Win32:Adware-gen [Adw]

Solved/Closed
nico:
Good evening, it's late and I don't know what to do! Indeed, Avast is indicating that my PC is infected with a file "Win32:Adware-gen [Adw]"... I'm a total novice when it comes to removing viruses, and a simple "delete" unfortunately isn't enough!
I admit that I'm extremely stressed by this attack (I'm shaking!). I don't know exactly what I'm at risk for and, above all, how to get rid of this crap! I'm eagerly waiting for your help and if I manage to close my eyes, that would be great...
Thank you in advance for everything.
Configuration: Windows XP / Internet Explorer 7.0

34 answers

verni29 (Security Contributor):
 
Hello,

Rest assured. THIS VIRUS IS A FALSE POSITIVE.

http://www.secuser.com/alertes/2006/vbsmalware.htm

It is not a virus.

You can mark the issue as resolved, please.

Bye.
nico:
 
I clicked on your link and read the web page; even though I find it doesn't relate to my virus, I still updated my virus database. Trying to quarantine and delete this file again doesn't change anything... Thanks anyway for trying!

nico (bump!):
 
I surfed around a bit and, given my level, what is said to be done does not reassure me, but I prefer to wait for someone to tell me exactly what to do for my problem... I don't know if this can help move things forward, but I just made a HijackThis report to try to save time. Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:31:13, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\system32\lphc3rnj0ecfn.exe
C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\Adsl Software Ltd\WinSpywareProtect\Winspywareprotect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [lphc3rnj0ecfn] C:\WINDOWS\system32\lphc3rnj0ecfn.exe
O4 - HKLM\..\Run: [SMrhc7rnj0ecfn] C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfn.exe
O4 - HKLM\..\Run: [6cf62d0f] rundll32.exe "C:\WINDOWS\system32\qbqxtgew.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\Adsl Software Ltd\WinSpywareProtect\Winspywareprotect.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O9 - Extra 'Tools' menuitem: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9E72957-6E70-4334-AD37-B79C7ECEAB78}: NameServer = 81.253.149.9 80.10.246.132
O21 - SSODL: fdxbameg - {D27B5A0A-79ED-4EB5-97B9-4D2E4F4FCEF8} - C:\WINDOWS\fdxbameg.dll (file missing)
O21 - SSODL: fsrpknov - {6D39581C-2291-4004-AC8B-AD6D4B5B2ACE} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9172 bytes
verni29 (Security Contributor):
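Reading a HijackThis log by eye is what the helpers in this thread do. The entries that turn out to be malicious here (the O3 toolbar sqvgnrpx, the O4 Run values lphc3rnj0ecfn, SMrhc7rnj0ecfn and 6cf62d0f, the O21 SSODL entries fdxbameg and fsrpknov) share two traits: a machine-generated name, and a location legitimate software rarely uses (the Windows root, system32, or a Program Files folder named after the same gibberish). The script below is an added example, not part of the thread and not a HijackThis or Malwarebytes tool: it encodes those two traits as heuristics and runs them over a constructed excerpt in HijackThis v2 format. The vowel-ratio threshold, the minimum name length and the location rules are my assumptions for illustration; on a real log keep a list of known-good names, because short vendor names and some themed shell add-ons score as "random" on the name test alone.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the entry types in
# this thread (O3 toolbar, O4 Run values, O21 SSODL) plus benign lines so the
# heuristics have something to leave alone. Not a real log.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lphc3rnj0ecfn] C:\WINDOWS\system32\lphc3rnj0ecfn.exe
O4 - HKLM\..\Run: [SMrhc7rnj0ecfn] C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfn.exe
O4 - HKLM\..\Run: [6cf62d0f] rundll32.exe "C:\WINDOWS\system32\qbqxtgew.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O21 - SSODL: fdxbameg - {D27B5A0A-79ED-4EB5-97B9-4D2E4F4FCEF8} - C:\WINDOWS\fdxbameg.dll (file missing)
O21 - SSODL: fsrpknov - {6D39581C-2291-4004-AC8B-AD6D4B5B2ACE} - C:\WINDOWS\fsrpknov.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# A quoted path, or an unquoted one ending in a loadable extension followed by a delimiter.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|scr|cpl|ocx))(?=[\s,"]|$)',
                     re.IGNORECASE)
EXPORT_RE = re.compile(r'\.dll"?,(\w+)', re.IGNORECASE)   # rundll32 <dll>,<export>
KEY_RE = re.compile(r"\[([^\]]+)\]")                      # O4 value name in brackets


@dataclass
class Finding:
    kind: str      # HijackThis entry type, e.g. "O4"
    path: str      # file the entry loads
    reasons: list  # why it was flagged


def looks_random(stem):
    """Heuristic (assumed thresholds): long names with almost no vowels read as
    machine-generated. 'lphc3rnj0ecfn' scores ~0.09, 'googletoolbar1' ~0.46."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or len(letters) < 6:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.3


def suspicious_location(path):
    """The rogues in this thread lived directly in the Windows folder, in its
    system32 subfolder, or in Program Files\\<gibberish>\\<gibberish>.exe."""
    parts = path.lower().split("\\")
    if len(parts) < 3:
        return False
    dirs, stem = parts[1:-1], parts[-1].rsplit(".", 1)[0]
    if dirs[0] in ("windows", "winnt") and dirs[1:] in ([], ["system32"]):
        return True
    return dirs[0] == "program files" and dirs[1:] == [stem]


def analyze_line(line):
    """Return a Finding for one log line, or None if nothing looks wrong."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    pm = PATH_RE.search(body)
    if not pm:
        return None            # relative names such as RTHDCPL.EXE: nothing to judge
    path = pm.group(1) or pm.group(2)
    stem = path.split("\\")[-1].rsplit(".", 1)[0]
    random_name = looks_random(stem)
    reasons = []
    if random_name and suspicious_location(path):
        reasons.append("random-looking name in a location the rogues in this thread used")
    if kind == "O4":
        key = KEY_RE.search(body)
        if key and re.fullmatch(r"[0-9a-f]{8}", key.group(1)):
            reasons.append("Run value named with 8 hex digits")
        em = EXPORT_RE.search(body)
        if "rundll32" in body.lower() and em and len(em.group(1)) == 1 and random_name:
            reasons.append("rundll32 loads a random-named DLL through a one-letter export")
    if kind == "O21" and random_name:
        reasons.append("ShellServiceObjectDelayLoad entry with a random name")
    return Finding(kind, path, reasons) if reasons else None


def triage(log_text):
    """All flagged entries of a log, in file order."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.path}\n     " + "\n     ".join(f.reasons))
```

Run as a script it prints the six entries Malwarebytes later removed and leaves the Google toolbar, NvCpl, ctfmon, SpeedTouch and avast! lines alone. The name test is a weak signal on its own; the location test is what keeps the false-positive rate tolerable, and any hit still needs confirming (file properties, publisher signature, a second-opinion scan) before it is deleted.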
 
Hello, Nico

Download MalwareBytes.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Install it, choosing the default options.
At the end of the installation, you will be asked to update MalwareBytes and run it.
Choose the update only. The software will be launched in safe mode.

Restart the computer in safe mode (press F8 after rebooting).
Choose your user account.

To launch MalwareBytes, double-click the desktop shortcut.

In the Scan tab, select Run a full scan.
Click Scan. Select only the computer's hard drives.
Click Start the scan.

At the end of the scan, as requested, click View the scan results.
Then choose Delete the selection to clean the infections.
Post the report in your next message.

A+
nico > verni29:
 
First of all, thank you for your help... here is the report:

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

15:46:24 10/07/2008
mbam-log-7-10-2008 (15-46-24).txt

Search type: Full scan (C:\|)
Items examined: 118745
Elapsed time: 1 hour(s), 9 minute(s), 4 second(s)

Infected memory process(es): 0
Infected memory module(s): 2
Infected Registry key(s): 15
Infected Registry value(s): 8
Infected Registry data item(s): 4
Infected folder(s): 30
Infected file(s): 50

Infected memory process(es):
(No harmful items detected)

Infected memory module(s):
C:\WINDOWS\system32\efcYSiHx.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\byXRlLEt.dll (Trojan.Vundo) -> Unloaded module successfully.

Infected Registry key(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbe9d38d-7516-4fa7-9a02-95de70670797} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dbe9d38d-7516-4fa7-9a02-95de70670797} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrllet (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.bbst (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Registry Defender (Rogue.Registry.Defender) -> Quarantined and deleted successfully.

Infected Registry value(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cf62d0f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc7rnj0ecfn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smshc5rnj0ecfn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winspywareprotect (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3rnj0ecfn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fdxbameg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fsrpknov (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infected Registry data item(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcysihx -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcysihx -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infected folder(s):
C:\Program Files\rhc7rnj0ecfn (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\rhc7rnj0ecfn\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\shc5rnj0ecfn\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Infected file(s):
C:\WINDOWS\system32\efcYSiHx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xHiSYcfe.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xHiSYcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nrigmffl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lffmgirn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXRlLEt.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfnSkin.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\Uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\Uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E23977DA-8BF1-4D35-81CA-2722B6B2FD16}\RP101\A0012786.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E23977DA-8BF1-4D35-81CA-2722B6B2FD16}\RP101\A0012792.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E23977DA-8BF1-4D35-81CA-2722B6B2FD16}\RP102\A0012986.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E23977DA-8BF1-4D35-81CA-2722B6B2FD16}\RP102\A0012997.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E23977DA-8BF1-4D35-81CA-2722B6B2FD16}\RP102\A0013005.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\erem.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqoNdbX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfn.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfn.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\shc5rnj0ecfn.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\shc5rnj0ecfn.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\shc5rnj0ecfn\shc5rnj0ecfnSkin.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\Winspywareprotect.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710032338750.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710142631093.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710142958781.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\gpefaowr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc3rnj0ecfn.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc3rnj0ecfn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc3rnj0ecfn.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicolas\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


PS: after performing the deletion as you advised, Malwarebytes opened a window telling me that some items could not be deleted and have been added to the list of "deletions at startup", and asking whether I want to restart my PC to complete the process. I think I will do it, but I am waiting for confirmation and further advice on what to do next so that the PC is not "left on for nothing".
Thank you again ^^
verni29 (Security Contributor) > nico:
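Why some lines in the report say "Delete on reboot" rather than "Quarantined and deleted successfully": the Vundo DLLs are registered as a Winlogon Notify package (byxrllet) and as LSA Notification/Authentication Packages (efcysihx), so they are mapped into winlogon.exe and lsass.exe at logon and cannot be removed while Windows is running; the scanner has to schedule the deletion for the next boot, which is why the restart is required and why the helper asks for a fresh HijackThis log afterwards. The script below is an added example, not part of the thread and not Malwarebytes code: it parses a constructed excerpt in the Malwarebytes 1.x report format above, lists the items pending a reboot, and cross-references each pending file against the registry entries that name it. The section and line layout are taken from the report as posted; the excerpt itself is constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Malwarebytes 1.x report format, modelled on the
# Vundo-related entries posted in this thread; not the full report.
SAMPLE_REPORT = r"""
Infected Registry key(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrllet (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Infected Registry value(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cf62d0f (Trojan.Vundo) -> Quarantined and deleted successfully.

Infected Registry data item(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcysihx -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infected file(s):
C:\WINDOWS\system32\efcYSiHx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\byXRlLEt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nrigmffl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# <item> (<detection>) -> [Data: ... ->] [Bad: (..) Good: (..) ->] <action>.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_report(text):
    """Yield (section, item, detection, data, action) for every result line."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Infected") and line.endswith(":"):
            section = line[:-1]          # e.g. "Infected file(s)"
            continue
        m = ENTRY.match(line)
        if not m or section is None:
            continue
        parts = m.group("rest").split(" -> ")
        data = next((p[len("Data: "):] for p in parts if p.startswith("Data: ")), None)
        yield section, m.group("item"), m.group("detection"), data, parts[-1]


def pending_reboot(text):
    """Items the scanner could not remove live and deferred to the next boot."""
    return [(s, item) for s, item, _, _, action in parse_report(text)
            if action == "Delete on reboot"]


def why_locked(text):
    """For each file deferred to reboot, the registry entries that make Windows
    load it at logon (Winlogon Notify, LSA packages, ...), matched by file stem."""
    entries = list(parse_report(text))
    refs = defaultdict(list)
    for section, item, _, _, action in entries:
        if section != "Infected file(s)" or action != "Delete on reboot":
            continue
        stem = item.split("\\")[-1].rsplit(".", 1)[0].lower()
        for s2, item2, _, data, _ in entries:
            haystack = (item2 + " " + (data or "")).lower()
            if s2.startswith("Infected Registry") and stem in haystack:
                refs[item].append(item2)
    return dict(refs)


if __name__ == "__main__":
    for section, item in pending_reboot(SAMPLE_REPORT):
        print(f"pending reboot [{section}]: {item}")
    for path, keys in why_locked(SAMPLE_REPORT).items():
        print(f"{path} is loaded via:")
        for k in keys:
            print(f"    {k}")
```

On the sample, both deferred DLLs resolve to exactly one loader each: efcYSiHx.dll to the LSA Authentication Packages data item, byXRlLEt.dll to the Winlogon Notify key. A deferred file with no matching registry entry would be worth a second look after the reboot, since something else (a driver, a scheduled task) may still be holding it open.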
 
Here’s what you’re going to do:

If you can note these items that MalwareBytes cannot remove, please send them to me.
Then, open MalwareBytes and go to the Quarantine tab and empty the quarantine.

Restart your computer, then post me a new HijackThis report.

Talk to you later!
nico > verni29:
 
Here are the undeleted elements:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbe9d38d-7516-4fa7-9a02-95de70670797}

HKEY_CLASSES_ROOT\CLSID\{dbe9d38d-7516-4fa7-9a02-95de70670797}

HKEY_CLASSES_ROOT\CLSID\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrllet

That's it for that.

I will therefore restart my PC, but in which mode? Safe mode again? Also, I do not have access to the "Quarantine" tab... So I need to restart my PC first, then go back to the Quarantine tab, empty that folder, and restart my PC again (in which mode?) to make a new HijackThis report, is that right?

verni29 (Security Contributor) > nico:
 
In normal mode, you should have access to the MalwareBytes quarantine.

Also send me a Hijackthis report.

Cheers!
nico:

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31:13, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O9 - Extra 'Tools' menuitem: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7882 bytes

Here we go, so what can I do about the modified registry issue, especially since if I remember correctly, 2 others will appear after I allow this one.
Thank you!
0
verni29 Posted messages 6805 Status Security Contributor 180
 
I'm analyzing all of this.
Response in half an hour.

See you!
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
Good luck and thank you for your patience ;)
0
verni29 Posted messages 6805 Status Security Contributor 180 > verni29 Posted messages 6805 Status Security Contributor
 
The report is clean and shows no traces of infections.
It still needs to be cleaned.

1) For the keys to delete:
Open Notepad and copy the following text:

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbe9d38d-7516-4fa7-9a02-95de70670797}]
[-HKEY_CLASSES_ROOT\CLSID\{dbe9d38d-7516-4fa7-9a02-95de70670797}]
[-HKEY_CLASSES_ROOT\CLSID\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684bfe7f-f5b2-4ab3-a95e-eb5036a2d286}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrllet]

Save the file as fix.txt on your desktop.
Close Notepad and rename this file to fix.reg (right-click on the file --> rename).
After that, right-click again and merge.

2) Download OTMoveIt (by Old_Timer) to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Double-click OTMoveIt.exe to launch it.
Copy the list found in the quote below and paste it into the left frame of OTMoveIt under Paste List of Files/Folders to move.

C:\WINDOWS\system32\Iphc3rnj0ecfn.exe

Click on MoveIt! to start the deletion.
The result will appear in the "Results" frame.
Click on Exit to close.
Post the report located in C:\_OTMoveIt\MovedFiles.

3) We will proceed to clean the Hijackthis report.
To do this, close your browser.
Launch Hijackthis and choose "Do a system scan only".
Select the following lines:

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Quick Launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)

Choose the "Fixchecked" option at the bottom of the page.

And repost a HijackThis report to me.

A+
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
"Close Notepad and rename this file to fix.reg (right-click on the file --> rename).
After that, right-click again and merge."
I have a fix.reg file on my desktop (it still looks like a txt file anyway), but when I right-click on it, I don't have the 'merge' option... Did I do something wrong?
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
It should indeed change its icon.
When you right-click, delete everything and rename it to fix.reg.

If that doesn't work, we'll check one thing (hidden file extensions).
0
nico
 
Okay, it's good, perfect, I can merge it now and add the information contained in the registry!
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Continue, send me both reports.
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
A problem after all: when it asks me to confirm the merge, I click "yes". Then an error message appears: "Unable to import C:\documents and Settings\Nicolas\Bureau\fix.reg: The specified file is not a registry script. You can only import binary registry files from the registry editor" ...
It's stuck :s
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
Sorry, I'm tired.

At the top of the file, add this:

REGEDIT4

and then leave a blank line

See you!
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
What?! You made a mistake?! But that's a shame! I'm just kidding of course! You don't have to apologize with everything you do for me, that would be the height of absurdity ^^
Anyway, the merger has been completed, I'm continuing with the program.
See you later!
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
:-)
0
GazzehWael Posted messages 78 Status Member 15
 
To kill the Win 32 virus, you need Kaspersky.
It is the most secure antivirus, it is really the best.
Well, it will solve your Win 32 problem.
I use it and it is reliable, it is the easiest method against viruses.
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Thanks for the info.
I was just thinking of asking him to do an online scan with Kaspersky. :-)
0
nico
 
MoveIt report!
File/Folder C:\WINDOWS\systeme32\Iphc3rnj0ecfn.exe not found.
OTmoveIt 2 by Oldimer - version 1.0.4.3 log created on 07102008_181601
This seems good to me, should I continue?
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Yes, go ahead.
0
nico
 
HijackThis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:28, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Google Update Tool.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Wanadoo Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O9 - Extra 'Tools' menuitem: Wanadoo Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6873 bytes
0
verni29 Posted messages 6805 Status Security Contributor 180
 
While I take a look at the report and think about a thing or two I need to tell you (insufficient protections on your computer), you're going to run an online scan (last usual check).

Go to the Kaspersky site:
https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr

Start the Online Scanner (at the bottom right).

Post the report.

This may take some time.

Talk to you later.
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
I'm going to do it, but I always get the Spybot message asking whether to allow or deny the modification of an important registry element. This time it's for "C:\Program Files\rhc7rnj0ecfn\rhc7rnj0ecfn.exe"
I know another message will follow this one with a different element. What is it? What should I do?
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
No, definitely not,

I think we're going to have to go back to square one (those random names are a sign of an infection).
Before the online scan, here's what you're going to do.

You will download ComboFix to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
We're going to run it once to look for infections.

Restart your computer in safe mode.

Launch Combofix.exe and follow the prompts.
Once the scan is finished, a report will appear.
Copy/paste that report into your next response.
If you can't find it, it's at C:\ComboFix.txt.

You can do it now or later.
Let me know when, please.
0
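As an added example (not code from the thread, from HijackThis or from verni29), here is a Python triage of O2/O3/O4 lines of the kind verni29 selected above: it flags "(file missing)" entries and random-looking names such as sqvgnrpx and byXRlLEt (the sign verni29 points to), then writes the matching fix.reg with the REGEDIT4 header whose absence produced the "not a registry script" error earlier in the thread. The sample log lines are constructed from names quoted in the thread, and the random-name rule is this example's own heuristic, which will also hit some legitimate abbreviations.

```python
"""Triage HijackThis O2/O3/O4 lines and emit a REGEDIT4 deletion script.

Added example for this thread; it is not code from HijackThis, ComboFix,
OTMoveIt or verni29. The random-name heuristic is an assumption of this
example, not a HijackThis rule: a hit is a reason to look closer, not proof.
"""
import re
from dataclasses import dataclass

# Constructed sample built from names quoted in the thread: the O2 line is
# rebuilt from the CLSID in fix.reg, the lphc3rnj0ecfn line from ComboFix.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\byXRlLEt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lphc3rnj0ecfn] C:\WINDOWS\system32\lphc3rnj0ecfn.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# O2 BHO and O3 Toolbar lines read "name - {CLSID} - path"; O4 Run reads "[name] path".
ENTRY_RE = re.compile(
    r"^(?P<kind>O[234]) - (?:BHO|Toolbar|(?P<hive>HK\w+)\\\.\.\\Run): "
    r"(?:\[(?P<run>[^\]]+)\]|(?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) -) "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
FILE_RE = re.compile(r'([^\\"]+)\.(?:exe|dll)', re.I)  # last path component's stem
VOWELS = set("aeiouy")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def looks_random(name: str) -> bool:
    """Assumed heuristic: seven or more letters, not an all-caps acronym such
    as RTHDCPL, and either almost vowel-free (sqvgnrpx, lphc3rnj0ecfn) or
    showing a mid-word run of capitals between lowercase letters (byXRlLEt)."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 7 or name.isupper():
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    caps_run = any(
        a.islower() and b.isupper() and c.isupper() and d.islower()
        for a, b, c, d in zip(letters, letters[1:], letters[2:], letters[3:])
    )
    return vowel_ratio < 0.2 or (caps_run and vowel_ratio < 0.4)


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: list
    clsid: str = ""
    hive: str = ""


def triage(log_text: str) -> list:
    """Return the O2/O3/O4 entries worth a second look, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # R0/R1, O9, O23 and the other O4 forms are out of scope here
        name = m["run"] or m["name"]
        reasons = ["file missing"] if m["missing"] else []
        stem = FILE_RE.search(m["path"])
        for label, token in (("entry name", name), ("file name", stem and stem[1])):
            if token and looks_random(token):
                reasons.append(f"random-looking {label} {token!r}")
        if reasons:
            findings.append(Finding(m["kind"], name, m["path"], reasons,
                                    m["clsid"] or "", m["hive"] or ""))
    return findings


def build_fix_reg(findings: list) -> str:
    """REGEDIT4 text for the flagged entries. Header plus blank line is what
    regedit checks first (without it: "not a registry script").
    [-key] deletes a whole key, "value"=- deletes one value."""
    lines = ["REGEDIT4", ""]
    for f in findings:
        if f.kind == "O2":
            lines += [f"[-{BHO_KEY}\\{f.clsid}]", f"[-HKEY_CLASSES_ROOT\\CLSID\\{f.clsid}]", ""]
        elif f.kind == "O3":
            lines += [f"[{TOOLBAR_KEY}]", f'"{f.clsid}"=-',
                      f"[-HKEY_CLASSES_ROOT\\CLSID\\{f.clsid}]", ""]
        elif f.kind == "O4" and f.hive in HIVES:
            lines += [f"[{HIVES[f.hive]}\\{RUN_KEY}]", f'"{f.name}"=-', ""]
    return "\r\n".join(lines)  # regedit expects a CRLF text file


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} {f.name!r}: {', '.join(f.reasons)}")
    print(build_fix_reg(found))
```

The Winlogon\Notify key from verni29's fix.reg is not an O2/O3/O4 entry, so it still has to be added by hand; the script only covers the three entry types it parses.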
nico > verni29 Posted messages 6805 Status Security Contributor
 
I'm on the internet, and I have multiple ad windows popping up; I've never seen anything like this :s:s:s what can I do to avoid them??
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
You close those windows and run ComboFix (see previous message).
0
nico
 
I'll do it right away, our responses crossed each other...
0
nico
 
ComboFix 08-07-09.5 - Nicolas 2008-07-10 18:53:09.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1036.18.1794 [GMT 2:00]
Location: C:\Documents and Settings\Nicolas\Desktop\ComboFix.exe

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\wegtxqbq.ini
C:\WINDOWS\system32\xHiSYcfe.ini
C:\WINDOWS\system32\xHiSYcfe.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver

((((((((((((((((((((((((((((( Created files 2008-06-10 to 2008-07-10 ))))))))))))))))))))))))))))))))))))
.

2008-07-10 18:01 . 2008-07-10 18:01 <REP> d-------- C:\_OTMoveIt
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Documents and Settings\Nicolas\Application Data\Malwarebytes
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 14:31 . 2008-07-10 14:31 112,256 --a------ C:\WINDOWS\system32\zlacye.dll
2008-07-10 14:31 . 2008-07-10 14:31 112,256 --a------ C:\WINDOWS\system32\chhutcvr.dll
2008-07-10 14:31 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-10 14:31 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-10 04:41 . 2008-07-10 04:41 86 --a------ C:\WINDOWS\wininit.ini
2008-07-10 04:31 . 2008-07-10 04:31 <REP> d-------- C:\Program Files\Trend Micro
2008-07-10 03:41 . 2008-07-10 03:41 <REP> d-------- C:\Program Files\CCleaner
2008-07-10 03:32 . 2008-07-10 03:32 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 03:32 . 2008-07-10 04:08 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 03:20 . 2008-07-10 04:00 <REP> d-------- C:\Program Files\Registry Defender Platinum
2008-07-10 03:15 . 2008-07-10 03:15 112,256 --a------ C:\WINDOWS\system32\rsbfew.dll
2008-07-10 03:14 . 2008-07-10 03:15 112,256 --a------ C:\WINDOWS\system32\tnqyfeti.dll
2008-07-10 03:13 . 2008-07-10 03:14 318,208 --------- C:\WINDOWS\system32\efcYSiHx.dll
2008-07-10 02:08 . 2008-07-10 02:08 29,568 --------- C:\WINDOWS\system32\byXRlLEt.dll
2008-07-10 02:08 . 2006-03-02 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-08 11:19 . 2008-04-23 06:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-08 11:19 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-08 11:19 . 2007-03-08 07:10 1,048,576 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-08 11:19 . 2008-04-23 06:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-08 11:19 . 2008-04-23 06:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-08 11:19 . 2008-04-23 06:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-08 11:19 . 2008-04-23 06:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-08 11:19 . 2008-04-23 06:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-08 11:19 . 2008-04-22 09:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-08 11:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-08 11:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-08 11:14 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-08 01:41 . 2008-07-08 01:41 <REP> d-------- C:\Program Files\MSXML 4.0
2008-07-08 01:21 . 2008-06-14 19:59 272,768 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-08 01:21 . 2008-06-14 19:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-08 01:01 . 2008-07-08 01:01 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-07-08 00:57 . 2008-07-09 02:24 <REP> d-------- C:\WINDOWS\system32\fr-fr
2008-07-08 00:52 . 2008-07-09 16:30 <REP> d-------- C:\Program Files\eMule
2008-07-08 00:50 . 2008-07-08 00:51 14,771,744 --a------ C:\Program Files\IE7-WindowsXP-x86-fra.exe
2008-07-07 23:27 . 2008-07-07 23:27 <REP> d-------- C:\Program Files\Messenger Plus! Live
2008-07-07 23:26 . 2008-07-07 23:26 4,780,368 --a------ C:\Program Files\MsgPlusLive-460.exe
2008-07-07 23:14 . 2008-07-07 23:27 <REP> d-------- C:\Documents and Settings\Nicolas\Contacts
2008-07-07 23:00 . 2008-07-07 23:13 <REP> d-------- C:\Program Files\Windows Live
2008-07-07 23:00 . 2008-07-07 23:13 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 23:00 . 2008-07-07 23:00 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-07 22:54 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-07-07 22:54 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-07 22:54 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-07 22:54 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-07 22:54 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-07 22:52 . 2008-07-07 22:52 <REP> d--hs---- C:\Documents and Settings\Nicolas\UserData
2008-07-07 22:52 . 2008-07-07 22:52 2,402,832 --a------ C:\Program Files\WLinstaller.exe
2008-07-07 22:28 . 2004-10-13 16:12 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2008-07-07 22:24 . 2008-07-07 22:24 <REP> d-------- C:\Program Files\Wanadoo Messager
2008-07-07 22:24 . 2008-07-10 18:47 <REP> d-------- C:\Program Files\Wanadoo
2008-07-07 22:24 . 2008-07-07 22:24 <REP> d-------- C:\Program Files\Thomson
2008-07-07 22:24 . 2003-12-08 11:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2008-07-07 22:24 . 2003-12-08 11:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2008-07-07 22:24 . 2003-12-12 14:59 32,768 --a------ C:\WINDOWS\system32\ffJmpWeb.dll
2008-07-07 22:24 . 2003-12-08 11:53 5,606 --a------ C:\WINDOWS\system32\stci.dll
2008-07-07 22:24 . 2003-12-08 11:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2008-07-07 22:24 . 2003-12-08 11:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 16:49 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\OpenOffice.org2
2008-07-09 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-07 21:18 --------- d-----w C:\Program Files\Google
2008-07-07 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 20:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 18:03 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\U3
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 13:55 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-02 18:44 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Teleca
2008-06-01 22:34 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Apple Computer
2008-06-01 22:28 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Sony Ericsson
.

((((((((((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* The empty items & the legitimate initial items are not listed

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62a828f3-a84f-446b-8e80-00ba3081ba05}]
2008-07-10 14:31 112256 --a------ C:\WINDOWS\system32\zlacye.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}]
2008-07-10 02:08 29568 --------- C:\WINDOWS\system32\byXRlLEt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92FB130D-04A5-4FF9-9461-806D762EC666}]
2008-07-10 03:14 318208 --------- C:\WINDOWS\system32\efcYSiHx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-16 23:41 68856]
"Steam"="C:\Valve\Steam\Steam.exe" [2003-11-11 16:19 1081344]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 14:08 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-09-16 23:31 77824]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WooCnxMon"="C:\PROGRA~1\Wanadoo\CnxMon.exe" [2004-10-13 16:12 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2004-10-13 16:12 24576]
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" [2004-10-13 16:12 49152]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}"= "C:\WINDOWS\system32\byXRlLEt.dll" [2008-07-10 02:08 29568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRlLEt]
2008-07-10 02:08 29568 C:\WINDOWS\system32\byXRlLEt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S3 pnicml;pnicml;C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b0bbc9c-204b-11dd-8310-001a4d483381}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

.
Contents of 'Scheduled Tasks'
"2008-06-05 10:27:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)
HKLM-Run-DaemonTools_WhenUSave_Installer - C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
HKLM-Run-lphc3rnj0ecfn - C:\WINDOWS\system32\lphc3rnj0ecfn.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 18:58:14
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

**************************************************************************
.
--------------------- DLLs loaded under current processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\byXRlLEt.dll
.
------------------------ Other Running Processes ------------------------

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-10 19:02:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 17:01:30

Pre-Run: 144,583,319,552 bytes free
Post-Run: 144,551,432,192 bytes free

195 --- E O F --- 2008-07-09 11:25:58
0
verni29 Posted messages 6805 Status Security Contributor 180
 
I need to analyze the report.
In the meantime, please keep your computer turned off.

See you later (9 PM).

We need to eat well.

See you!
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
Ok, it works, I'll turn it off right away. I wanted to know, I read last night that this kind of virus attaches itself to the restore registry and that it’s better to uncheck system restore... but I didn’t do it because I was waiting to have someone "live" like you. However, ComboFix created a restore point, can the virus have attached itself to it then?
Enjoy your meal and have a good rest ^^
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Post me a HijackThis report, please.
I need it to go with the ComboFix report.

See you!
0
nico
 
New report, I hope it will be "beneficial" for you:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:31, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {50ab1803-ab00-08e8-b644-f48a3f828a26} - {62a828f3-a84f-446b-8e80-00ba3081ba05} - C:\WINDOWS\system32\zlacye.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\byXRlLEt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {92FB130D-04A5-4FF9-9461-806D762EC666} - C:\WINDOWS\system32\efcYSiHx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Wanadoo Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O9 - Extra 'Tools' menuitem: Wanadoo Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messager.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O20 - Winlogon Notify: byXRlLEt - C:\WINDOWS\SYSTEM32\byXRlLEt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6946 bytes
0
verni29 Posted messages 6805 Status Security Contributor 180
 
1) Close your browser.
Launch Hijackthis and choose "Do a system scan only".
Select the following lines:

O2 - BHO: {50ab1803-ab00-08e8-b644-f48a3f828a26} - {62a828f3-a84f-446b-8e80-00ba3081ba05} - C:\WINDOWS\system32\zlacye.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\byXRlLEt.dll
O2 - BHO: (no name) - {92FB130D-04A5-4FF9-9461-806D762EC666} - C:\WINDOWS\system32\efcYSiHx.dll
O2 - BHO: (no name) - {CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)
O20 - Winlogon Notify: byXRlLEt - C:\WINDOWS\SYSTEM32\byXRlLEt.dll

Choose the "Fix checked" option at the bottom of the page.

2) Open Notepad and select the following text.
Copy/paste this text into Notepad.
Save the file on the desktop and name it CFScript.txt.

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62a828f3-a84f-446b-8e80-00ba3081ba05}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92FB130D-04A5-4FF9-9461-806D762EC666}]
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRlLEt]

File::
C:\WINDOWS\system32\zlacye.dll
C:\WINDOWS\system32\chhutcvr.dll
C:\WINDOWS\system32\rsbfew.dll
C:\WINDOWS\system32\tnqyfeti.dll
C:\WINDOWS\system32\efcYSiHx.dll
C:\WINDOWS\system32\byXRlLEt.dll
C:\program files\IE7-WindowsXP-x86-fra.exe
C:\Program Files\MsgPlusLive-460.exe
C:\Program Files\WLinstaller.exe
C:\WINDOWS\system32\ffJmpWeb.dll
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys

Check that the ComboFix icon is also on the desktop; if not, download ComboFix again and save it on the desktop as well.
Drag and drop the script onto ComboFix. Follow the prompts.
Your desktop will disappear several times. That's normal.
Once the scan is complete, save the report and post it with a Hijackthis report.

See you!
0
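The selection logic behind the lines verni29 fixes above (O2 BHOs with no readable name or no file on disk, plus the O20 Winlogon Notify DLL that is also registered as a BHO and that the ComboFix report showed loaded inside winlogon.exe) can be mechanised. The following is an added example, not code from the thread and not part of HijackThis or ComboFix: it parses the O2 and O20 lines of the HijackThis log posted above (the sample is an excerpt copied from that log), flags the entries, and prints a CFScript using the same Registry:: and File:: layout as verni29's. The heuristics (missing or GUID-shaped BHO display name, every third-party Winlogon Notify entry, cross-reference between the two) are the editor's assumptions, and the output only covers what the HijackThis log shows; it omits the extra DLLs, the ShellExecuteHooks key and pnicml.sys that verni29 took from the earlier ComboFix report.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines and emit the
matching CFScript sections.  Added example for this thread; the heuristics
below are the editor's assumptions, not HijackThis or ComboFix logic."""
import re
from dataclasses import dataclass, field

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: an excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {50ab1803-ab00-08e8-b644-f48a3f828a26} - {62a828f3-a84f-446b-8e80-00ba3081ba05} - C:\WINDOWS\system32\zlacye.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\byXRlLEt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {92FB130D-04A5-4FF9-9461-806D762EC666} - C:\WINDOWS\system32\efcYSiHx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)
O20 - Winlogon Notify: byXRlLEt - C:\WINDOWS\SYSTEM32\byXRlLEt.dll
"""


@dataclass
class Finding:
    kind: str                 # "O2" or "O20"
    ident: str                # CLSID for O2, Notify subkey name for O20
    path: str                 # DLL path as printed, or "(no file)"
    reasons: list = field(default_factory=list)


def suspicious_bho_name(name: str) -> bool:
    # A legitimate BHO registers a readable display name; an empty slot or a
    # bare GUID in the name position is the pattern seen in this thread's log.
    n = name.strip()
    return n in ("", "(no name)") or GUID_RE.match(n) is not None


def triage(log: str) -> list:
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if suspicious_bho_name(m["name"]):
                reasons.append("no readable BHO name")
            if m["path"].strip() == "(no file)":
                reasons.append("CLSID registered but DLL missing")
            if reasons:
                findings.append(Finding("O2", m["clsid"], m["path"].strip(), reasons))
            continue
        m = O20_RE.match(line)
        if m:
            # HijackThis lists non-default Winlogon Notify DLLs; each one is
            # loaded into winlogon.exe, so every entry gets reviewed.
            findings.append(Finding("O20", m["key"], m["path"].strip(),
                                    ["third-party Winlogon Notify DLL loaded by winlogon.exe"]))
    # Cross-reference: a Notify DLL that is also a flagged BHO is the strongest
    # signal in the log (it is the byXRlLEt.dll case in this thread).
    o2_paths = {f.path.lower() for f in findings if f.kind == "O2"}
    for f in findings:
        if f.kind == "O20" and f.path.lower() in o2_paths:
            f.reasons.append("same DLL also registered as a BHO")
    return findings


def build_cfscript(findings: list) -> str:
    # Same layout as the CFScript posted in the thread: delete the BHO CLSID
    # keys and the Winlogon Notify subkey, then list the DLL files to remove.
    reg, files, seen = [], [], set()
    for f in findings:
        if f.kind == "O2":
            reg.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + f.ident + "]")
        else:
            reg.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                       "\\winlogon\\notify\\" + f.ident + "]")
        if f.path != "(no file)" and f.path.lower() not in seen:
            seen.add(f.path.lower())   # case-insensitive: system32 vs SYSTEM32
            files.append(f.path)
    return "Registry::\n\n" + "\n".join(reg) + "\n\nFile::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.kind, f.ident, f.path, "; ".join(f.reasons))
    print()
    print(build_cfscript(found))
```

The four BHOs verni29 selected are exactly the ones flagged, the legitimate Yahoo, Spybot, Java and Google helpers are not, and the O20 entry is upgraded by the cross-reference because its DLL matches a flagged BHO. The generated File:: list keeps one entry per DLL even though the O2 and O20 lines spell system32 differently.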
nico
 
So I don't do this in safe mode, if I understood correctly, okay. In the meantime, I sent you a link for the messages I receive from Spybot http://img170.imageshack.us/img170/2964/spybot1yy0.png see if it's important or not, I don't think it is, it's followed by a similar one for Daemon Tools and generally the famous Iphc... talk to you soon.
0
nico
 
I'm not sure if I managed to upload the file correctly :s:s, is it indicated in the execution window if it has been taken into account?
0
nico
 
Ok, I've started over and it worked well this time, it took it into account.
0
nico
 
ComboFix Report:

ComboFix 08-07-09.5 - Nicolas 2008-07-10 21:30:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1036.18.1648 [GMT 2:00]
Location: C:\Documents and Settings\Nicolas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nicolas\Desktop\CFScript.txt
* Creating a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!

FILE ::
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys
C:\program files\IE7-WindowsXP-x86-fra.exe
C:\Program Files\MsgPlusLive-460.exe
C:\Program Files\WLinstaller.exe
C:\WINDOWS\system32\byXRlLEt.dll
C:\WINDOWS\system32\chhutcvr.dll
C:\WINDOWS\system32\efcYSiHx.dll
C:\WINDOWS\system32\ffJmpWeb.dll
C:\WINDOWS\system32\rsbfew.dll
C:\WINDOWS\system32\tnqyfeti.dll
C:\WINDOWS\system32\zlacye.dll
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\program files\IE7-WindowsXP-x86-fra.exe
C:\Program Files\MsgPlusLive-460.exe
C:\Program Files\WLinstaller.exe
C:\WINDOWS\system32\byXRlLEt.dll
C:\WINDOWS\system32\chhutcvr.dll
C:\WINDOWS\system32\ffJmpWeb.dll
C:\WINDOWS\system32\rsbfew.dll
C:\WINDOWS\system32\tnqyfeti.dll

.
((((((((((((((((((((((((((((( Files created 2008-06-10 to 2008-07-10 ))))))))))))))))))))))))))))))))))))
.

2008-07-10 18:01 . 2008-07-10 18:01 <REP> d-------- C:\_OTMoveIt
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Documents and Settings\Nicolas\Application Data\Malwarebytes
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 14:31 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-10 14:31 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-10 04:41 . 2008-07-10 04:41 86 --a------ C:\WINDOWS\wininit.ini
2008-07-10 04:31 . 2008-07-10 04:31 <REP> d-------- C:\Program Files\Trend Micro
2008-07-10 03:41 . 2008-07-10 03:41 <REP> d-------- C:\Program Files\CCleaner
2008-07-10 03:32 . 2008-07-10 03:32 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 03:32 . 2008-07-10 04:08 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 03:20 . 2008-07-10 04:00 <REP> d-------- C:\Program Files\Registry Defender Platinum
2008-07-10 02:08 . 2006-03-02 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-08 11:19 . 2008-04-23 06:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-08 11:19 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-08 11:19 . 2007-03-08 07:10 1,048,576 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-08 11:19 . 2008-04-23 06:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-08 11:19 . 2008-04-23 06:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-08 11:19 . 2008-04-23 06:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-08 11:19 . 2008-04-23 06:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-08 11:19 . 2008-04-23 06:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-08 11:19 . 2008-04-22 09:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-08 11:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-08 11:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-08 11:14 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-08 01:41 . 2008-07-08 01:41 <REP> d-------- C:\Program Files\MSXML 4.0
2008-07-08 01:21 . 2008-06-14 19:59 272,768 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-08 01:21 . 2008-06-14 19:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-08 01:01 . 2008-07-08 01:01 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-07-08 00:57 . 2008-07-09 02:24 <REP> d-------- C:\WINDOWS\system32\fr-fr
2008-07-08 00:52 . 2008-07-09 16:30 <REP> d-------- C:\Program Files\eMule
2008-07-07 23:27 . 2008-07-07 23:27 <REP> d-------- C:\Program Files\Messenger Plus! Live
2008-07-07 23:14 . 2008-07-07 23:27 <REP> d-------- C:\Documents and Settings\Nicolas\Contacts
2008-07-07 23:00 . 2008-07-07 23:13 <REP> d-------- C:\Program Files\Windows Live
2008-07-07 23:00 . 2008-07-07 23:13 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 23:00 . 2008-07-07 23:00 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-07 22:54 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-07-07 22:54 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-07 22:54 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-07 22:54 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-07 22:54 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-07 22:52 . 2008-07-07 22:52 <REP> d--hs---- C:\Documents and Settings\Nicolas\UserData
2008-07-07 22:28 . 2004-10-13 16:12 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2008-07-07 22:24 . 2008-07-07 22:24 <REP> d-------- C:\Program Files\Wanadoo Messenger
2008-07-07 22:24 . 2008-07-10 21:04 <REP> d-------- C:\Program Files\Wanadoo
2008-07-07 22:24 . 2008-07-07 22:24 <REP> d-------- C:\Program Files\Thomson
2008-07-07 22:24 . 2003-12-08 11:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2008-07-07 22:24 . 2003-12-08 11:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2008-07-07 22:24 . 2003-12-08 11:53 5,606 --a------ C:\WINDOWS\system32\stci.dll
2008-07-07 22:24 . 2003-12-08 11:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2008-07-07 22:24 . 2003-12-08 11:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 16:49 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\OpenOffice.org2
2008-07-09 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-07 21:18 --------- d-----w C:\Program Files\Google
2008-07-07 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 20:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 18:03 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\U3
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 13:55 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-02 18:44 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Teleca
2008-06-01 22:34 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Apple Computer
2008-06-01 22:28 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Sony Ericsson
.

((((((((((((((((((((((((((((( snapshot@2008-07-10_19.01.13.95 )))))))))))))))))))))))))))))))))))))))))

- 2008-07-10 16:57:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 19:32:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 19:32:40 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_540.dat
.
((((((((((((((((((((((((((((((((( Registry Load Point )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty items & legitimate initial items are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-16 23:41 68856]
"Steam"="C:\Valve\Steam\Steam.exe" [2003-11-11 16:19 1081344]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 14:08 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-09-16 23:31 77824]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WooCnxMon"="C:\PROGRA~1\Wanadoo\CnxMon.exe" [2004-10-13 16:12 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2004-10-13 16:12 24576]
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" [2004-10-13 16:12 49152]
"DaemonTools_WhenUSave_Installer"="C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S3 pnicml;pnicml;C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b0bbc9c-204b-11dd-8310-001a4d483381}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 10:27:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{62a828f3-a84f-446b-8e80-00ba3081ba05} - (no file)
BHO-{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - (no file)
BHO-{CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 21:32:53
Windows 5.1.2600 Service Pack 2 NTFS

Scanning for hidden processes ...

Scanning hidden autostart entries ...

Scanning for hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Duration: 2008-07-10 21:36:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 19:35:47
ComboFix2.txt 2008-07-10 19:27:20
ComboFix3.txt 2008-07-10 17:02:36

Pre-Run: 144,528,109,568 bytes free
Post-Run: 144,499,118,080 bytes free

186 --- E O F --- 2008-07-09 11:25:58

Hijackthis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:31, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {50ab1803-ab00-08e8-b644-f48a3f828a26} - {62a828f3-a84f-446b-8e80-00ba3081ba05} - C:\WINDOWS\system32\zlacye.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\byXRlLEt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {92FB130D-04A5-4FF9-9461-806D762EC666} - C:\WINDOWS\system32\efcYSiHx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Wanadoo Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messenger.exe
O9 - Extra 'Tools' menuitem: Wanadoo Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messenger.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O20 - Winlogon Notify: byXRlLEt - C:\WINDOWS\SYSTEM32\byXRlLEt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner -
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Have you cleaned the HijackThis report?
It needed to be done before ComboFix.

Look at the previous message and redo the ComboFix cleanup.
Send me a new HijackThis report.

See you!
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
Arf, we keep running into each other!! By the time I repost the correct reports (I think), you, faster than lightning, had already replied to me... see message 48, everything should be in order, I await your feedback ;)
0
nico
 
PLEASE DISREGARD THE PREVIOUS MESSAGE, SORRY (I got mixed up in the files, there are so many of them now! sorry)

ComboFix report

ComboFix 08-07-09.5 - Nicolas 2008-07-10 21:30:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1036.18.1648 [GMT 2:00]
Location: C:\Documents and Settings\Nicolas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nicolas\Desktop\CFScript.txt
* Creating a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!

FILE ::
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys
C:\program files\IE7-WindowsXP-x86-fra.exe
C:\Program Files\MsgPlusLive-460.exe
C:\Program Files\WLinstaller.exe
C:\WINDOWS\system32\byXRlLEt.dll
C:\WINDOWS\system32\chhutcvr.dll
C:\WINDOWS\system32\efcYSiHx.dll
C:\WINDOWS\system32\ffJmpWeb.dll
C:\WINDOWS\system32\rsbfew.dll
C:\WINDOWS\system32\tnqyfeti.dll
C:\WINDOWS\system32\zlacye.dll
.

(((((((((((((((((((((((((((((((((((( Other removals ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\program files\IE7-WindowsXP-x86-fra.exe
C:\Program Files\MsgPlusLive-460.exe
C:\Program Files\WLinstaller.exe
C:\WINDOWS\system32\byXRlLEt.dll
C:\WINDOWS\system32\chhutcvr.dll
C:\WINDOWS\system32\ffJmpWeb.dll
C:\WINDOWS\system32\rsbfew.dll
C:\WINDOWS\system32\tnqyfeti.dll

.
((((((((((((((((((((((((((((( Files created 2008-06-10 to 2008-07-10 ))))))))))))))))))))))))))))))))))))
.

2008-07-10 18:01 . 2008-07-10 18:01 <REP> d-------- C:\_OTMoveIt
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Documents and Settings\Nicolas\Application Data\Malwarebytes
2008-07-10 14:31 . 2008-07-10 14:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 14:31 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-10 14:31 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-10 04:41 . 2008-07-10 04:41 86 --a------ C:\WINDOWS\wininit.ini
2008-07-10 04:31 . 2008-07-10 04:31 <REP> d-------- C:\Program Files\Trend Micro
2008-07-10 03:41 . 2008-07-10 03:41 <REP> d-------- C:\Program Files\CCleaner
2008-07-10 03:32 . 2008-07-10 03:32 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 03:32 . 2008-07-10 04:08 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 03:20 . 2008-07-10 04:00 <REP> d-------- C:\Program Files\Registry Defender Platinum
2008-07-10 02:08 . 2006-03-02 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-08 11:19 . 2008-04-23 06:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-08 11:19 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-08 11:19 . 2007-03-08 07:10 1,048,576 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-08 11:19 . 2008-04-23 06:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-08 11:19 . 2008-04-23 06:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-08 11:19 . 2008-04-23 06:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-08 11:19 . 2008-04-23 06:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-08 11:19 . 2008-04-23 06:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-08 11:19 . 2008-04-22 09:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-08 11:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-08 11:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-08 11:14 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-08 01:41 . 2008-07-08 01:41 <REP> d-------- C:\Program Files\MSXML 4.0
2008-07-08 01:21 . 2008-06-14 19:59 272,768 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-08 01:21 . 2008-06-14 19:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-08 01:01 . 2008-07-08 01:01 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-07-08 00:57 . 2008-07-09 02:24 <REP> d-------- C:\WINDOWS\system32\fr-fr
2008-07-08 00:52 . 2008-07-09 16:30 <REP> d-------- C:\Program Files\eMule
2008-07-07 23:27 . 2008-07-07 23:27 <REP> d-------- C:\Program Files\Messenger Plus! Live
2008-07-07 23:14 . 2008-07-07 23:27 <REP> d-------- C:\Documents and Settings\Nicolas\Contacts
2008-07-07 23:00 . 2008-07-07 23:13 <REP> d-------- C:\Program Files\Windows Live
2008-07-07 23:00 . 2008-07-07 23:13 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 23:00 . 2008-07-07 23:00 <REP> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-07 22:54 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-07-07 22:54 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-07 22:54 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-07 22:54 . 2007-07-30 19:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-07 22:54 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-07 22:52 . 2008-07-07 22:52 <REP> d--hs---- C:\Documents and Settings\Nicolas\UserData
2008-07-07 22:28 . 2004-10-13 16:12 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2008-07-07 22:24 . 2008-07-07 22:24 <REP> d-------- C:\Program Files\Wanadoo Messager
2008-07-07 22:24 . 2008-07-10 21:04 <REP> d-------- C:\Program Files\Wanadoo
2008-07-07 22:24 . 2008-07-07 22:24 <REP> d-------- C:\Program Files\Thomson
2008-07-07 22:24 . 2003-12-08 11:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2008-07-07 22:24 . 2003-12-08 11:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2008-07-07 22:24 . 2003-12-08 11:53 5,606 --a------ C:\WINDOWS\system32\stci.dll
2008-07-07 22:24 . 2003-12-08 11:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2008-07-07 22:24 . 2003-12-08 11:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 16:49 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\OpenOffice.org2
2008-07-09 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-07 21:18 --------- d-----w C:\Program Files\Google
2008-07-07 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 20:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 18:03 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\U3
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 13:55 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-02 18:44 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Teleca
2008-06-01 22:34 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Apple Computer
2008-06-01 22:28 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Sony Ericsson
.

((((((((((((((((((((((((((((( snapshot@2008-07-10_19.01.13.95 )))))))))))))))))))))))))))))))))))))))))

- 2008-07-10 16:57:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 19:32:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 19:32:40 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_540.dat
.
((((((((((((((((((((((((((((((((( Registry loading point )))))))))))))))))))))))))))))))))))))))))))))))))

.
REGEDIT4
*Note* empty items & legitimate initial items are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-16 23:41 68856]
"Steam"="C:\Valve\Steam\Steam.exe" [2003-11-11 16:19 1081344]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 14:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 14:08 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-09-16 23:31 77824]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WooCnxMon"="C:\PROGRA~1\Wanadoo\CnxMon.exe" [2004-10-13 16:12 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2004-10-13 16:12 24576]
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" [2004-10-13 16:12 49152]
"DaemonTools_WhenUSave_Installer"="C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S3 pnicml;pnicml;C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b0bbc9c-204b-11dd-8310-001a4d483381}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

.
Content of the 'Scheduled Tasks' folder
"2008-06-05 10:27:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

- - - - ORPHANS REMOVED - - - -

BHO-{62a828f3-a84f-446b-8e80-00ba3081ba05} - (no file)
BHO-{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - (no file)
BHO-{CD23F372-AD0F-4037-97E6-35AA41124A0D} - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 21:32:53
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-10 21:36:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 19:35:47
ComboFix2.txt 2008-07-10 19:27:20
ComboFix3.txt 2008-07-10 17:02:36

Pre-Run: 144,528,109,568 bytes free
Post-Run: 144,499,118,080 bytes free

186 --- E O F --- 2008-07-09 11:25:58

OK, the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:38:21, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Wanadoo Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messenger.exe
O9 - Extra 'Tools' menuitem: Wanadoo Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~1\Wanadoo Messenger.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation
0
verni29 Posted messages 6805 Status Security Contributor 180
 
I looked into Spybot.
Normally, it's the real-time protection module that's working (the tea timer --> a nice cup of tea would be nice :-) )
It's up to you to accept or not when you get these kinds of messages.
You have the option to create a rule, meaning that the next alert won't notify you.

You understand how it works.

The Hijackthis report is clean.
I have a question about Daemon Tools.

However, there are still infected files. ComboFix hasn't finished the job.

I'm starting to get tired (3 other infections similar to yours) and I'm going to stop here for today.

I suggest we meet tomorrow evening or this weekend.
What do you think?
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
I fully understand the workload that this represents... Personally, I will be available whenever you see fit, so if it has to be tomorrow evening, then it will be tomorrow evening ^^
One last question for Combofix: why didn't it finish the job? Do you have one last action for me to take or should I turn off the PC and not touch it again until further notice?
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
Yes, we'll see each other Saturday morning.

Run CCleaner to clear temporary files.
Reason:
C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys

Disable system restore points as well.

Anyway, avoid using the computer until Saturday.

See you Saturday.
0
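An added example, not something posted in this thread and not code from ComboFix or HijackThis: the checks verni29 is applying by eye to the service and Run entries in the ComboFix log above, written as a small Python triage script. It flags a binary that lives under a Temp directory, a .sys file registered as a driver outside system32\drivers, an empty timestamp block (read here as ComboFix having been unable to stat the file, i.e. it is already gone from disk) and a [BU] marker (read here as ComboFix having been unable to read the file's date and size). The sample lines are copied from the log above; the readings of `[]` and `[BU]`, the meaning assigned to the R/S prefix and start digit, and the regular expressions are assumptions of this example.

```python
"""Triage of service and Run entries from a ComboFix-style log.

Added example; not part of the thread and not ComboFix or HijackThis code.
Sample lines are copied from the ComboFix log in the thread.
"""
import re

# Constructed sample: three service lines and two HKLM\...\Run entries from the log.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S3 pnicml;pnicml;C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"DaemonTools_WhenUSave_Installer"="C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" [BU]
"""

# Service line: <R|S><Start value> <name>;<display name>;<image path> [<timestamp block>]
# (R = running, S = stopped, digit = the service's Start value; 3 = demand start).
# That reading of the prefix is an assumption of this example.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$')
# Run line: "<value name>"="<image path>" [<timestamp block>]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]$')
TEMP_RE = re.compile(r'\\te?mp\\', re.I)            # ...\Temp\... or ...\tmp\...
DRIVER_DIR_RE = re.compile(r'\\system32\\drivers\\', re.I)


def parse_entries(log_text):
    """Yield (kind, name, path, stamp) for each recognised line; other lines are skipped."""
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            yield ("service:" + m["start"], m["name"], m["path"], m["stamp"])
            continue
        m = RUN_RE.match(line)
        if m:
            yield ("run", m["name"], m["path"], m["stamp"])


def assess(kind, name, path, stamp):
    """Return the list of findings for one entry (empty list = nothing to flag)."""
    findings = []
    if TEMP_RE.search(path):
        findings.append("binary lives under a Temp directory: " + path)
    if path.lower().endswith(".sys") and not DRIVER_DIR_RE.search(path):
        findings.append("kernel driver registered from outside system32\\drivers")
    if kind.startswith("service") and stamp == "":
        # Assumption: an empty [] block means ComboFix could not stat the image,
        # i.e. the file is already missing from disk and the service key is an orphan.
        findings.append("empty timestamp block: image not found on disk (orphaned service)")
    if stamp == "BU":
        # Assumption: [BU] means ComboFix could not read the file's date and size.
        findings.append("[BU]: date/size of the binary could not be read")
    return findings


def triage(log_text):
    """Map entry name -> findings, only for entries with at least one finding."""
    report = {}
    for kind, name, path, stamp in parse_entries(log_text):
        findings = assess(kind, name, path, stamp)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name)
        for item in findings:
            print("   -", item)
```

On the sample, only pnicml and DaemonTools_WhenUSave_Installer are reported; the avast drivers and daemon.exe pass every check. The pnicml line is the one that matters for the advice in this thread: a kernel driver whose image sat in the user's Temp folder, with a Start value of 3 (any process allowed to start the service could load it), and whose file is already gone. That is why Temp is cleared (no stray copy left to reload) and System Restore is disabled before the cleanup: XP's restore points can keep a copy of such a file, and a later restore would bring it back.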
nico > verni29 Posted messages 6805 Status Security Contributor
 
Alright for Saturday, thanks for everything, have a good Friday, take care ;)
see you later
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
Just one last thing, how do I disable the restore points? Thanks, see you later!
0
nico
 
I should be available around 9 AM, just to let you know, so you don't wait for nothing. See you later
PS: I haven't touched the computer, it will be a surprise later ^^
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Hello, Nico

We're going to run two tools to perform a check-up on your PC.

1) Download DiagHelp to your desktop
http://www.malekal.com/download/DiagHelp.zip

Right-click on the file and extract all
- A folder named DiagHelp will be created
- Open it and double-click on go.cmd
- Choose option 1
- The analysis will start, this may take a few minutes, follow the prompts.
Important: after the catchme report, you will be asked to press a key to continue the scan.
Follow the prompts. A report will appear. This can be found at C:\resultat.txt
Copy/paste the content of the report into your next message.

2) Download Sreng (System Repair Engineer)
http://www.kztechs.com/eng/download.html

Extract all its contents to your Desktop
In the created folder, double-click on SREnLdr.exe.
Click on Smart Scan and then on Scan

When completed, click on the Save Reports button
Save the report to your Desktop
Copy/paste the content of SREnglLOG.log into your next response, please.

See you!
0
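An added example, written for this page and not part of the thread or of DiagHelp, catchme or KProcCheck: what the KProcCheck process list in the report that follows is for. KProcCheck enumerates processes by walking a kernel structure (KiWaitListHead) rather than asking the user-mode API, so the two lists can be compared: a process present in the kernel view but missing from the user-mode view is a candidate for a process-hiding rootkit. The script below does that comparison on two constructed lists taken from the HijackThis "Running processes" block and the KProcCheck block posted in this thread. It allows for KProcCheck's 15-character names (EPROCESS.ImageFileName is a 16-byte field, which is why AppleMobileDeviceService.exe appears as AppleMobileDevi) and excludes names expected only on the kernel side; that exclusion list is an assumption of this example.

```python
"""Cross-view comparison of a kernel-side and a user-mode process listing.

Added example: not part of this thread and not code from DiagHelp or KProcCheck.
Both listings are constructed subsets of the HijackThis 'Running processes'
block and the KProcCheck block posted in the thread.
"""
import collections
import ntpath
import re

# User-mode view: full image paths, as HijackThis prints them (constructed subset).
USERMODE_VIEW = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Kernel view: 'pid - name' lines from a KiWaitListHead walk (constructed subset).
KERNEL_VIEW = r"""
4 - System
732 - csrss.exe
756 - winlogon.exe
800 - services.exe
812 - lsass.exe
968 - svchost.exe
1016 - svchost.exe
1736 - AppleMobileDevi
1748 - explorer.exe
1764 - GoogleUpdaterSe
2312 - TeaTimer.exe
3052 - cmd.exe
"""

# EPROCESS.ImageFileName is 16 bytes (15 characters plus NUL); KProcCheck prints it as-is.
KPROC_NAME_LEN = 15

# Assumption of this example: names that legitimately show up only in the kernel view.
# 'System' is never listed by HijackThis; cmd.exe is the shell running DiagHelp's go.cmd.
EXPECTED_KERNEL_ONLY = {"system", "cmd.exe"}


def user_view_names(text):
    """Lower-cased executable base names from full paths, with multiplicity."""
    names = collections.Counter()
    for line in text.splitlines():
        line = line.strip()
        if line:
            names[ntpath.basename(line).lower()] += 1
    return names


def kernel_view_names(text):
    """(pid, lower-cased name) pairs from 'pid - name' lines."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^\s*(\d+)\s+-\s+(\S.*?)\s*$', line)
        if m:
            out.append((int(m.group(1)), m.group(2).lower()))
    return out


def matches(kernel_name, user_name):
    """Exact match, except that a full 15-character kernel name may be truncated."""
    if len(kernel_name) < KPROC_NAME_LEN:
        return kernel_name == user_name
    return user_name.startswith(kernel_name)


def cross_view(kernel_text, user_text):
    """Return (kernel-only [(pid, name)], user-only [name]) after pairing the two views."""
    remaining = collections.Counter(user_view_names(user_text))
    only_kernel = []
    for pid, kname in kernel_view_names(kernel_text):
        hit = next((u for u in remaining if remaining[u] > 0 and matches(kname, u)), None)
        if hit is None:
            only_kernel.append((pid, kname))
        else:
            remaining[hit] -= 1          # consume one instance (two svchost.exe pair twice)
    only_user = sorted(n for n, c in remaining.items() if c > 0)
    return only_kernel, only_user


def suspicious(kernel_text, user_text):
    """Kernel-only processes not on the expected list: leads to confirm, not verdicts."""
    only_kernel, _ = cross_view(kernel_text, user_text)
    return [(pid, n) for pid, n in only_kernel if n not in EXPECTED_KERNEL_ONLY]


if __name__ == "__main__":
    only_kernel, only_user = cross_view(KERNEL_VIEW, USERMODE_VIEW)
    print("kernel view only:", only_kernel)
    print("user-mode view only (not evidence; the kernel walk is incomplete):", only_user)
    print("to confirm with a second method:", suspicious(KERNEL_VIEW, USERMODE_VIEW))
```

The caveat a responder needs: the two captures in this thread are two days apart, and KProcCheck itself warns that under XP the KiWaitListHead walk does not show every process, so csrss.exe turning up as kernel-only here is capture skew (the first HijackThis log in the thread does list it), not hiding. A real cross-view check takes both views within seconds of each other and treats a kernel-only hit as a lead to confirm with an independent method (catchme's hidden-process scan, a handle-table walk), never as a verdict on its own; a user-mode-only entry such as smss.exe here means nothing, since the kernel walk is incomplete by design.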
nico
 
Hello, here are the 2 reports:
- the one from DiagHelp:

DiagHelp version v1.4 - http://www.malekal.com
executed on 12/07/2008 at 9:54:29.87

List of the latest files modified/created in windir\system32 and prefetch
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf -->12/07/2008 09:54:29
C:\WINDOWS\prefetch\CHCP.COM-18156052.pf -->12/07/2008 09:54:24
C:\WINDOWS\prefetch\GOOGLEUPDATER.EXE-2CAF5929.pf -->12/07/2008 09:54:18
C:\WINDOWS\prefetch\WINRAR.EXE-39C6DAD9.pf -->12/07/2008 09:53:16
C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf -->12/07/2008 09:52:34
C:\WINDOWS\prefetch\RUNDLL32.EXE-451FC2C0.pf -->12/07/2008 09:52:13
C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf -->12/07/2008 09:44:42
C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf -->12/07/2008 09:44:42
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf -->12/07/2008 09:44:42
C:\WINDOWS\prefetch\CONTROL.EXE-013DBFB5.pf -->10/07/2008 22:53:08

C:\WINDOWS\System32\drivers\mbamcatchme.sys -->07/07/2008 17:35:36
C:\WINDOWS\System32\drivers\mbam.sys -->07/07/2008 17:35:30
C:\WINDOWS\System32\drivers\tcpip.sys -->20/06/2008 12:45:13
C:\WINDOWS\System32\drivers\afd.sys -->20/06/2008 12:44:38
C:\WINDOWS\System32\drivers\tcpip6.sys -->20/06/2008 11:52:06
C:\WINDOWS\System32\drivers\bthport.sys -->14/06/2008 19:59:52
C:\WINDOWS\System32\drivers\aswSP.sys -->16/05/2008 01:20:32

C:\WINDOWS\System32\wpa.dbl -->12/07/2008 09:43:14
C:\WINDOWS\System32\67d5e971-.txt -->10/07/2008 18:39:41
C:\WINDOWS\System32\PerfStringBackup.INI -->08/07/2008 11:14:18
C:\WINDOWS\System32\perfh00C.dat -->08/07/2008 11:14:18
C:\WINDOWS\System32\perfh009.dat -->08/07/2008 11:14:18
C:\WINDOWS\System32\perfc00C.dat -->08/07/2008 11:14:18
C:\WINDOWS\System32\perfc009.dat -->08/07/2008 11:14:18
C:\WINDOWS\System32\FNTCACHE.DAT -->08/07/2008 02:48:56
C:\WINDOWS\System32\TZLog.log -->08/07/2008 01:44:19
C:\WINDOWS\System32\CONFIG.NT -->07/07/2008 22:36:32
C:\WINDOWS\System32\CmdLineExt03.dll -->06/07/2008 00:50:22
C:\WINDOWS\System32\MRT.exe -->25/06/2008 18:15:46
C:\WINDOWS\System32\mswsock.dll -->20/06/2008 19:41:06
C:\WINDOWS\System32\dnsapi.dll -->20/06/2008 19:41:06
C:\WINDOWS\System32\aswBoot.exe -->16/05/2008 01:24:43
C:\WINDOWS\System32\AvastSS.scr -->16/05/2008 01:12:36
C:\WINDOWS\System32\quartz.dll -->07/05/2008 07:15:36
C:\WINDOWS\System32\mshtml.dll -->23/04/2008 22:16:42
C:\WINDOWS\System32\wininet.dll -->23/04/2008 06:16:40
C:\WINDOWS\System32\webcheck.dll -->23/04/2008 06:16:40
C:\WINDOWS\System32\urlmon.dll -->23/04/2008 06:16:40
C:\WINDOWS\System32\url.dll -->23/04/2008 06:16:40
C:\WINDOWS\System32\pngfilt.dll -->23/04/2008 06:16:40
C:\WINDOWS\System32\occache.dll -->23/04/2008 06:16:40
C:\WINDOWS\System32\mstime.dll -->23/04/2008 06:16:40

C:\WINDOWS\0.log -->12/07/2008 09:43:18
C:\WINDOWS\WindowsUpdate.log -->12/07/2008 09:43:17
C:\WINDOWS\bootstat.dat -->12/07/2008 09:43:12
C:\WINDOWS\SchedLgU.Txt -->10/07/2008 22:53:34
C:\WINDOWS\system.ini -->10/07/2008 21:32:51
C:\WINDOWS\wininit.ini -->10/07/2008 04:41:39
C:\WINDOWS\NeroDigital.ini -->10/07/2008 01:31:45
C:\WINDOWS\QTFont.qfn -->09/07/2008 14:55:19
C:\WINDOWS\win.ini -->07/02/2008 19:39:15
C:\WINDOWS\BricoPackUninst.txt -->17/09/2007 00:13:06
C:\WINDOWS\BricoPackUninst.cmd -->17/09/2007 00:13:06
C:\WINDOWS\BricoPackFoldersDelete.cmd -->17/09/2007 00:13:06
C:\WINDOWS\BricoPack Wallpaper.bmp -->17/09/2007 00:12:56
C:\WINDOWS\QTFont.for -->16/09/2007 23:23:41
C:\WINDOWS\HideWin.exe -->11/09/2007 16:00:43

winlogon.exe
Verified: Signed
svchost.exe
Verified: Signed
ws2_32.dll
Verified: Signed
user32.dll
Verified: Signed
tcpip.sys
Verified: Signed
ndis.sys
Verified: Signed
null.sys
Verified: Signed

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
explorer.exe pid: 1748
Command line: C:\WINDOWS\Explorer.EXE

Base Size Version Path
0x44080000 0xd0000 7.00.6000.16674 C:\WINDOWS\system32\WININET.dll
0x00400000 0x9000 6.00.5441.0000 C:\WINDOWS\system32\Normaliz.dll
0x43e00000 0x45000 7.00.6000.16674 C:\WINDOWS\system32\iertutil.dll
0x58b50000 0x9a000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
0x76f80000 0x7f000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL
0x77000000 0xd4000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll
0x4c5a0000 0x18000 9.00.0000.3250 C:\PROGRA~1\WINDOW~2\wmpband.dll
0x76ac0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
0x7d200000 0x2be000 3.01.4000.4039 C:\WINDOWS\system32\msi.dll
0x44360000 0x5cd000 7.00.6000.16674 C:\WINDOWS\system32\ieframe.dll
0x44160000 0x127000 7.00.6000.16674 C:\WINDOWS\system32\urlmon.dll
0x442b0000 0x3c000 7.00.6000.16674 C:\WINDOWS\system32\webcheck.dll
0x02150000 0x187000 1.06.0000.0012 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
0x43ff0000 0xa000 7.00.6000.16674 C:\WINDOWS\system32\jsproxy.dll
0x74730000 0x3d000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll
0x015d0000 0x18000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll
0x61c20000 0x54000 8.00.0000.9118 C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll
0x5fc70000 0x18000 8.00.0000.9107 C:\Program Files\OpenOffice.org 2.2\program\uwinapi.dll
0x7c340000 0x56000 7.10.3052.0004 C:\Program Files\OpenOffice.org 2.2\program\MSVCR71.dll
0x61740000 0x8e000 4.05.2003.0120 C:\Program Files\OpenOffice.org 2.2\program\stlport_vc7145.dll
0x7c3a0000 0x7b000 7.10.3077.0000 C:\Program Files\OpenOffice.org 2.2\program\MSVCP71.dll
0x10000000 0x1c000 7.00.0000.0000 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
0x00ed0000 0x2d000 C:\Program Files\WinRAR\rarext.dll
0x00e10000 0x8000 1.00.0000.0000 C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
0x64f00000 0x12000 4.08.1201.0000 C:\Program Files\Alwil Software\Avast4\ashShell.dll
0x03350000 0x836000 6.14.0011.6218 C:\WINDOWS\system32\nvcpl.dll
0x74bf0000 0x2c000 4.02.5406.0000 C:\WINDOWS\system32\OLEACC.dll
0x76010000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll
0x03b90000 0x45000 6.14.0011.6218 C:\WINDOWS\system32\NVRSFR.DLL
0x03be0000 0x5a000 6.14.0011.6218 C:\WINDOWS\system32\nvapi.dll
0x03c40000 0x73000 6.14.0010.12002 C:\WINDOWS\system32\nvshell.dll
0x60980000 0x7000 3.01.4000.1823 C:\WINDOWS\system32\MSISIP.DLL
0x74e10000 0x10000 5.06.0000.8820 C:\WINDOWS\system32\wshext.dll
0x73d20000 0xfe000 6.02.4131.0000 C:\WINDOWS\system32\MFC42.DLL
0x61d70000 0xe000 6.00.8665.0000 C:\WINDOWS\system32\MFC42LOC.DLL
0x59000000 0xe000 5.06.0000.6626 C:\WINDOWS\system32\wshFR.DLL

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
winlogon.exe pid: 756
Command line: winlogon.exe

Base Size Version Path
0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe
0x58b50000 0x9a000 5.82.2900.2982 C:\WINDOWS\system32\COMCTL32.dll
0x74730000 0x3d000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll
0x20000000 0x18000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll
0x76ac0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
0x77000000 0xd4000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll
0x76f80000 0x7f000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL

The volume in drive C has no label.
The volume serial number is 6CF6-2DA0

Directory of C:\WINDOWS\system32

02/03/2006 14:00 6,144 csrss.exe
1 file(s) 6,144 bytes
0 Dir(s) 145,096,974,336 bytes free

Contents of Downloaded Program Files
The volume in drive C has no label.
The volume serial number is 6CF6-2DA0

Directory of C:\WINDOWS\Downloaded Program Files

07/07/2008 23:17 <DIR> .
07/07/2008 23:17 <DIR> ..
11/09/2007 15:48 65 desktop.ini
24/03/2008 19:33 1,527,056 FP_AX_CAB_INSTALLER.exe
24/03/2008 19:18 247 swflash.inf
30/07/2007 19:24 293 wuweb.inf
4 file(s) 1,527,661 bytes

Total listed files:
4 file(s) 1,527,661 bytes
2 Dir(s) 145,096,974,336 bytes free

Searching for rootkits! (Thank you S!Ri)

Searching for known infections

Export of sensitive keys..

List of exceptions on the XP SP2 firewall

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Valve\\Condition Zero\\czero.exe"="C:\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Export of the SharedTaskScheduler key

[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui Preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Category Cache Demon"

exports of policies
REGEDIT4

[system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableRegistryTools"=dword:00000000
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000
"HideStartupScripts"=dword:00000000

Export of sensitive keys..
Search for sensitive addresses in the HOSTS file...
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 09:54:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:4fc02f53
"s2"=dword:9f0a7575
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:de,79,dc,58,ce,b5,c3,98,63,44,e0,cb,09,e6,13,44,7b,3f,28,e4,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,fd,2a,af,03,1a,53,b3,75,c5,ac,c3,08,ab,d4,5b,45,03,..
"khjeh"=hex:ae,01,5e,0b,c3,ee,f8,b5,5f,26,36,02,af,ae,22,49,e7,b8,cc,b6,a3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:54,af,84,2e,29,36,52,b1,7c,4e,a8,d1,27,e9,ee,2f,ff,fd,09,e7,e3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:29,32,2e,5d,e1,30,08,82,7e,23,bf,c5,04,7d,f9,6d,53,1b,c1,92,9b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:97,07,10,c2,0c,28,1b,d2,ca,1f,cd,2c,85,02,e4,21,0e,bb,5a,74,4e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:de,79,dc,58,ce,b5,c3,98,63,44,e0,cb,09,e6,13,44,7b,3f,28,e4,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,fd,2a,af,03,1a,53,b3,75,c5,ac,c3,08,ab,d4,5b,45,03,..
"khjeh"=hex:ae,01,5e,0b,c3,ee,f8,b5,5f,26,36,02,af,ae,22,49,e7,b8,cc,b6,a3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:54,af,84,2e,29,36,52,b1,7c,4e,a8,d1,27,e9,ee,2f,ff,fd,09,e7,e3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:29,32,2e,5d,e1,30,08,82,7e,23,bf,c5,04,7d,f9,6d,53,1b,c1,92,9b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:97,07,10,c2,0c,28,1b,d2,ca,1f,cd,2c,85,02,e4,21,0e,bb,5a,74,4e,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden services: 0
hidden files: 0

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Process list by traversal of KiWaitListHead

4 - System
224 - ashMaiSv.exe
416 - ashWebSv.exe
624 - alg.exe
732 - csrss.exe
756 - winlogon.exe
800 - services.exe
812 - lsass.exe
968 - svchost.exe
1016 - svchost.exe
1056 - svchost.exe
1136 - svchost.exe
1172 - svchost.exe
1344 - ashServ.exe
1736 - AppleMobileDevi
1748 - explorer.exe
1764 - GoogleUpdaterSe
1800 - nvsvc32.exe
2144 - RTHDCPL.exe
2228 - CnxMon.exe
2240 - dragdiag.exe
2256 - TaskBarIcon.exe
2268 - ctfmon.exe
2276 - GoogleToolbarNo
2304 - msnmsgr.exe
2312 - TeaTimer.exe
3052 - cmd.exe

Total number of processes = 27
NOTE: Under WinXP, this will not show all processes.

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Driver/Module list by traversal of PsLoadedModuleList

804D7000 - \WINDOWS\system32\ntkrnlpa.exe
806E2000 - \WINDOWS\system32\hal.dll
BADA8000 - \WINDOWS\system32\KDCOM.DLL
BACB8000 - \WINDOWS\system32\BOOTVID.dll
BA6D0000 - sptd.sys
BADAA000 - \WINDOWS\System32\Drivers\WMILIB.SYS
BA6B8000 - \WINDOWS\System32\Drivers\SCSIPORT.SYS
BA689000 - ACPI.sys
BA678000 - pci.sys
BA8A8000 - isapnp.sys
BAE70000 - pciide.sys
BAB28000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
BA8B8000 - MountMgr.sys
BA659000 - ftdisk.sys
BAB30000 - PartMgr.sys
BA8C8000 - VolSnap.sys
BA641000 - atapi.sys
BA8D8000 - jraid.sys
BA8E8000 - disk.sys
BA8F8000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
BA621000 - fltMgr.sys
BA60A000 - KSecDD.sys
BA57D000 - Ntfs.sys
BA550000 - NDIS.sys
BA535000 - Mup.sys
BADAC000 - JGOGO.sys
BAA28000 - \SystemRoot\system32\DRIVERS\intelppm.sys
B9ACB000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys
B9AB7000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
BABC0000 - \SystemRoot\system32\DRIVERS\usbuhci.sys
B9A94000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS
BABC8000 - \SystemRoot\system32\DRIVERS\usbehci.sys
B9A6F000 - \SystemRoot\system32\DRIVERS\HDAudBus.sys
B9A58000 - \SystemRoot\system32\DRIVERS\Rtenicxp.sys
BABD0000 - \SystemRoot\system32\DRIVERS\fdc.sys
B9A47000 - \SystemRoot\system32\DRIVERS\serial.sys
BAD9C000 - \SystemRoot\system32\DRIVERS\serenum.sys
B9A33000 - \SystemRoot\system32\DRIVERS\parport.sys
BAA38000 - \SystemRoot\system32\DRIVERS\i8042prt.sys
BABD8000 - \SystemRoot\system32\DRIVERS\mouclass.sys
BABE0000 - \SystemRoot\system32\DRIVERS\kbdclass.sys
BAA48000 - \SystemRoot\system32\DRIVERS\imapi.sys
BAA58000 - \SystemRoot\system32\DRIVERS\cdrom.sys
BAA68000 - \SystemRoot\system32\DRIVERS\redbook.sys
B9A10000 - \SystemRoot\system32\DRIVERS\ks.sys
B99C6000 - \SystemRoot\System32\Drivers\acn8ehko.SYS
BAFF5000 - \SystemRoot\system32\DRIVERS\audstub.sys
BAA78000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys
BA4F5000 - \SystemRoot\system32\DRIVERS\ndistapi.sys
B9991000 - \SystemRoot\system32\DRIVERS\ndiswan.sys
BAA88000 - \SystemRoot\system32\DRIVERS\raspppoe.sys
BAA98000 - \SystemRoot\system32\DRIVERS\raspptp.sys
BAC30000 - \SystemRoot\system32\DRIVERS\TDI.SYS
B9980000 - \SystemRoot\system32\DRIVERS\psched.sys
BAAA8000 - \SystemRoot\system32\DRIVERS\msgpc.sys
BAC38000 - \SystemRoot\system32\DRIVERS\ptilink.sys
BAC40000 - \SystemRoot\system32\DRIVERS\raspti.sys
BAAD8000 - \SystemRoot\system32\DRIVERS\termdd.sys
BADC2000 - \SystemRoot\system32\DRIVERS\swenum.sys
B9927000 - \SystemRoot\system32\DRIVERS\update.sys
BA4E9000 - \SystemRoot\system32\DRIVERS\mssmbios.sys
BAAF8000 - \SystemRoot\System32\Drivers\NDProxy.SYS
BAB18000 - \SystemRoot\system32\DRIVERS\usbhub.sys
BADC4000 - \SystemRoot\system32\DRIVERS\USBD.SYS
B6309000 - \SystemRoot\system32\drivers\RtkHDAud.sys
B62E7000 - \SystemRoot\system32\drivers\portcls.sys
BA928000 - \SystemRoot\system32\drivers\drmk.sys
BAC70000 - \SystemRoot\system32\DRIVERS\flpydisk.sys
BADF0000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
BAF1D000 - \SystemRoot\System32\Drivers\Null.SYS
BADF2000 - \SystemRoot\System32\Drivers\Beep.SYS
BAC88000 - \SystemRoot\System32\drivers\vga.sys
BADF4000 - \SystemRoot\System32\Drivers\mnmdd.SYS
BADF6000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
BAC90000 - \SystemRoot\System32\Drivers\Msfs.SYS
BAC98000 - \SystemRoot\System32\Drivers\Npfs.SYS
B6773000 - \SystemRoot\system32\DRIVERS\rasacd.sys
B6264000 - \SystemRoot\system32\DRIVERS\ipsec.sys
B620C000 - \SystemRoot\system32\DRIVERS\tcpip.sys
BA998000 - \SystemRoot\System32\Drivers\aswTdi.SYS
B61EB000 - \SystemRoot\system32\DRIVERS\ipnat.sys
B61C3000 - \SystemRoot\system32\DRIVERS\netbt.sys
BA9A8000 - \SystemRoot\system32\DRIVERS\wanarp.sys
B61A1000 - \SystemRoot\System32\drivers\afd.sys
BA9B8000 - \SystemRoot\system32\DRIVERS\netbios.sys
B6176000 - \SystemRoot\system32\DRIVERS\rdbss.sys
B6107000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
BA9C8000 - \SystemRoot\System32\Drivers\Fips.SYS
B60F0000 - \SystemRoot\System32\Drivers\aswSP.SYS
BACA8000 - \SystemRoot\System32\Drivers\Aavmker4.SYS
BA9E8000 - \SystemRoot\System32\Drivers\Cdfs.SYS
BA9F8000 - \SystemRoot\system32\DRIVERS\alcaudsl.sys
BAE00000 - \SystemRoot\system32\DRIVERS\alcawh.sys
BAF65000 - \SystemRoot\system32\DRIVERS\alcacr.sys
BAB40000 - \SystemRoot\system32\DRIVERS\usbccgp.sys
BAA08000 - \SystemRoot\system32\DRIVERS\alcan5wn.sys
BAA18000 - \SystemRoot\system32\drivers\usbaudio.sys
BABA0000 - \SystemRoot\system32\DRIVERS\USBSTOR.SYS
B6010000 - \SystemRoot\System32\Drivers\dump_atapi.sys
BAE34000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS
BF800000 - \SystemRoot\System32\win32k.sys
BA505000 - \SystemRoot\System32\drivers\Dxapi.sys
BABA8000 - \SystemRoot\System32\watchdog.sys
BF9C3000 - \SystemRoot\System32\drivers\dxg.sys
BAEEF000 - \SystemRoot\System32\drivers\dxgthk.sys
BF9D5000 - \SystemRoot\System32\nv4_disp.dll
BAC20000 - \SystemRoot\system32\DRIVERS\aswFsBlk.sys
B5D24000 - \SystemRoot\system32\DRIVERS\ndisuio.sys
B5BA2000 - \SystemRoot\System32\Drivers\aswMon2.SYS
B59BE000 - \SystemRoot\system32\DRIVERS\mrxdav.sys
BADD0000 - \SystemRoot\System32\Drivers\ParVdm.SYS
B5854000 - \SystemRoot\system32\DRIVERS\srv.sys
B5817000 - \SystemRoot\system32\drivers\wdmaud.sys
B5AAA000 - \SystemRoot\system32\drivers\sysaudio.sys
B5A1A000 - \SystemRoot\System32\Drivers\aswRdr.SYS
B5264000 - \SystemRoot\System32\Drivers\HTTP.sys
B4FB9000 - \SystemRoot\system32\drivers\kmixer.sys
B4EF4000 - \SystemRoot\System32\Drivers\Fastfat.SYS
BAEEC000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

Total number of drivers = 119

List of installed programs

Adobe Flash Player ActiveX
Adobe Reader 7.0.8 - French
Age of Empires III
Age of Empires III
AntivirXP08
Apple Mobile Device Support
Apple Software Update
WinRAR Archiver
avast! Antivirus
CCleaner (remove only)
Patch for
0
verni29 Posted messages 6805 Status Security Contributor 180
 
Hello, Nico

While I'm looking at the 2 reports, could you restart MalwareBytes (as a precaution)?

Here’s the procedure:

You've already downloaded the software and it's installed.

Restart the computer in safe mode (press F8 after rebooting).
Choose your user account.

To launch MalwareBytes, double-click on the shortcut on the desktop.

In the Search tab, select Run a full scan.
Click on search. Only select the hard drives of the computer.
Click on start the scan.

At the end of the search, as requested, click on view search results.
Then choose Deselect to clean the infections.
Post the report in your next message.
If you can't find it, open MalwareBytes and check in the Report/Logs tab. It's there.
Click on it and choose open.

See you soon.
0
nico > verni29 Posted messages 6805 Status Security Contributor
 
Malware report, 3 infected files, which I deleted before emptying the quarantine:

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

11:28:01 12/07/2008
mbam-log-7-12-2008 (11-28-01).txt

Search type: Full scan (C:\|)
Items scanned: 109335
Elapsed time: 1 hour(s), 3 minute(s), 10 second(s)

Infected memory processes: 0
Infected memory modules: 0
Infected Registry keys: 1
Infected Registry values: 0
Infected data elements in the Registry: 0
Infected folders: 0
Infected files: 3

Infected memory processes:
(No harmful items detected)

Infected memory modules:
(No harmful items detected)

Infected Registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof (Rootkit.Agent) -> Quarantined and deleted successfully.

Infected Registry values:
(No harmful items detected)

Infected data elements in the Registry:
(No harmful items detected)

Infected folders:
(No harmful items detected)

Infected files:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080710-211540-240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080710-211540-427.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\byXRlLEt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
Well, the infections found were not (backup or quarantine from Combofix).

I will give you instructions to clean the PC afterward.

A word about two programs that have been installed on your computer:
- AntivirXP08 should be removed by Malwarebytes.
- Malware protector by Combofix (that's done).
These are rogues (fake antispywares).
It is unnecessary and risky to install any other protection than the ones we will put in place.

There are plenty of fake sites for this type of product.
You must be careful.

One last thing before the cleanup:

Double-click on OTMoveIt.exe to launch it.
Copy the list found in the quote below and paste it into the left box of OTMoveIt under Paste List of Files/Folders to move.

C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys

Click on MoveIt! to start the deletion.
The result will appear in the "Results" box.
Click on Exit to close it.
Post the report located in C:\_OTMoveIt\MovedFiles.

Can you tell me how the PC is behaving?

Talk later.
0
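As an added example (not code from the thread, from Malwarebytes or from any tool mentioned here): a small Python parser for the Malwarebytes log format nico posted, which then sorts each finding the way verni29 reads it, into inert residue sitting in another tool's backup or quarantine folder (HijackThis backups, ComboFix's QooBox) versus live detections, and flags any item whose action is not a completed deletion. The sample log is constructed and uses the section labels as they appear on this page; the `example-pending.dll` entry is invented to show the pending case.

```python
import re

# Constructed sample modelled on the Malwarebytes' Anti-Malware 1.20 log quoted in
# the thread; labels are the ones shown on this page, not verbatim tool output.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.20
Database version: 935

Infected Registry keys: 1
Infected files: 3

Infected memory processes:
(No harmful items detected)

Infected Registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof (Rootkit.Agent) -> Quarantined and deleted successfully.

Infected files:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080710-211540-240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\byXRlLEt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example-pending.dll (Trojan.Vundo) -> Delete on reboot.
"""

# Section headers end with ":" and carry no count; detection lines end with "-> <action>".
HEADER_RE = re.compile(r"^(?P<section>Infected .+):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Folders where other cleanup tools park inert copies of files they already removed.
QUARANTINE_MARKERS = ("\\hijackthis\\backups\\", "\\qoobox\\quarantine\\")


def parse_mbam_log(text):
    """Return one dict (section, path, family, action) per detection line."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            items.append({"section": section, **item.groupdict()})
    return items


def triage(items):
    """Separate quarantine/backup residue from live findings; flag unfinished actions."""
    result = {"residue": [], "live": [], "pending": []}
    for it in items:
        bucket = "residue" if any(m in it["path"].lower() for m in QUARANTINE_MARKERS) else "live"
        result[bucket].append(it["path"])
        if "deleted successfully" not in it["action"].lower():
            result["pending"].append(it["path"])
    return result


if __name__ == "__main__":
    for name, paths in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(name, paths)
```

Anything left in "live" or "pending" is what a helper would actually want to look at; the residue entries only mean the earlier tool's leftovers were cleared.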
nico > verni29 Posted messages 6805 Status Security Contributor
 
MoveIt! report:

File/Folder C:\DOCUME~1\Nicolas\LOCALS~1\Temp\pnicml.sys not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07122008_115023

What do you mean by "computer behavior"?

How can I get Malware to remove antivirXP08?
0
verni29 Posted messages 6805 Status Security Contributor 180 > nico
 
Can you check in add/remove programs if AntiVirXP08 is present?
Don't try to uninstall it.

Have you used this software?
0