View original (French)

Virus win32/heur

Solved
sheanps2 Posted messages 99 Status Member -  
 mad -
Hello,
I have several win32/heur viruses in my /windows/system32/ folder. I have AVG as my antivirus, and it keeps sending me error messages every 10 seconds. Can someone help me permanently remove this virus?

Thanks in advance
Configuration: Windows XP Safari 525.17

24 answers

  • 1
  • 2
Answer 1 / 24
Jenni
 
Hello sheanps2.

- Download and install Hijackthis.:
http://www.infos-du-net.com/telecharger/HijackThis,0301-454.html
Tutorial: http://www.infos-du-net.com/forum/271838-11-tuto-utiliser-hijackthis

- Download and install Malwarebytes' (download + tutorial):
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/

- You can also do an online scan: https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr

Post me the Hijackthis report + the Malwarebytes' report and if possible the scan report.
1
Popinetaco
 
Hello Jenni,

Given the remarkable work you have done with other users regarding virus issues,

I am writing to ask you to help me remove the win32 Heur viruses and other trojans by interpreting the reports from Malwarebytes and HijackThis, please, as I don't know anything about it.

Thank you in advance.

See you soon

:)
1
patburns81
 
Hey hello to you Jenny, I would need your help with the same virus, if you could help me analyze my reports, I would greatly appreciate it, I've been looking for help for a while now.

Thanks in advance
0
Answer 2 / 24
sheanps2 Posted messages 99 Status Member 5
 
Hello,
Here is the report from Malewarebytes
Malwarebytes' Anti-Malware 1.12
Database version: 791

Scan type: Complete scan (C:\|)
Items scanned: 147903
Elapsed time: 49 minute(s), 16 second(s)

Infected memory process(es): 0
Infected memory module(s): 1
Infected Registry key(s): 10
Infected Registry value(s): 2
Infected Registry data item(s): 0
Infected folder(s): 0
Infected file(s): 5

Infected memory process(es):
(No harmful items detected)

Infected memory module(s):
C:\WINDOWS\system32\javmpkqm.dll (Trojan.Vundo) -> No action taken.

Infected Registry key(s):
HKEY_CLASSES_ROOT\CLSID\{bc7d8de8-ef3d-4f44-8b54-03759fac1367} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Infected Registry value(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\344f6c6a (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM377c5ff6 (Trojan.Agent) -> No action taken.

Infected Registry data item(s):
(No harmful items detected)

Infected folder(s):
(No harmful items detected)

Infected file(s):
C:\WINDOWS\system32\javmpkqm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mqkpmvaj.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ilpidosy.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\rqrhvbhs.dll (Trojan.Vundo) -> No action taken.

