRefresh"="C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 18:01]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-31 15:46]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 05:20]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 05:20]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-05-07 05:20]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 05:20]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2000-09-28 19:52]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2004-06-20 20:45]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"Receiver"="C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe" [2004-11-12 10:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-15 16:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09]
"PerSonoCall"="C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" [2004-12-09 11:03]

C:\Documents and Settings\janeau\Start Menu\Programs\Startup\
Lotus Notes 6.5.lnk - C:\Program Files\lotus\notes\notes.exe [2004-09-15 05:39:00]
MSN Pictures Displayer.lnk - C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe [2007-06-29 09:56:23]
PIMphony.lnk - C:\Program Files\Alcatel_PIMphony\aocphone.exe [2007-05-16 09:11:24]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-07-02 09:06:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InstantTimeZone.lnk - C:\Program Files\InstantTimeZone\InstantTimeZone.exe [2006-09-03 02:39:36]
Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Launcher400.LNK - C:\applics\Launcher400\LNCsrv.exe [2005-09-06 17:16:43]
Windows Live Messenger.lnk - C:\WINDOWS\Installer\{F6326B60-1B1D-4ABF-BFCD-7B7404F44411}\MsblIco.Exe [2007-07-06 09:22:06]

R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ASANYs_nmc50;NMC50 Database;"c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe" -hvASANYs_nmc50
R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\System32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\System32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\System32\drivers\cqcpu.sys
R2 hardlock;hardlock;\??\C:\WINDOWS\system32\drivers\hardlock.sys
R2 slapd-4760;Sun ONE Directory Server 5.2 (4760);c:\4760\Netscape\server5/bin/slapd/server/ns-slapd.exe
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 svc_mgr;NMC Service Manager;"c:\4760\bin\svc_mgr.exe"
R3 AlarmServer;NMC Alarm server;"c:\4760\bin\FaultManager.exe"
R3 Cmisd;NMC CMISE server;"c:\4760\bin\cmisd.exe"
R3 ComServer;NMC Communication Server;"c:\4760\bin\ComServer.exe"
R3 ExecdEx;NMC executables launcher;"c:\4760\bin\ExecdEx.exe"
R3 Extractor;NMC extractor;"c:\4760\bin\extractor.exe"
R3 GCSAdmin;NMC GCS administration server;"c:\4760\bin\GCSAdmin.exe"
R3 GCSConfig;NMC GCS config server;"c:\4760\bin\GCSConfig.exe"
R3 LicenseServer;NMC License server;"c:\4760\bin\LicenseServer.exe"
R3 Loader;NMC Loader;"c:\4760\bin\loader.exe"
R3 NotifyService;ORBacus Notify Service;"c:\4760\bin\ns_service.exe"
R3 SaveRestore;NMC Save/Restore;"c:\4760\bin\save_restore.exe"
R3 Scheduler;NMC Scheduler;"c:\4760\bin\scheduler.exe"
R3 SecurityServer;NMC Security Server;"c:\4760\bin\SecurityServer.exe"
R3 SyncLdapPbx;NMC Pbx/Ldap synchronization;"c:\4760\bin\SyncLdapPbx.exe"
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 ServiceOMC;ServiceOMC;C:\WINDOWS\system32\ServiceOMC.exe
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Kelio\autorun\autorun.exe

*Newly Created Service* - ALARMSERVER
*Newly Created Service* - APACHE
*Newly Created Service* - CMISD
*Newly Created Service* - COMSERVER
*Newly Created Service* - EXECDEX
*Newly Created Service* - EXTRACTOR
*Newly Created Service* - GCSADMIN
*Newly Created Service* - GCSCONFIG
*Newly Created Service* - LICENSESERVER
*Newly Created Service* - LOADER
*Newly Created Service* - NOTIFYSERVICE
*Newly Created Service* - SAVERESTORE
*Newly Created Service* - SCHEDULER
*Newly Created Service* - SECURITYSERVER
*Newly Created Service* - SYNCLDAPPBX

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 12:10:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\admin52-serv]
"ImagePath"="c:/4760/Netscape/server5/bin/https/bin/ns-httpd.exe"

Completion time: 2007-08-14 12:11:04
C:\ComboFix-quarantined-files.txt ... 2007-08-14 12:10
C:\ComboFix2.txt ... 2007-08-10 09:18

--- E O F ---


Tata :)
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
Hello,

Go to the site https://virusscan.jotti.org/
- Click "Browse" at the top right, navigate through the folders and select this file: C:\WINDOWS\iun6002.exe
- Click "Submit", also at the top right
- The scan will start; it will take a moment
- At the bottom, you have the scan result, copy/paste the complete scan result here.
Help: https://www.malekal.com/scan-antivirus-ligne-nod32/#mozTocId662799

Then run VundoFix again and copy/paste its report.
Also post a new HijackThis log.

Let me know how your issues are progressing.

See you later
--
"One of the best ways to help someone is to give them responsibilities and make them feel...
0
CurLy64 Posted messages 71 Status Member 4
 
No need for a log in my opinion, it didn't find anything :)

For the past 2 or 3 days I haven't had any alerts or lag; in short, it looks like it's settled.

Thank you very much for your help Regis59, you're the best ;)
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
Hi

We might as well finish the work, right? Make sure everything is okay?

See you!
0
CurLy64 Posted messages 71 Status Member 4
 
Hi,

Well, as you wish, here's a fresh HijackThis log from this morning :)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:35, on 2007-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\4760\Netscape\server5\bin\https\bin\ns-httpd.exe
c:\4760\Netscape\server5\bin\https\bin\httpd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\Client ICA\ssonsvr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InstantTimeZone\InstantTimeZone.exe
C:\applics\Launcher400\LNCsrv.exe
C:\applics\Launcher400\LNCadm.exe
C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
C:\Program Files\Alcatel_PIMphony\aocphone.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Alcatel_PIMphony\UAProc.exe
C:\Program Files\Alcatel_PIMphony\abers.exe
C:\WINDOWS\system32\WISPTIS.EXE
c:\4760\Netscape\server5\bin\slapd\server\ns-slapd.exe
c:\4760\Netscape\server5\bin\slapd\server\slapd.exe
c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
c:\4760\bin\svc_mgr.exe
c:\4760\apache2\bin\apache.exe
C:\4760\apache2\bin\apache.exe
c:\4760\bin\ExecdEx.exe
c:\4760\bin\extractor.exe
c:\4760\bin\LicenseServer.exe
c:\4760\bin\save_restore.exe
c:\4760\bin\scheduler.exe
c:\4760\bin\SecurityServer.exe
c:\4760\bin\ns_service.exe
c:\4760\bin\ComServer.exe
c:\4760\bin\cmisd.exe
c:\4760\bin\FaultManager.exe
c:\4760\bin\GCSAdmin.exe
c:\4760\bin\GCSConfig.exe
c:\4760\bin\loader.exe
c:\4760\bin\SyncLdapPbx.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\janeau\Bureau\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C8C729FD-9C9F-4D53-A419-EC5101ED52AF} - C:\WINDOWS\system32\geede.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Receiver] C:\Program Files\SHARP\PCFAX2\PcfaxRcv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PerSonoCall] "C:\Program Files\Plantronics\PerSonoCall\PerSonoCall.exe" -nosplash
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lotus Notes 6.5.lnk = C:\Program Files\lotus\notes\notes.exe
O4 - Startup: MSN Pictures Displayer.lnk = C:\Program Files\MSN Pictures Displayer\MSN Pictures Displayer.exe
O4 - Startup: PIMphony.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: InstantTimeZone.lnk = C:\Program Files\InstantTimeZone\InstantTimeZone.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launcher400.LNK = C:\applics\Launcher400\LNCsrv.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105936747789
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\Software\..\Telephony: DomainName = intra.groupama.nc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.groupama.nc
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - c:/4760/Netscape/server5/bin/https/bin/ns-httpd.exe
O23 - Service: NMC Alarm server (AlarmServer) - Unknown owner - c:\4760\bin\FaultManager.exe
O23 - Service: Apache - Apache Software Foundation - c:\4760\apache2\bin\apache.exe
O23 - Service: NMC50 Database (ASANYs_nmc50) - iAnywhere Solutions, Inc. - c:\Program Files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe
O23 - Service: Service Bonjour (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: NMC CMISE server (Cmisd) - Unknown owner - c:\4760\bin\cmisd.exe
O23 - Service: NMC Communication Server (ComServer) - Unknown owner - c:\4760\bin\ComServer.exe
O23 - Service: Fonction Commande à distance d'iSeries Access for Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: NMC executables launcher (ExecdEx) - Unknown owner - c:\4760\bin\ExecdEx.exe
O23 - Service: NMC extractor (Extractor) - Unknown owner - c:\4760\bin\extractor.exe
O23 - Service: NMC GCS administration server (GCSAdmin) - Unknown owner - c:\4760\bin\GCSAdmin.exe
O23 - Service: NMC GCS config server (GCSConfig) - Unknown owner - c:\4760\bin\GCSConfig.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMC License server (LicenseServer) - Unknown owner - c:\4760\bin\LicenseServer.exe
O23 - Service: NMC Loader (Loader) - Unknown owner - c:\4760\bin\loader.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: ORBacus Notify Service (NotifyService) - Unknown owner - c:\4760\bin\ns_service.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: NMC Save/Restore (SaveRestore) - Unknown owner - c:\4760\bin\save_restore.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: NMC Scheduler (Scheduler) - Unknown owner - c:\4760\bin\scheduler.exe
O23 - Service: NMC Security Server (SecurityServer) - Unknown owner - c:\4760\bin\SecurityServer.exe
O23 - Service: ServiceOMC - Unknown owner - C:\WINDOWS\system32\ServiceOMC.exe
O23 - Service: Sun ONE Directory Server 5.2 (4760) (slapd-4760) - Unknown owner - c:\4760\Netscape\server5/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: NMC Service Manager (svc_mgr) - Unknown owner - c:\4760\bin\svc_mgr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NMC Pbx/Ldap synchronization (SyncLdapPbx) - Unknown owner - c:\4760\bin\SyncLdapPbx.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--
End of file - 12430 bytes


Bye !
--
sfc.olympe-network.com
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
Hi

It's a desktop PC, isn't it?

¤ Relaunch HijackThis, check the boxes next to these lines and then click on "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {C8C729FD-9C9F-4D53-A419-EC5101ED52AF} - C:\WINDOWS\system32\geede.dll (file missing)

Close HijackThis.

See you!
0
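The five lines in the fix list above were picked out of the log by hand: three browser-default (R0) entries that are empty or reset to about:blank, and two Browser Helper Objects whose DLL no longer exists. As an added example (not code from this thread, from HijackThis or from either poster), here is a small Python triage script that applies those same criteria mechanically to HijackThis-style lines, and additionally surfaces O23 services whose binary is marked "(file missing)" (the Bonjour entry in the log is one) as further candidates; which candidates actually get fixed remains the analyst's call. The sample lines are excerpted from the HijackThis log posted above; the `Finding` type, the `triage`/`triage_line`/`parse_line` names and the flagging rules are this example's own.

```python
"""Triage of HijackThis-style log lines: flag empty browser defaults and
load points (BHOs, services) whose target file is gone.  Added example,
not part of the thread or of HijackThis itself."""
import re
from dataclasses import dataclass

# Constructed sample: the lines are excerpted from the HijackThis log posted
# in the thread; the benign neighbours are kept so the script has negatives.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C8C729FD-9C9F-4D53-A419-EC5101ED52AF} - C:\WINDOWS\system32\geede.dll (file missing)
O23 - Service: Service Bonjour (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "R0", "O2", "O23"
    reason: str    # why the line was flagged
    line: str      # the original log line, stripped


# Every scan line starts with a section tag: "R0 - ...", "O2 - ...", "O23 - ...".
_TAGGED = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.*)$")
# R-lines: "<registry key>,<value name> = <data>"; the data part may be empty.
_R_LINE = re.compile(r"^(?P<key>.+?)\s*=\s*(?P<data>.*)$")
# O2 lines: "BHO: <name> - {CLSID} - <dll path or '(no file)'>".
_O2_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

# Browser defaults that carry no useful setting (the R0 lines in the fix list).
EMPTY_BROWSER_DEFAULTS = {"", "about:blank"}


def parse_line(line):
    """Return (tag, body) for a tagged scan line, or None for header text and
    the 'Running processes' block, which carry no section tag."""
    m = _TAGGED.match(line.strip())
    return (m.group("tag"), m.group("body")) if m else None


def triage_line(line):
    """Return a Finding when the line is an empty default or an orphaned
    load point, otherwise None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    tag, body = parsed
    if tag == "R0":
        m = _R_LINE.match(body)
        if m and m.group("data").strip() in EMPTY_BROWSER_DEFAULTS:
            return Finding(tag, "empty or about:blank browser default", line.strip())
    elif tag == "O2":
        m = _O2_LINE.match(body)
        if m:
            path = m.group("path").strip()
            if path == "(no file)" or path.endswith("(file missing)"):
                return Finding(tag, f"BHO {m.group('clsid')} points at a missing file", line.strip())
    elif tag == "O23":
        # The image path is the last " - " field; display names may themselves
        # contain " - ", so split from the right rather than the left.
        path = body.rsplit(" - ", 1)[-1].strip()
        if path.endswith("(file missing)"):
            return Finding(tag, "service binary missing", line.strip())
    return None


def triage(log_text):
    """Run triage_line over every line of a log and keep the findings in order."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the same five lines the fix list names plus the Bonjour service; pointing `triage` at a full saved HijackThis log (read the file and pass its text) works the same way, because untagged lines are simply skipped.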
CurLy64 Posted messages 71 Status Member 4
 
Hello Regis,

Yes, it's a desktop PC, I'll fix all that, thanks :)
--
sfc.olympe-network.com
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
Okay,

How are your troubles now?

See you later.
0
CurLy64 Posted messages 71 Status Member 4
 
There aren't any more, thanks to your help :)

Thank you very much :)

--
sfc.olympe-network.com
0
Regis59 Posted messages 21143 Registration date   Status Security Contributor Last intervention   1 349
 
You're welcome,

Have a good evening
0