Again the CiD

doudoudim Posted messages 16 Status Membre -  
Hello,
Like many people, I have issues with ads from CiD that flood my screen and slow down my connection as soon as I turn on my computer. It is connected via Wi-Fi. After some research, I noticed that many people were talking about the Hijackthis report, so here is my report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:41, on 23/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\s3trayp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orange\AntivirusFirewall\FSGUI\fsguidll.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\users\doudoudim\appdata\local\mgkqi.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\doudoudim\Documents\Mes fichiers reçus\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Help for Adobe PDF Reader link - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Orange\AntivirusFirewall\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [VcTrust] "C:\ProgramData\Drivevgavga.im8lrz6"
O4 - HKCU\..\Run: [Store file readme bash] "C:\ProgramData\Bore Shim Cool.m3zmi"
O4 - HKCU\..\Run: [mgkqi] c:\users\doudoudim\appdata\local\mgkqi.exe mgkqi
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://copainsdavant.linternaute.com/html_include_bibliotheque/objimageuploader/5.0.15.0/ImageUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5287 bytes

Can someone tell me what to do now because I'm not a computer pro?

Thank you to all Internet users in advance.
Configuration: Windows Vista Internet Explorer 7.0

13 replies

jlpjlp Posted messages 52399 Status Contributeur sécurité 5 041
 
Hi

for the CiD that we see here

O4 - HKCU\..\Run: [VcTrust] "C:\ProgramData\Drivevgavga.im8lrz6"
O4 - HKCU\..\Run: [Store file readme bash] "C:\ProgramData\Bore Shim Cool.m3zmi"

do this

Download Lop S&D.exe to your Desktop: https://77b4795d-a-62cb3a1a-s-sites.googlegroups.com/site/eric71mespages/LopSD.exe?attachauth=ANoY7co3ntqUavpZ3q1BG-h4pc13vqDZmhcNeEPChtsyrgAykRbhE8bZzhk979EfQD4AgwtQUHCaQ7ZQwNYMo3_0kA8htAspckDJtu2K5t6J9z6dLW4fpZyH4FpFL1tVMBZ8H-KnN7afZ5vt-WxZRpnynk-a0XmV_Y0C0q6DxGEDKie1TnPT7gFoZnoCnspzBmbW6ZzxA4fNr3oEDlbelNZON-LjF8nOmQ%3D%3D&attredirects=2

* Double-click on it to start the installation
* Then double-click on the Lop S&D shortcut present on your Desktop
* Select the desired language, then choose option 1 (Search)
* Wait until the scan is complete
* Post the generated report (C:\lopR.txt)

_________

then for the navipromo infection removed by malwarebytes:
here
O4 - HKCU\..\Run: [mgkqi] c:\users\doudoudim\appdata\local\mgkqi.exe mgkqi

do this just in case:

Disable User Account Control (you will reactivate it after your disinfection):

- Go to start then control panel
- Double click on the "User Accounts" icon
- Then click on disable and confirm.

Now download Navilog1 from this link:

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Save the target (of the link) as... and save it on your desktop.
Then double click on navilog1.exe to start the installation.
Once the installation is complete, right-click on the Navilog1 shortcut present on your desktop and choose "Run as administrator".

In the main menu, select option 1
Let yourself be guided and wait.
Wait until the message:
*** Analysis Completed ..... ***
Press a key and the notepad will open.
Copy and paste the entire report into a reply.
Close the notepad
The report fixnavi.txt is also saved in %systemdrive%.
1
cruchot10 Posted messages 262 Status Membre 27
 
Hello

Fix the following lines

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKCU\..\Run: [VcTrust] "C:\ProgramData\Drivevgavga.im8lrz6"
O4 - HKCU\..\Run: [Store file readme bash] "C:\ProgramData\Bore Shim Cool.m3zmi"
O4 - HKCU\..\Run: [mgkqi] c:\users\doudoudim\appdata\local\mgkqi.exe mgkqi

Then download Malwarebytes Anti-Malware, install it, update it, start your PC in safe mode, run a full scan, and delete what it found. Also delete the files in quarantine, restart your PC normally, and that should be fine. Then come back to the forum and let us know how it goes.
0
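Added here as a worked example, not part of this thread and not code from HijackThis, Lop S&D or Navilog: a small Python script that parses the O4 autorun lines of a HijackThis log and applies the two checks the helpers in the two posts above are doing by eye when they single out the VcTrust, "Store file readme bash" and mgkqi entries: an autorun that points at a file with a made-up extension, or at an executable launched from a data directory such as ProgramData or the user's AppData. The sample lines are copied from the first log in this thread; the function names, the extension list and the directory list are my own assumptions, not anything HijackThis defines, and only HKLM/HKCU Run entries are handled.

```python
import ntpath
import re
from dataclasses import dataclass, field

# O4 lines as HijackThis prints them, e.g.
#   O4 - HKCU\..\Run: [VcTrust] "C:\ProgramData\Drivevgavga.im8lrz6"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"')                      # "C:\path with spaces\x.exe" args
UNQUOTED_RE = re.compile(r'^(?P<path>.*?\.[A-Za-z0-9]+)(?:\s|$)')  # C:\path\x.exe args

# Assumed lists (my choice, not a HijackThis convention): extensions Windows will
# actually execute from a Run key, and directories where a legitimate installer
# rarely drops its autostart binary.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".dll", ".vbs", ".js"}
DATA_DIRS = ("\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Return a RunEntry for an HKLM/HKCU Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    pm = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    path = pm.group("path") if pm else cmd
    return RunEntry(m.group("hive"), m.group("name"), cmd, path)


def triage(entry: RunEntry) -> RunEntry:
    """Attach a human-readable reason for each heuristic the entry trips."""
    ext = ntpath.splitext(entry.path)[1].lower()
    if ext not in EXEC_EXTENSIONS:
        entry.reasons.append(f"non-standard extension {ext!r}")
    if any(d in entry.path.lower() for d in DATA_DIRS):
        entry.reasons.append("launched from a data directory")
    return entry


def suspicious_autoruns(log_lines):
    """Parse every O4 Run line and keep only the entries that tripped a heuristic."""
    flagged = []
    for line in log_lines:
        entry = parse_o4(line)
        if entry and triage(entry).reasons:
            flagged.append(entry)
    return flagged


# Sample input: O4 lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide',
    r'O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe',
    r'O4 - HKCU\..\Run: [VcTrust] "C:\ProgramData\Drivevgavga.im8lrz6"',
    r'O4 - HKCU\..\Run: [Store file readme bash] "C:\ProgramData\Bore Shim Cool.m3zmi"',
    r'O4 - HKCU\..\Run: [mgkqi] c:\users\doudoudim\appdata\local\mgkqi.exe mgkqi',
    r'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE',
]

if __name__ == "__main__":
    for e in suspicious_autoruns(SAMPLE_LOG):
        print(f"{e.hive} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the sample, the script flags exactly the three entries the helpers asked to fix and leaves the Defender, Java and Media Player autoruns alone. The heuristics are deliberately coarse: a benign updater that lives in AppData will trip the second check, so the output is a list to look at, not a list to delete.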
doudoudim Posted messages 16 Status Membre
 
What is "fix"?
0
doudoudim Posted messages 16 Status Membre
 
I just did what you asked me, I'm still receiving CiD, here is the Malware report:

Malwarebytes' Anti-Malware 1.22
Database version: 982
Windows 6.0.6000

16:25:19 23/07/2008
mbam-log-7-23-2008 (16-25-19).txt

Scan type: Full scan (C:\|D:\|)
Items examined: 134769
Elapsed time: 2 hour(s), 1 minute(s), 42 second(s)

Infected memory process(es): 0
Infected memory module(s): 0
Infected registry key(s): 1
Infected registry value(s): 0
Infected registry data item(s): 0
Infected folder(s): 0
Infected file(s): 4

Infected memory process(es):
(No harmful item detected)

Infected memory module(s):
(No harmful item detected)

Infected registry key(s):
HKEY_CURRENT_USER\SOFTWARE\ParisHilton (Adware.NaviPromo) -> Quarantined and deleted successfully.

Infected registry value(s):
(No harmful item detected)

Infected registry data item(s):
(No harmful item detected)

Infected folder(s):
(No harmful item detected)

Infected file(s): C:\Users\doudoudim\Local Settings\Application Data\mgkqi_navps.dat (Adware.Navipromo) -> Quarantined and deleted successfully.
C:\Users\doudoudim\Local Settings\Application Data\mgkqi_nav.dat (Adware.Navipromo) -> Quarantined and deleted successfully.
C:\Users\doudoudim\Local Settings\Application Data\mgkqi.dat (Adware.Navipromo) -> Quarantined and deleted successfully.
C:\Users\doudoudim\Local Settings\Application Data\mgkqi.exe (Adware.Navipromo) -> Delete on reboot.

I'm doing another Hijackthis and here is the report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49:27, on 23/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\s3trayp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orange\AntivirusFirewall\FSGUI\fsguidll.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Users\doudoudim\Documents\My received files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Help for Adobe PDF Reader link - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Help Program - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Orange\AntivirusFirewall\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [VcTrust] "C:\ProgramData\Drivevgavga.im8lrz6"
O4 - HKCU\..\Run: [Store file readme bash] "C:\ProgramData\Bore Shim Cool.m3zmi"
O4 - HKCU\..\Run: [mgkqi] c:\users\doudoudim\appdata\local\mgkqi.exe mgkqi
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://copainsdavant.linternaute.com/html_include_bibliotheque/objimageuploader/5.0.15.0/ImageUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5648 bytes


What should I do now?

Thanks for your reply!

Doudou
0
doudoudim Posted messages 16 Status Membre
 
Oops, I just found the famous "fix" (didn't read the window properly) I'm restarting Malware.....
0
doudoudim
 
A simple question, what is "fix"? I'm not a computer expert so the terms.....

Thank you
0
doudoudim Posted messages 16 Status Membre
 
I did what you told me, but there's no change, just as many CiDs, anything else to do?

Anyone to help me?
0
doudoudim Posted messages 16 Status Membre
 
here is the first step, the LOP report:

--------------------\\ Lop S&D 4.2.2-3 XP/Vista

[ Windows VISTA (NT 6.0) Workstation Build 6000 ]
[ USER : doudoudim ] [ "C:\Lop SD" ] [ Selection : 1 ]
[ 23/07/2008 | 19:22:10,10 ] [ PC : LOLA ]
[ LAST UPDATE : 22-07-2008 | 17:35 ]
[ UAC => 0 ]

--------------------\\ Listing of folders in

[16/04/2008|11:46] C:\Users\DOUDOU~1\AppData\Local\Adobe
[10/03/2008|20:36] C:\Users\DOUDOU~1\AppData\Local\Application Data
[11/03/2008|00:44] C:\Users\DOUDOU~1\AppData\Local\Apps
[11/03/2008|00:35] C:\Users\DOUDOU~1\AppData\Local\d3d8caps.dat
[11/03/2008|00:35] C:\Users\DOUDOU~1\AppData\Local\d3d9caps.dat
[23/07/2008|16:26] C:\Users\DOUDOU~1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[06/06/2008|19:05] C:\Users\DOUDOU~1\AppData\Local\GDIPFONTCACHEV1.DAT
[10/03/2008|20:36] C:\Users\DOUDOU~1\AppData\Local\History
[23/07/2008|17:56] C:\Users\DOUDOU~1\AppData\Local\IconCache.db
[25/03/2008|12:17] C:\Users\DOUDOU~1\AppData\Local\Microsoft
[23/07/2008|13:00] C:\Users\DOUDOU~1\AppData\Local\tanah.bat
[23/07/2008|19:22] C:\Users\DOUDOU~1\AppData\Local\Temp
[10/03/2008|20:36] C:\Users\DOUDOU~1\AppData\Local\Temporary Internet Files
[12/04/2008|13:49] C:\Users\DOUDOU~1\AppData\Local\VirtualStore

--------------------\\ Scheduled tasks in C:\Windows\tasks

[23/07/2008 19:00][--a------] C:\Windows\tasks\One click Maintenance.job
[05/07/2008 15:54][--a------] C:\Windows\tasks\AppleSoftwareUpdate.job
[23/07/2008 17:57][--ah-----] C:\Windows\tasks\SA.DAT
[23/07/2008 17:56][--a------] C:\Windows\tasks\SCHEDLGU.TXT

--------------------\\ Listing of folders in C:\ProgramData

[06/06/2008|21:40] C:\ProgramData\Active the bore sect
[06/06/2008|08:35] C:\ProgramData\Adobe
[11/03/2008|23:03] C:\ProgramData\Apple Computer
[02/11/2006|14:59] C:\ProgramData\Application Data
[23/06/2008|21:17] C:\ProgramData\Bore Shim Cool.m3zmi
[10/03/2008|20:31] C:\ProgramData\Desktop
[23/06/2008|21:17] C:\ProgramData\city about store file
[02/11/2006|14:59] C:\ProgramData\Desktop
[02/11/2006|14:59] C:\ProgramData\Documents
[23/06/2008|21:17] C:\ProgramData\DOESAMENHOLD
[23/06/2008|21:14] C:\ProgramData\Drivevgavga.8tlzanx
[23/07/2008|17:34] C:\ProgramData\Drivevgavga.9j3xv
[23/06/2008|21:14] C:\ProgramData\Drivevgavga.im8lrz6
[23/07/2008|16:57] C:\ProgramData\Drivevgavga.nt3a0np
[06/06/2008|21:39] C:\ProgramData\Drivevgavga.q39km1
[14/04/2008|23:34] C:\ProgramData\Drivevgavga.uqq3tep
[13/05/2008|19:57] C:\ProgramData\Drivevgavga.wsugnh
[10/03/2008|20:31] C:\ProgramData\Favorites
[02/11/2006|14:59] C:\ProgramData\Favorites
[06/06/2008|22:14] C:\ProgramData\F-Secure
[06/06/2008|22:12] C:\ProgramData\fssg
[09/07/2008|21:41] C:\ProgramData\Installations
[11/03/2008|00:59] C:\ProgramData\Kaspersky Lab Setup Files
[23/07/2008|14:20] C:\ProgramData\Malwarebytes
[10/03/2008|20:31] C:\ProgramData\Start Menu
[29/04/2008|14:43] C:\ProgramData\Microsoft
[10/03/2008|20:31] C:\ProgramData\Templates
[02/05/2008|08:19] C:\ProgramData\Trymedia
[06/07/2008|22:12] C:\ProgramData\TuneUp Software
[23/03/2008|17:53] C:\ProgramData\WLInstaller

--------------------\\ Listing of folders in C:\Program Files

[27/06/2008|21:12] C:\Program Files\Adobe
[16/06/2008|15:52] C:\Program Files\Ahead
[14/04/2008|21:49] C:\Program Files\Alwil Software
[11/03/2008|00:24] C:\Program Files\Apoint2K
[11/03/2008|23:02] C:\Program Files\Apple Software Update
[02/05/2008|11:19] C:\Program Files\ArcSoft
[02/05/2008|08:19] C:\Program Files\BFG
[22/06/2008|14:07] C:\Program Files\Circle Developement
[22/07/2008|14:42] C:\Program Files\Common Files
[11/03/2008|00:23] C:\Program Files\CONEXANT
[10/07/2008|17:54] C:\Program Files\desktop.ini
[10/03/2008|20:31] C:\Program Files\Common Files [C:\Program Files\Common Files]
[02/05/2008|11:19] C:\Program Files\InstallShield Installation Information
[14/06/2008|22:27] C:\Program Files\Internet Explorer
[06/06/2008|19:55] C:\Program Files\Inventel
[14/04/2008|23:19] C:\Program Files\Java
[23/07/2008|14:20] C:\Program Files\Malwarebytes' Anti-Malware
[25/03/2008|09:52] C:\Program Files\Microsoft ActiveSync
[02/11/2006|14:35] C:\Program Files\Microsoft Games
[25/03/2008|09:49] C:\Program Files\Microsoft Office
[11/03/2008|05:07] C:\Program Files\Movie Maker
[02/11/2006|14:35] C:\Program Files\MSBuild
[02/11/2006|14:35] C:\Program Files\MSN
[06/06/2008|20:38] C:\Program Files\MSXML 4.0
[09/07/2008|21:39] C:\Program Files\Nokia
[06/06/2008|22:12] C:\Program Files\Orange
[05/06/2008|21:18] C:\Program Files\PC Connectivity Solution
[11/03/2008|23:04] C:\Program Files\QuickTime
[02/11/2006|14:35] C:\Program Files\Reference Assemblies
[11/03/2008|00:22] C:\Program Files\S3
[06/07/2008|22:13] C:\Program Files\TuneUp Utilities 2008
[02/11/2006|14:58] C:\Program Files\Uninstall Information
[11/03/2008|00:58] C:\Program Files\VideoLAN
[24/03/2008|00:40] C:\Program Files\Windows Calendar
[11/03/2008|05:07] C:\Program Files\Windows Collaboration
[24/03/2008|00:40] C:\Program Files\Windows Defender
[23/03/2008|18:19] C:\Program Files\Windows Live
[09/07/2008|22:47] C:\Program Files\Windows Mail
[02/05/2008|11:11] C:\Program Files\Windows Media Player
[10/03/2008|20:31] C:\Program Files\Windows NT
[11/03/2008|05:07] C:\Program Files\Windows Photo Gallery
[24/03/2008|00:40] C:\Program Files\Windows Sidebar
[11/03/2008|00:56] C:\Program Files\WinRAR

--------------------\\ Listing of folders in C:\Program Files\Common Files

[03/04/2008|08:19] C:\Program Files\Common Files\Adobe
[15/06/2008|23:05] C:\Program Files\Common Files\Ahead
[25/03/2008|09:51] C:\Program Files\Common Files\Designer
[02/05/2008|11:11] C:\Program Files\Common Files\InstallShield
[14/04/2008|22:14] C:\Program Files\Common Files\Java
[07/06/2008|12:17] C:\Program Files\Common Files\microsoft shared
[09/07/2008|21:36] C:\Program Files\Common Files\Nokia
[22/07/2008|14:42] C:\Program Files\Common Files\PCSuite
[02/11/2006|13:18] C:\Program Files\Common Files\Services
[02/11/2006|13:18] C:\Program Files\Common Files\SpeechEngines
[25/03/2008|09:49] C:\Program Files\Common Files\System
[23/03/2008|18:19] C:\Program Files\Common Files\WindowsLiveInstaller
[06/07/2008|22:10] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 61 Processes )

iexplore.exe ~ [636]
iexplore.exe ~ [2812]

--------------------\\ Search with S_Lop

C:\ProgramData\Bore Shim Cool.m3zmi
C:\ProgramData\Drivevgavga.9j3xv
C:\ProgramData\Drivevgavga.q39km1
C:\ProgramData\Drivevgavga.wsugnh
C:\ProgramData\Drivevgavga.8tlzanx
C:\ProgramData\Drivevgavga.im8lrz6
C:\ProgramData\Drivevgavga.nt3a0np
C:\ProgramData\Drivevgavga.uqq3tep

--------------------\\ Search for Lop Files / Folders

C:\ProgramData\Active the bore sect
C:\ProgramData\city about store file
C:\ProgramData\city about store file\anti help.exe
C:\Program Files\Circle Developement
C:\Program Files\Circle Developement\Uninstall.0xe
C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies\doudoudim@adin.bigpoint[2].txt
C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies\doudoudim@bigpoint[1].txt
C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies\doudoudim@fr1.seafight.bigpoint[1].txt
C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies\doudoudim@adopt.euroclick[2].txt
C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies\doudoudim@fr1.seafight.bigpoint[1].txt

--------------------\\ Registry Verification

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VcTrust"="\"C:\\ProgramData\\Drivevgavga.9j3xv\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

--------------------\\ Hosts file verification

Hosts file CLEAN

--------------------\\ File search with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 19:22:46
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 94

--------------------\\ Search for other infections

No other infections found!

[F:104][D:8]-> C:\Users\DOUDOU~1\AppData\Local\Temp
[F:323][D:1]-> C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies
[F:857][D:4]-> C:\Users\DOUDOU~1\AppData\Local\MICROS~1\Windows\TEMPOR~1\content.IE5
[F:5][D:3]-> C:\$Recycle.Bin

--------------------\\ End of report at 19:24:07,37
[ UAC => 1 ]
0
jlpjlp Posted messages 52399 Status Contributeur sécurité 5 041
 
OK, redo Lop S&D and choose option 2 and paste the report

and paste the navilog report

see you later
0
doudoudim Posted messages 16 Status Membre
 
Here is the Navilog1 report:

Search Navipromo version 3.6.1 started on 07/23/2008 at 19:32:57.66

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis!!!
!!! Do not start the disinfecting part without the advice of a specialist!!!

Tool executed from C:\Program Files\navilog1
Current session: "doudoudim"

Updated on 07/19/2008 at 20:00 by IL-MAFIOSO

Microsoft Windows Vista 6.0.6000
Internet Explorer: 7.0.6000.16681
File system: NTFS

Search executed in normal mode

*** Search Installed Programs ***

*** Searching directories in "C:\Windows" ***

*** Searching directories in "C:\Program Files" ***

*** Searching directories in "c:\progra~2\micros~1\windows\startm~1\programs" ***

*** Searching directories in "c:\progra~2\micros~1\windows\startm~1" ***

*** Searching directories in "C:\ProgramData" ***

*** Searching directories in "c:\users\doudou~1\appdata\roaming\micros~1\windows\startm~1\programs" ***

*** Searching directories in "C:\Users\doudoudim\AppData\Local\virtualstore\Program Files" ***

*** Searching directories in "C:\Users\DOUDOU~1\AppData\Roaming" ***

*** Searching with Catchme-rootkit/stealth malware detector by gmer ***
for more info: http://www.gmer.net

No Navipromo files found

*** Searching with GenericNaviSearch ***
!!! All of these results may reveal legitimate files!!!
!!! Must be verified before any manual deletion!!!

* Searching in "C:\Windows\system32" *

* Searching in "C:\Users\doudoudim\AppData\Local\Microsoft" *

* Searching in "C:\Users\doudoudim\AppData\Local" *

*** Searching files ***

*** Searching specific keys in the Registry ***

*** Additional Search Module ***
(Searching specific files)

1) Searching for new Instant Access files:

2) Heuristic Search:

* In "C:\Windows\system32":

* In "C:\Users\doudoudim\AppData\Local\Microsoft":

* In "C:\Users\doudoudim\AppData\Local":

3) Searching Certificates:

Egroup Certificate found!
Electronic-Group Certificate found!
OOO-Favorit Certificate found!
Sunny-Day-Design-Ltd Certificate absent!

4) Searching known files:

*** Analysis completed on 07/23/2008 at 19:45:30.93 ***
0
doudoudim Posted messages 16 Status Membre
 
Here is the Lop sd report option 2:

Search Navipromo version 3.6.1 started on 07/23/2008 at 19:32:57.66

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis!!!
!!! Do not start the disinfection process without the advice of a specialist!!!

Tool executed from C:\Program Files\navilog1
Current session: "doudoudim"

Updated on 07/19/2008 at 20:00 by IL-MAFIOSO

Microsoft Windows Vista 6.0.6000
Internet Explorer: 7.0.6000.16681
File system: NTFS

Search executed in normal mode

*** Search installed programs ***

*** Search folders in "C:\Windows" ***

*** Search folders in "C:\Program Files" ***

*** Search folders in "c:\progra~2\micros~1\windows\startm~1\programs" ***

*** Search folders in "c:\progra~2\micros~1\windows\startm~1" ***

*** Search folders in "C:\ProgramData" ***

*** Search folders in "c:\users\doudou~1\appdata\roaming\micros~1\windows\startm~1\programs" ***

*** Search folders in "C:\Users\doudoudim\AppData\Local\virtualstore\Program Files" ***

*** Search folders in "C:\Users\DOUDOU~1\AppData\Roaming" ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info: http://www.gmer.net

No Navipromo file found

*** Search with GenericNaviSearch ***
!!! All these results may reveal legitimate files!!!
!!! Must be verified before any manual deletion!!!

* Search in "C:\Windows\system32" *

* Search in "C:\Users\doudoudim\AppData\Local\Microsoft" *

* Search in "C:\Users\doudoudim\AppData\Local" *

*** Search files ***

*** Search specific keys in the Registry ***

*** Additional Search Module ***
(Search specific files)

1) Search for new Instant Access files:

2) Heuristic Search:

* In "C:\Windows\system32":

* In "C:\Users\doudoudim\AppData\Local\Microsoft":

* In "C:\Users\doudoudim\AppData\Local":

3) Search for Certificates:

Certificate Egroup found!
Certificate Electronic-Group found!
Certificate OOO-Favorit found!
Certificate Sunny-Day-Design-Ltd absent!

4) Search for known files:

*** Analysis completed on 07/23/2008 at 19:45:30.93 ***
0
jlpjlp Posted messages 52399 Status Contributeur sécurité 5 041
 
Sure, redo the lop sd and choose option 2 and paste the report

and redo navilog with option 2 and paste the report

and paste a new hijackthis

and say if there are still any cid ads or other issues

see you later
0
doudoudim Posted messages 16 Status Membre
 
Report LOP SD option 2 : 

--------------------\\ Lop S&D 4.2.2-3 XP/Vista

[ Windows VISTA (NT 6.0) Workstation Build 6000 ]
[ USER : doudoudim ] [ "C:\Lop SD" ] [ Selection : 2 ]
[ 23/07/2008 | 20:09:49,82 ] [ PC : LOLA ]
[ MAJ : 22-07-2008 | 17:35 ]
[ UAC => 0 ]

//////////////////////////////////////-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

--------------------\\ Listing of folders in

[16/04/2008|11:46] C:\Users\DOUDOU~1\AppData\Local\Adobe
[10/03/2008|20:36] C:\Users\DOUDOU~1\AppData\Local\Application Data
[11/03/2008|00:44] C:\Users\DOUDOU~1\AppData\Local\Apps
[11/03/2008|00:35] C:\Users\DOUDOU~1\AppData\Local\d3d8caps.dat
[11/03/2008|00:35] C:\Users\DOUDOU~1\AppData\Local\d3d9caps.dat
[23/07/2008|16:26] C:\Users\DOUDOU~1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[06/06/2008|19:05] C:\Users\DOUDOU~1\AppData\Local\GDIPFONTCACHEV1.DAT
[10/03/2008|20:36] C:\Users\DOUDOU~1\AppData\Local\Historique
[23/07/2008|20:00] C:\Users\DOUDOU~1\AppData\Local\IconCache.db
[23/07/2008|19:45] C:\Users\DOUDOU~1\AppData\Local\Microsoft
[23/07/2008|13:00] C:\Users\DOUDOU~1\AppData\Local\tanah.bat
[23/07/2008|20:09] C:\Users\DOUDOU~1\AppData\Local\Temp
[10/03/2008|20:36] C:\Users\DOUDOU~1\AppData\Local\Temporary Internet Files
[12/04/2008|13:49] C:\Users\DOUDOU~1\AppData\Local\VirtualStore

--------------------\\ Scheduled tasks in C:\Windows\tasks

[23/07/2008 20:03][--a------] C:\Windows\tasks\1-click Maintenance.job
[05/07/2008 15:54][--a------] C:\Windows\tasks\AppleSoftwareUpdate.job
[23/07/2008 20:09][--ah-----] C:\Windows\tasks\SA.DAT
[23/07/2008 20:08][--a------] C:\Windows\tasks\SCHEDLGU.TXT

--------------------\\ Listing of folders in C:\ProgramData

[06/06/2008|08:35] C:\ProgramData\Adobe
[11/03/2008|23:03] C:\ProgramData\Apple Computer
[02/11/2006|14:59] C:\ProgramData\Application Data
[10/03/2008|20:31] C:\ProgramData\Desktop
[02/11/2006|14:59] C:\ProgramData\Desktop
[02/11/2006|14:59] C:\ProgramData\Documents
[23/06/2008|21:17] C:\ProgramData\DOESAMENHOLD
[10/03/2008|20:31] C:\ProgramData\Favorites
[02/11/2006|14:59] C:\ProgramData\Favorites
[06/06/2008|22:14] C:\ProgramData\F-Secure
[06/06/2008|22:12] C:\ProgramData\fssg
[09/07/2008|21:41] C:\ProgramData\Installations
[11/03/2008|00:59] C:\ProgramData\Kaspersky Lab Setup Files
[23/07/2008|14:20] C:\ProgramData\Malwarebytes
[10/03/2008|20:31] C:\ProgramData\Start Menu
[29/04/2008|14:43] C:\ProgramData\Microsoft
[10/03/2008|20:31] C:\ProgramData\Templates
[02/05/2008|08:19] C:\ProgramData\Trymedia
[06/07/2008|22:12] C:\ProgramData\TuneUp Software
[23/03/2008|17:53] C:\ProgramData\WLInstaller

--------------------\\ Listing of folders in C:\Program Files

[27/06/2008|21:12] C:\Program Files\Adobe
[16/06/2008|15:52] C:\Program Files\Ahead
[14/04/2008|21:49] C:\Program Files\Alwil Software
[11/03/2008|00:24] C:\Program Files\Apoint2K
[11/03/2008|23:02] C:\Program Files\Apple Software Update
[02/05/2008|11:19] C:\Program Files\ArcSoft
[02/05/2008|08:19] C:\Program Files\BFG
[22/07/2008|14:42] C:\Program Files\Common Files
[11/03/2008|00:23] C:\Program Files\CONEXANT
[10/07/2008|17:54] C:\Program Files\desktop.ini
[10/03/2008|20:31] C:\Program Files\Common Files [C:\Program Files\Common Files]
[02/05/2008|11:19] C:\Program Files\InstallShield Installation Information
[14/06/2008|22:27] C:\Program Files\Internet Explorer
[06/06/2008|19:55] C:\Program Files\Inventel
[14/04/2008|23:19] C:\Program Files\Java
[23/07/2008|14:20] C:\Program Files\Malwarebytes' Anti-Malware
[25/03/2008|09:52] C:\Program Files\Microsoft ActiveSync
[02/11/2006|14:35] C:\Program Files\Microsoft Games
[25/03/2008|09:49] C:\Program Files\Microsoft Office
[11/03/2008|05:07] C:\Program Files\Movie Maker
[02/11/2006|14:35] C:\Program Files\MSBuild
[02/11/2006|14:35] C:\Program Files\MSN
[06/06/2008|20:38] C:\Program Files\MSXML 4.0
[23/07/2008|19:45] C:\Program Files\Navilog1
[09/07/2008|21:39] C:\Program Files\Nokia
[06/06/2008|22:12] C:\Program Files\Orange
[05/06/2008|21:18] C:\Program Files\PC Connectivity Solution
[11/03/2008|23:04] C:\Program Files\QuickTime
[02/11/2006|14:35] C:\Program Files\Reference Assemblies
[11/03/2008|00:22] C:\Program Files\S3
[06/07/2008|22:13] C:\Program Files\TuneUp Utilities 2008
[02/11/2006|14:58] C:\Program Files\Uninstall Information
[11/03/2008|00:58] C:\Program Files\VideoLAN
[24/03/2008|00:40] C:\Program Files\Windows Calendar
[11/03/2008|05:07] C:\Program Files\Windows Collaboration
[24/03/2008|00:40] C:\Program Files\Windows Defender
[23/03/2008|18:19] C:\Program Files\Windows Live
[09/07/2008|22:47] C:\Program Files\Windows Mail
[02/05/2008|11:11] C:\Program Files\Windows Media Player
[10/03/2008|20:31] C:\Program Files\Windows NT
[11/03/2008|05:07] C:\Program Files\Windows Photo Gallery
[24/03/2008|00:40] C:\Program Files\Windows Sidebar
[11/03/2008|00:56] C:\Program Files\WinRAR

--------------------\\ Listing of folders in C:\Program Files\Common Files

[03/04/2008|08:19] C:\Program Files\Common Files\Adobe
[15/06/2008|23:05] C:\Program Files\Common Files\Ahead
[25/03/2008|09:51] C:\Program Files\Common Files\Designer
[02/05/2008|11:11] C:\Program Files\Common Files\InstallShield
[14/04/2008|22:14] C:\Program Files\Common Files\Java
[07/06/2008|12:17] C:\Program Files\Common Files\microsoft shared
[09/07/2008|21:36] C:\Program Files\Common Files\Nokia
[22/07/2008|14:42] C:\Program Files\Common Files\PCSuite
[02/11/2006|13:18] C:\Program Files\Common Files\Services
[02/11/2006|13:18] C:\Program Files\Common Files\SpeechEngines
[25/03/2008|09:49] C:\Program Files\Common Files\System
[23/03/2008|18:19] C:\Program Files\Common Files\WindowsLiveInstaller
[06/07/2008|22:10] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 37 Processes )

... OK !

--------------------\\ Search with S_Lop

No Lop file/folder found!

--------------------\\ Search for Lop Files/Folders

No Lop file/folder found!

--------------------\\ Registry Verification

..... OK !

--------------------\\ Hosts file verification

Hosts file CLEAN

--------------------\\ Search for files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 20:10:07
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 94

--------------------\\ Search for other infections

No other infection found!

[F:104][D:8]-> C:\Users\DOUDOU~1\AppData\Local\Temp
[F:331][D:1]-> C:\Users\DOUDOU~1\AppData\Roaming\MICROS~1\Windows\Cookies
[F:1276][D:4]-> C:\Users\DOUDOU~1\AppData\Local\MICROS~1\Windows\TEMPOR~1\content.IE5
[F:9][D:3]-> C:\$Recycle.Bin

--------------------\\ End of report at 20:14:54,76
[ UAC => 1 ]

Navilog report, option 2:

Clean Navipromo version 3.6.1 started on 23/07/2008 at 20:15:53,96

Tool executed from C:\Program Files\navilog1
Current session : "doudoudim"

Updated on 19.07.2008 at 20:00 by IL-MAFIOSO

Microsoft Windows Vista 6.0.6000
Internet Explorer : 7.0.6000.16681
File system : NTFS

Automatic deletion mode
with support for Catchme and GNS results

Cleaning performed on reboot of the computer

*** fsbl1.txt not found ***
(Ensure that Catchme found nothing during the search)

*** Deleting with backups results GenericNaviSearch ***

* Deleting in "C:\Windows\System32" *

* Deleting in "C:\Users\doudoudim\AppData\Local\Microsoft" *

* Deleting in "C:\Users\doudoudim\AppData\Local" *

*** Deleting folders in "C:\Windows" ***

*** Deleting folders in "C:\Program Files" ***

*** Deleting folders in "c:\progra~2\micros~1\windows\startm~1\programs" ***

*** Deleting folders in "c:\progra~2\micros~1\windows\startm~1" ***

*** Deleting folders in "C:\ProgramData" ***

*** Deleting folders in c:\users\doudou~1\appdata\roaming\micros~1\windows\startm~1\programs ***

*** Deleting folders in "C:\Users\doudoudim\AppData\Local\virtualstore\Program Files" ***

*** Deleting folders in "C:\Users\doudoudim\AppData\Roaming" ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning content C:\Windows\Temp completed!
Cleaning content C:\Users\DOUDOU~1\AppData\Local\Temp completed!

*** Processing Additional Search ***
(Searching specific files)

1) Deleting with backups new Instant Access files:

2) Searching, creating backups and heuristic deleting:

* In "C:\Windows\system32" *

* In "C:\Users\doudoudim\AppData\Local\Microsoft" *

* In "C:\Users\doudoudim\AppData\Local" *

*** Registry Backup to Safebackup folder ***

Registry backup completed successfully!

*** Registry Cleaning ***

Registry cleaning OK

*** Certificates ***

Certificate Egroup deleted!
Certificate Electronic-Group deleted!
Certificate OOO-Favorit deleted!
Certificate Sunny-Day-Design-Ltd absent!

*** Cleaning completed on 23/07/2008 at 20:24:24,52 ***

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:29:57, on 23/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\s3trayp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Orange\AntivirusFirewall\FSGUI\fsguidll.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\conime.exe
C:\Users\doudoudim\Documents\My received files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Help for Adobe PDF Reader link - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Help Program - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Orange\AntivirusFirewall\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Orange\AntivirusFirewall\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://copainsdavant.linternaute.com/html_include_bibliotheque/objimageuploader/5.0.15.0/ImageUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5000 bytes

For now, no CiD!!!
However, can I uninstall Lop S&D, HijackThis, and Navilog if no CiD comes back??
jlpjlp Posted messages 52399 Status Contributeur sécurité 5 041
 
Restart HijackThis, choose "do a scan only", check the box in front of the lines below and click on "fix checked" at the bottom.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

__________________

To remove what we used:

Download ToolsCleaner to your desktop.
--> http://www.commentcamarche.net/telecharger/telecharger 34055291 toolscleaner
# Click on Search and let the scan run ...
# Click on Delete to finalize.
# You can, if you wish, use the Optional settings.
# Click on Exit to obtain the report.
# Post the report (TCleaner.txt) that can be found at the root of your hard drive (C:\).

PS: no need to send me the report if everything has been deleted ;-)

________________

To be a little better protected, install Spybot without activating the TeaTimer during installation:

https://www.01net.com/telecharger/windows/Securite/anti-spyware/fiches/26157.html

That's it, it's done.

Have a good day.
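A way to triage a HijackThis log before clicking "fix checked", as an added example that is not part of this thread and not HijackThis's own code. It parses the R/O entry lines, flags O2 BHOs that end in "(no file)" (the dead CLSID registration in jlpjlp's fix list above), flags processes and O4 autostarts that run from user-writable folders, and diffs a "before" and "after" log to confirm what a cleanup actually removed. The sample log, the user name "alice" and the file qwzrt.exe are constructed for the example; the flags are review hints, not verdicts.

```python
"""Triage helper for HijackThis-style logs: parse the entry lines, flag the
patterns an analyst checks first, and diff two logs to confirm a cleanup.
Added example; not part of the thread or of HijackThis itself."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str   # HijackThis section code, e.g. "O2", "O4", "O23"
    text: str   # the whole line as the tool printed it


ENTRY_RE = re.compile(r"^([RFNO]\d+) - .*$")
# Folders a legitimate autostart rarely lives in but droppers and adware favour.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\",
                              re.IGNORECASE)


def parse_log(text):
    """Return (running processes, entries) from a HijackThis log body."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:                    # the process block ends at a blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        if ENTRY_RE.match(line):
            entries.append(Entry(line.split(" - ", 1)[0], line))
    return processes, entries


def o4_target(text):
    """Extract the launched path from an O4 line (Run key or Global Startup)."""
    if "]" in text:                     # O4 - HKLM\..\Run: [name] "path" args
        rest = text.split("]", 1)[1].strip()
    elif " = " in text:                 # O4 - Global Startup: x.lnk = path
        rest = text.split(" = ", 1)[1].strip()
    else:
        return ""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", rest, maxsplit=1)[0]   # drop trailing switches


def orphaned_bhos(entries):
    """O2 entries whose DLL is gone: a dead CLSID registration left behind."""
    return [e for e in entries if e.kind == "O2" and e.text.endswith("(no file)")]


def user_writable_autostarts(processes, entries):
    """Processes and O4 targets that run from user-writable folders (review, not a verdict)."""
    hits = [p for p in processes if USER_WRITABLE_RE.search(p)]
    for e in entries:
        if e.kind == "O4":
            target = o4_target(e.text)
            if USER_WRITABLE_RE.search(target):
                hits.append(target)
    return hits


def removed_between(before_text, after_text):
    """What a cleanup removed: processes and entries present before but not after."""
    b_procs, b_entries = parse_log(before_text)
    a_procs, a_entries = parse_log(after_text)
    gone_procs = sorted({p.lower() for p in b_procs} - {p.lower() for p in a_procs})
    after_lines = {e.text for e in a_entries}
    gone_entries = [e.text for e in b_entries if e.text not in after_lines]
    return gone_procs, gone_entries


# Constructed sample log (not a real system): "alice" and qwzrt.exe are invented.
BEFORE = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
c:\users\alice\appdata\local\qwzrt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.orange.fr/portail
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [qwzrt] c:\users\alice\appdata\local\qwzrt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
"""
# Constructed "after cleanup" log: the same system minus the dropper and the dead BHO.
AFTER = "\n".join(l for l in BEFORE.splitlines()
                  if "qwzrt" not in l and "(no file)" not in l)

if __name__ == "__main__":
    procs, entries = parse_log(BEFORE)
    for e in orphaned_bhos(entries):
        print("orphaned BHO :", e.text)
    for path in user_writable_autostarts(procs, entries):
        print("user-writable:", path)
    gone_procs, gone_entries = removed_between(BEFORE, AFTER)
    print("removed by cleanup:", gone_procs + gone_entries)
```

The O4 entries jlpjlp has you fix above (QuickTime, the Reader speed launcher, the Java updater, Office OSA) live under Program Files and are trimmed for startup load, not because they are malicious, so the location check deliberately leaves them alone; the "(no file)" BHO is the one line in that list the script flags on its own. A missing-file check against the O4 targets (os.path.exists on the expanded path, run on the affected machine) is the natural next filter, since HijackThis only prints "(no file)" for O2 entries.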
doudoudim Posted messages 16 Status Membre
 
ToolsCleaner is not working ("not responding"). Is there another solution?
doudoudim Posted messages 16 Status Membre
 
With a little patience, here is the report (this is not the one from the C: drive, because saving it there was denied). A good number of things have not been deleted; let me know what you think!!!

-->- Search:

C:\Lop SD: found!
C:\Lop SD\Lop S&D.lnk: found!
C:\Program Files\Navilog1: found!
C:\Program Files\Navilog1\Navilog1.bat: found!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Users\doudoudim\AppData\Roaming\Microsoft\Windows\Recent\HijackThis.lnk: found!
C:\Users\doudoudim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lop S&D: found!
C:\Users\doudoudim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lop S&D: found!
C:\Users\doudoudim\Desktop\Lop S&D.lnk: found!
C:\Users\doudoudim\Desktop\LopSD.exe: found!
C:\Users\doudoudim\Desktop\Navilog1.exe: found!
C:\Users\doudoudim\Documents\My received files\HijackThis.exe: found!
C:\Users\Public\Desktop\Navilog1.lnk: found!
C:\Windows.old\Documents and Settings\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\Documents and Settings\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\Documents and Settings\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Windows.old\Documents and Settings\doudoudim\AppData\Roaming\Microsoft\Windows\Recent\HijackThis.lnk: found!
C:\Windows.old\Documents and Settings\doudoudim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lop S&D: found!
C:\Windows.old\Documents and Settings\doudoudim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lop S&D: found!
C:\Windows.old\Documents and Settings\doudoudim\Desktop\Lop S&D.lnk: found!
C:\Windows.old\Documents and Settings\doudoudim\Desktop\LopSD.exe: found!
C:\Windows.old\Documents and Settings\doudoudim\Desktop\Navilog1.exe: found!
C:\Windows.old\Documents and Settings\doudoudim\Documents\My received files\HijackThis.exe: found!
C:\Windows.old\Documents and Settings\Public\Desktop\Navilog1.lnk: found!
C:\Windows.old\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Windows.old\ProgramData\Desktop\Navilog1.lnk: found!
C:\Windows.old\ProgramData\Desktop\Navilog1.lnk: found!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Windows.old\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: found!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1\Navilog1.lnk: found!
C:\Windows.old\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: found!
C:\Windows.old\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: found!

---------------------------------
-->- Deletion:

C:\Lop SD\Lop S&D.lnk: deleted!
C:\Program Files\Navilog1\Navilog1.bat: Deletion error!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Users\doudoudim\AppData\Roaming\Microsoft\Windows\Recent\HijackThis.lnk: deleted!
C:\Users\doudoudim\Desktop\Lop S&D.lnk: deleted!
C:\Users\doudoudim\Desktop\LopSD.exe: deleted!
C:\Users\doudoudim\Desktop\Navilog1.exe: deleted!
C:\Users\doudoudim\Documents\My received files\HijackThis.exe: deleted!
C:\Users\Public\Desktop\Navilog1.lnk: deleted!
C:\Windows.old\Documents and Settings\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Windows.old\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Windows.old\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Windows.old\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1\Navilog1.lnk: Deletion error!
C:\Lop SD: deleted!
C:\Program Files\Navilog1: Deletion error!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Users\doudoudim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lop S&D: Deletion error!
C:\Users\doudoudim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lop S&D: deleted!
C:\Windows.old\Documents and Settings\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\Documents and Settings\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\ProgramData\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\ProgramData\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!
C:\Windows.old\Users\All Users\Microsoft\Windows\Start Menu\Programs\Navilog1: Deletion error!


And still no CiD!!!!
jlpjlp Posted messages 52399 Status Contributeur sécurité 5 041
 
OK, there's still Navilog; remove it via your Control Panel as you usually do with other software.

All the best.
doudoudim Posted messages 16 Status Membre
 
That's it, everything is working correctly, thanks again to jlpjlp for this help.