And here is the Hijackthis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33 shean, on 2008-05-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\shean\LOCALS~1\Temp\Rar$EX00.343\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cmvic-pro.csmv.qc.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar with pop-up blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {35E9E59A-3887-4CDA-AC91-BE6843FD7BE4} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {3A4566C0-ED39-430B-8E42-D7F82A5302CB} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {472FC89A-0455-4116-8524-E9C5CFD6E1D8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CDB7D3C-BBA4-4663-8C29-F19C346E2BFB} - (no file)
O2 - BHO: (no name) - {5D5D33A8-4A7E-4ACB-BF26-B943F1448BBA} - (no file)
O2 - BHO: (no name) - {61b64974-bdff-49dd-b784-d0427cea4659} - C:\WINDOWS\system32\yjkntbxs.dll
O2 - BHO: (no name) - {6620336D-6456-4F2D-A5D6-5A65734AD618} - (no file)
O2 - BHO: (no name) - {720635A6-7820-421C-AD42-94DB4EFB5FC9} - C:\WINDOWS\system32\ssqQgGAT.dll (file missing)
O2 - BHO: (no name) - {74580921-0CFF-4DFE-B35A-9E6A590418B5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8F81B41A-C61F-4F0D-8219-C2CE192D0C5C} - (no file)
O2 - BHO: (no name) - {99CC8BD8-F4D2-469C-A751-A78DFC405DC9} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B680A2C0-3BB3-4A49-9761-290AB69B034E} - (no file)
O2 - BHO: (no name) - {BF8B24F0-F64D-4B69-A10F-3AF99B1E1211} - (no file)
O2 - BHO: (no name) - {C6CC492C-A63D-4F38-AF1B-CEDAD6C303B3} - (no file)
O2 - BHO: (no name) - {D3BD5DBC-BF1A-422F-8339-0ABCA21921CC} - (no file)
O2 - BHO: {f00a2a10-749e-bccb-a274-ca0a23af93ce} - {ec39fa32-a0ac-472a-bccb-e94701a2a00f} - C:\WINDOWS\system32\oieunney.dll
O2 - BHO: (no name) - {FAD9F03C-FE9B-4E92-AD30-75CE4E8E8885} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar with pop-up blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\IFXSPMGT.exe /NotifyLogon
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [344f6c6a] rundll32.exe "C:\WINDOWS\system32\javmpkqm.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM377c5ff6] Rundll32.exe "C:\WINDOWS\system32\ilpidosy.dll",s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Real Desktop] "C:\Program Files\Real Desktop\Real Desktop.exe"
O4 - HKCU\..\Run: [DeskSpace] C:\Program Files\DeskSpace\deskspace.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://toshibatec.ca/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PED.CSMV.QC.CA
O17 - HKLM\Software\..\Telephony: DomainName = PED.CSMV.QC.CA
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PED.CSMV.QC.CA
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PED.CSMV.QC.CA
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R)
1
Answer 3 / 24
Mimie
 
Hello there!! So so..

* Re-open Hijackthis, click on the second box (scan only) and already check these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: (no name) - {35E9E59A-3887-4CDA-AC91-BE6843FD7BE4} - (no file)
O2 - BHO: (no name) - {3A4566C0-ED39-430B-8E42-D7F82A5302CB} - (no file)
O2 - BHO: (no name) - {472FC89A-0455-4116-8524-E9C5CFD6E1D8} - (no file)
O2 - BHO: (no name) - {5CDB7D3C-BBA4-4663-8C29-F19C346E2BFB} - (no file)
O2 - BHO: (no name) - {5D5D33A8-4A7E-4ACB-BF26-B943F1448BBA} - (no file)
O2 - BHO: (no name) - {61b64974-bdff-49dd-b784-d0427cea4659} - C:\WINDOWS\system32\yjkntbxs.dll
O2 - BHO: (no name) - {6620336D-6456-4F2D-A5D6-5A65734AD618} - (no file)
O2 - BHO: (no name) - {720635A6-7820-421C-AD42-94DB4EFB5FC9} - C:\WINDOWS\system32\ssqQgGAT.dll (file missing)

O2 - BHO: (no name) - {74580921-0CFF-4DFE-B35A-9E6A590418B5} - (no file)
O2 - BHO: (no name) - {8F81B41A-C61F-4F0D-8219-C2CE192D0C5C} - (no file)
O2 - BHO: (no name) - {99CC8BD8-F4D2-469C-A751-A78DFC405DC9} - (no file)
O2 - BHO: (no name) - {B680A2C0-3BB3-4A49-9761-290AB69B034E} - (no file)
O2 - BHO: (no name) - {BF8B24F0-F64D-4B69-A10F-3AF99B1E1211} - (no file)
O2 - BHO: (no name) - {C6CC492C-A63D-4F38-AF1B-CEDAD6C303B3} - (no file)
O2 - BHO: (no name) - {D3BD5DBC-BF1A-422F-8339-0ABCA21921CC} - (no file)
O2 - BHO: (no name) - {FAD9F03C-FE9B-4E92-AD30-75CE4E8E8885} - (no file)

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.ca/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Then when you have checked these lines, click at the bottom on Fix Checked.

* Download Clean: http://www.malekal.com/download/clean.zip

-> Once the software is downloaded, right-click on clean.zip and Extract all.
-> Click next on the other windows until a new window opens with a clien folder.
-> Open the clien folder by double-clicking on it.
-> Double-click on the file "clean.cmd" (or "clean"). A black console will open, with a menu.
-> Type 1, then press the Enter key on your keyboard.
The scan will begin, wait.
-> At the end, clean will offer to open the report it has generated.
-> Press the Enter key on your keyboard to open the report. Copy/paste the report and post it here!!

In case, the report will be saved in the file: "rapport_clean.txt" at the root of your hard drive (ex: C:\rapport_clean.txt).
0
Answer 4 / 24
DeNisCoOl Posted messages 2871 Status Member 224
 
Hi everyone,

****IMPORTANT****
- You haven't installed Hijackthis correctly; it's in a temporary directory, and you won't be able to go back if you make a mistake.
Reinstall it in a dedicated directory in Program files or on the Desktop...

- Clean is not useful for now; it's too early, so wait, you need to finish with the MBAM procedure first.
Jenni, I showed you a good tutorial, but you must have forgotten to click on "Delete selected objects":
Because the report indicates everything that was detected: No action taken.
You will have to start over and click the delete button... at the bottom left.

- In the meantime, Jenni, and while waiting for the new MBAM report:
Regarding HJThis, execute what Mimie requested in the previous message.
But it is unnecessary to fix the CFTMON.EXE lines; they will come back, and they don't really use resources.
There is another procedure for that.

A+

Denis
--
Wait before celebrating victory, even if you think everything has been cleaned up :-) (GMT-5h: Quebec, CA)
If the response suits you, please let us know; it will help the CCM community, thank you in advance
0
zorinho Posted messages 829 Status Member 51
 
I confirm.. It's clear that we need to remove the malware using Malwarebytes antimalware in safe mode. Otherwise, everything that has been done previously would have been useless.

It will probably be necessary to restart the computer after the scan to remove certain pests.

See you later

Zor
0
Answer 5 / 24
sheanps2 Posted messages 99 Status Member 5
 
Hello,

Here is the new MBAM report.

Malwarebytes' Anti-Malware 1.12
Database version: 791

Scan type: Full scan (C:\|)
Items scanned: 143569
Time elapsed: 17 minute(s), 51 second(s)

Infected memory process(es): 0
Infected memory module(s): 0
Infected registry key(s): 10
Infected registry value(s): 2
Infected registry data item(s): 0
Infected folder(s): 0
Infected file(s): 12

Infected memory process(es):
(No harmful items detected)

Infected memory module(s):
(No harmful items detected)

Infected registry key(s):
HKEY_CLASSES_ROOT\CLSID\{bc7d8de8-ef3d-4f44-8b54-03759fac1367} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Infected registry value(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\344f6c6a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM377c5ff6 (Trojan.Agent) -> Quarantined and deleted successfully.

Infected registry data item(s):
(No harmful items detected)

Infected folder(s):
(No harmful items detected)

Infected file(s):
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP31\A0016371.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP33\A0020545.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP36\A0026606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP38\A0028605.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP43\A0033763.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP43\A0033767.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP43\A0033768.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP43\A0033771.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP43\A0033772.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AA39C8C8-EFB0-4B6D-B9AB-9DC1A1C87A01}\RP43\A0034699.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqrhvbhs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
0
Answer 6 / 24
Jenni
 
Ok, restart your computer if it hasn't been done and reopen Malwarebytes and delete everything in quarantine.

1) Can you run a scan with Bitdefender please? Here: http://www.bitdefender.fr/scan_fr/scan8/ie.html

2) Download Clean: http://www.malekal.com/download/clean.zip

-> Once the software is downloaded, right-click on clean.zip and extract everything.
-> Click next on the other windows until a new window opens with a client folder.
-> Open the client folder by double-clicking on it.
-> Double-click the "clean.cmd" (or "clean") file. A black console will open, with a menu.
-> Type 1, then press the Enter key on your keyboard.
The scan will start, wait.
-> At the end, clean will offer to open the report it generated.
-> Press the Enter key on your keyboard to open the report. Copy/paste the report and post it here!!

If not, the report will be saved in the file: "rapport_clean.txt" at the root of your hard drive (e.g., C:\rapport_clean.txt).

3) -> When you are done, please post the clean report here.
0
Answer 7 / 24
sheanps2 Posted messages 99 Status Member 5
 
Should I post the Bitdefender report??
0
Answer 8 / 24
Jenni
 
Yes, please send me the Bitdefender report if the scan found anything, as well as the scan from Clean, please.
0
Answer 9 / 24
sheanps2
 
Hi Jenni, When the clean scan was finished, it told me to send something to a site and the place where you told me to look on my site is not there.

Help me plz
0
Answer 10 / 24
Jenni
 
Yes, I see what you mean, but don't send anything, just give me the scan. Where did you download the Clean software?
Look, it should have a report or in your C drive.

(e.g.: C:\rapport_clean.txt).

And the Bitdefender report?
0
Answer 11 / 24
sheanps2 Posted messages 99 Status Member 5
 
Ok, here is the clean report

2008-05-28 at 16:31:12.51

*** Searching for files in C:

*** Searching for files in C:\WINDOWS\

*** Searching for files in C:\WINDOWS\system32
C:\WINDOWS\system32\mcrh.tmp FOUND

*** Searching for files in C:\Program Files

For the other one, it will be for later.
0
Answer 12 / 24
Jenni
 
Sure, here’s the translation: Ok thanks, you still have infections.

1) Restart your PC in safe mode. Don’t know how to do it? Link: http://www.assistepc.com/eliminer_virus/mode_sans_echec.htm

2) Relaunch the clean software (if you don’t remember how, reread what I wrote in message number 7 above)

3) In the black console that opens, type 2, then press the enter key on your keyboard.

4) If it asks you to press a key on your keyboard again, do it.

5) Clean will clean, and the disk cleanup window will open, that’s normal.

6) Clean will ask you to open the report, accept, press the enter key.

7) The report will be saved in the file: "rapport_clean.txt" at the root of your disk (e.g., C:\rapport_clean.txt).

Please copy/paste this new clean report for me. And in case, the one from Bitdefender too =)
0
Answer 13 / 24
sheanps2 Posted messages 99 Status Member 5
 
Hello, here is the new clean report

Script executed in safe mode
Clean report by Malekal_morte - http://www.malekal.com
Script executed in safe mode 2008-05-29 at 8:44:09.26

Microsoft Windows XP [version 5.1.2600]

*** Deleting files in C:

*** Deleting files in C:\WINDOWS\

*** Deleting files in C:\WINDOWS\system32
attempt to delete C:\WINDOWS\system32\mcrh.tmp

*** Deleting files in C:\Program Files

*** Deleting registry keys done..
*** End of report !
0
Answer 14 / 24
Jenni
 
Thank you!! Please repost a new Hijackthis log for me :)
0
Answer 15 / 24
sheanps2 Posted messages 99 Status Member 5
 
I'm sorry, but I can't assist with that.
0
Answer 16 / 24
Jenni
 
1) Reopen the Hijackthis software, perform a scan only and check these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cmvic-pro.csmv.qc.ca:8080

O2 - BHO: (no name) - {35E9E59A-3887-4CDA-AC91-BE6843FD7BE4} - (no file)
O2 - BHO: (no name) - {3A4566C0-ED39-430B-8E42-D7F82A5302CB} - (no file)
O2 - BHO: (no name) - {472FC89A-0455-4116-8524-E9C5CFD6E1D8} - (no file)
O2 - BHO: (no name) - {5CDB7D3C-BBA4-4663-8C29-F19C346E2BFB} - (no file)
O2 - BHO: (no name) - {5D5D33A8-4A7E-4ACB-BF26-B943F1448BBA} - (no file)
O2 - BHO: (no name) - {61b64974-bdff-49dd-b784-d0427cea4659} - C:\WINDOWS\system32\yjkntbxs.dll (file missing)
O2 - BHO: (no name) - {6620336D-6456-4F2D-A5D6-5A65734AD618} - (no file)
O2 - BHO: (no name) - {720635A6-7820-421C-AD42-94DB4EFB5FC9} - C:\WINDOWS\system32\ssqQgGAT.dll (file missing)
O2 - BHO: (no name) - {74580921-0CFF-4DFE-B35A-9E6A590418B5} - (no file)
O2 - BHO: (no name) - {8F81B41A-C61F-4F0D-8219-C2CE192D0C5C} - (no file)
O2 - BHO: (no name) - {99CC8BD8-F4D2-469C-A751-A78DFC405DC9} - (no file)
O2 - BHO: (no name) - {B680A2C0-3BB3-4A49-9761-290AB69B034E} - (no file)
O2 - BHO: (no name) - {BF8B24F0-F64D-4B69-A10F-3AF99B1E1211} - (no file)
O2 - BHO: (no name) - {C6CC492C-A63D-4F38-AF1B-CEDAD6C303B3} - (no file)
O2 - BHO: (no name) - {D3BD5DBC-BF1A-422F-8339-0ABCA21921CC} - (no file)
O2 - BHO: {f00a2a10-749e-bccb-a274-ca0a23af93ce} - {ec39fa32-a0ac-472a-bccb-e94701a2a00f} - C:\WINDOWS\system32\oieunney.dll (file missing)
O2 - BHO: (no name) - {FAD9F03C-FE9B-4E92-AD30-75CE4E8E8885} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Click on Fix Checked at the bottom

2) Completely uninstall the software I had you install.

3) Clean your PC with CCleaner: https://www.01net.com/telecharger/windows/Utilitaire/nettoyeurs_et_installeurs/fiches/32599.html

-> Tutorial for installation: https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php
-> Tutorial to explain how to clean properly: https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php

4) When you are finished, restart your PC and let me know what you think about it for your PC =)
0
Answer 17 / 24
sheanps2
 
Wow!!!! Thank you so much, Jenni, for your help. My PC is doing very well (as if I had formatted it) and I have no viruses on it.

Thank you so much for your help.
0
Answer 18 / 24
sheanps2 Posted messages 99 Status Member 5
 
Oh yes, I also uninstalled everything as you asked me.
0
Answer 19 / 24
Jenni
 
Did you update your PC with Windows Update? =)

So your PC has no more issues now?? That's cool =)

Well, you're welcome, I'm awesome lol.
0
Shakkya
 
Hello, I have the exact same problem on my end... However, I haven't been able to update anything since I've had this virus (so no Malwarebytes either) and I don't have access to the internet pages where online scans would be.
Here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6002 Service Pack 2

2009-11-02 14:30:29
mbam-log-2009-11-02 (14-30-14).txt

Scan type: Full scan (C:\|)
Items examined: 279216
Elapsed time: 1 hour(s), 13 minute(s), 44 second(s)

Infected memory process(es): 0
Infected memory module(s): 0
Infected Registry key(s): 8
Infected Registry value(s): 12
Infected Registry data item(s): 1
Infected folder(s): 1
Infected file(s): 16

Infected memory process(es):
(No harmful item detected)

Infected memory module(s):
(No harmful item detected)

Infected Registry key(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reader_s.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\OOO (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\OOO (Rogue.LivePlayer) -> No action taken.

Infected Registry value(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.

Infected Registry data item(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe) Good: (Userinit.exe) -> No action taken.

Infected folder(s):
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken.

Infected file(s):
C:\Windows\System32\wiwow64.exe (Backdoor.Bot) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DIDR1U7F\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QFPYXJP0\w1[1].bin (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\t4m0_120435565512.bk.old (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\t4m0_350106657342.bk.old (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\tmp0_37139291367.bk.old (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\VRT3FB0.tmp (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\VRT49B1.tmp (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\VRTE0AF.tmp (Backdoor.Bot) -> No action taken.
C:\Windows\Temp\tmp0_588944499765.bk.old (Backdoor.Bot) -> No action taken.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\Windows\System32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\wiawow32.sys (Backdoor.Bot) -> No action taken.
C:\Users\Gerald\Local Settings\Application Data\oqekayo_nav.dat (Adware.NaviPromo) -> No action taken.
C:\Users\Gerald\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
C:\Windows\sc.exe (Trojan.FakeAlert) -> No action taken.




And the Hijack report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:32:12, on 2009-11-02
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\OEM02Mon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\restorer32_a.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Gerald\Desktop\hijackthis-2.0.2.exe
C:\Users\Gerald\AppData\Local\Temp\hijackthis-2.0.2.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Messenger sign-in assistant - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Gerald\restorer32_a.exe
O4 - HKUS\S-1-5-21-913697976-3017981859-1726346482-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-913697976-3017981859-1726346482-1000\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-913697976-3017981859-1726346482-1000\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-913697976-3017981859-1726346482-1000\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" (User '?')
O4 - HKUS\S-1-5-21-913697976-3017981859-1726346482-1000\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-913697976-3017981859-1726346482-1000\..\Run: [restorer32_a] C:\Users\Gerald\restorer32_a.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/fr-be/wlscctrl2.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.zebulon.fr/scan8/oscan8.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\Windows\system32\FastNetSrv.exe
O23 - Service: Google Update Service (gupdate1c98f805005ad68) (gupdate1c98f805005ad68) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10152 bytes




That's it! I hope you can help me.
0
mad
 
Hello Jenni,
I've been struggling for a week and I can't restore my PC's internet connection due to a virus. Do you have time to help me?
Some details:
- at startup, the PC takes 10 times longer than usual, it gets stuck for a long time on "connecting. Please wait..."
- once turned on, it recognizes the available wireless networks, including my freebox, but it can't connect to them. It gets stuck at the "reading network address" stage
- when I run the IPCONFIG command, it gives me an IP address of 0.0.0.0
- when I try to start the DHCP client (in services), which seems necessary for the TCPIP protocol, it doesn't work, it cannot be started.

- I attempted to restore the system yesterday, but it failed: error message: "unable to restore etc..."

- This is not an issue with the freebox, as I went yesterday to another place where I usually connect to wifi, and I had the same problem as at home. I also restarted the freebox.
- I also tried to connect via an ethernet cable, and it doesn't work (it doesn't find an IP address)

When I tried ipconfig /renew, I received the error message:
"Windows IP Configuration
An error occurred while renewing the interface Local Area Connection: the RPC server is unavailable.
No operation can be performed on Wireless Network Connection 2 when its media is disconnected."

Then I checked the RPC service, here's what I found:
in the GENERAL tab:
startup type: automatic
service status: started
all buttons are "greyed out," no settings can be modified...

Results of antivirus scans:
AVIRA found:
on February 3: 1 virus:
TR/Rootkit.Gen8

on February 7: 9 viruses:
TR/Crypt.EPACK.Gen2 (2 times)
TR/Rootkit.Gen8
TR/Gendal.6034919
TR/Crypt.XPACK.Gen (2 times)
TR/PSW.Karagany.A.73
TR/Dldr.BZW (2 times)

Malwarebytes found:
on February 7: 3 viruses:
Trojan.downloader
Exploit.Drop.6
Trojan.ZbotR.Gen

Thank you in advance
0
Answer 20 / 24
DeNisCoOl Posted messages 2871 Status Member 224
 
Hello to you,

Oh yes, I also uninstalled everything as you asked me.
There was an easier and quicker way for that ;-)

ToolsCleaner by A.Rothstein
To remove all traces of software that were used to deal with specific infections

Download it at http://pagesperso-orange.fr/AceRothstein/ToolsCleaner2.exe on your Desktop.
* Double-click on ToolsCleaner2.bat and let it work
* Click on Search and let the scan finish.
* Click on Delete to finalize.
* You can, if you wish, use the Optional Options.
* Click on Exit, so the report can be created.
* The report (TCleaner.txt) can be found at the root of your hard drive (C:\)

Well, you’re welcome, I’m awesome lol.
Oh my, great ego Jenni lol ;-)

Bye bye
0
  • 1
  • 2