Mark53

Unable to remove spywares Boran.g and Smitfraud-C

20 posts in this topic

Hi,

 

I'd like to draw your attention to these 2 spywares that can't be removed with Ad-aware (nor with the other anti-spyware tools I tried). There are already hundreds of messages posted around the Net about how to remove these malwares, so I guess I don't have to describe the problem once again.

 

The problem is simple : these malwares are loaded into memory and can't be removed just by deleting registry key values or files on hard disk.

 

I guess you really have to work on these, that's a real nuisance.

 

Without any effective anti-spyware available on the market, I'm obliged to spend hours trying solutions to remove the files on reboot and so on.

 

Thanks,

Mark


Hi Mark53,

 

In order for the malware experts to assist you, please post scan-logs as set out in my post here: trojandownloader.Zlob, Malware that can be deleted but returns immediately

For the Ad-Aware log, Please make sure that you are using

Ad-aware SE Build 106r1

Note: If your version is 6.0 and not the SE, you need to uninstall the older version first and get the latest version from the above link, then install SE.

Then use the WebUpDate to get the latest Definition file SE1R124 19.09.2006

To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe).

Click "Connect"

Ad-aware will then download the latest Definition file for you.

To make sure it is updated, look at the main Ad-aware screen under "Initialization Status".

It should say the latest Definition file.

Then scan using a "Full Scan"

and then post your logfile here by using the Add Reply feature.

By default, Logs are stored in: C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.

An easy way to get there is to

click Start, click Run

And type in and press ENTER: %appdata%

then click Lavasoft, then Ad-Aware and then Logs.

Scroll down to find the latest one that you have

(by date & time)

and open it, right Click, select all, copy

and then paste the contents of it here.

(Make sure that all of your Logfile has been posted; sometimes it will require two posts to get it all)

 

-Configuring Ad-Aware Full-Scan

1) Start Ad-Aware SE

2) Click on the link "Check for updates now" press the connect button and follow the prompts to ensure you are up to date.

3) Press the start button and in the Preparing System Scan window select the option "Perform full system scan", click on "Search for negligible risk entries" so that it shows a red cross i.e. is deselected, and click on "Search for low-risk threats" so that it shows a green tick i.e. is selected.

4) Click the next button to start the full scan, when the scan finishes click on the show logfile button. In the log window right mouse click and select "Select all..." then right mouse click again and select "Copy to clipboard" then paste in a reply to this thread.

 

Note my advice in the post listed at the top, concerning possible delays ;)

 

Regards,

 

Spike


Hi spike-nz,

 

I have Ad-aware Personal Edition, and the latest version.

 

Anyway, running Ad-aware generates a blue screen of death on my Windows XP Pro, so I have to solve this problem first before I apply your solutions.

 

Thanks,

Mark


Hi spike-nz,

 

I've run both HijackThis and Ad-Aware in safe mode.

 

Here is the HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:43:06, on 21/09/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\WINDOWS\TEMP\win243.tmp.exe

C:\VundoFix.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-internet.fr/welcome/?varcl...;version=501596

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html

O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

 

I should add that I've already run Spybot to remove (temporarily) some of the malwares (Boran.g, etc.), so they don't appear here. But their processes are still running. I still have Boran.g when I run Spybot...

 

I'm using Ad-Aware build 1.06r1 with the SE1R124 19.09.2006 definition file. After Spybot, I ran Ad-Aware.

 

Here is the Ad-Aware log file:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:jeudi 21 septembre 2006 22:55:27

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R124 19.09.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0(TAC index:3):2 total references

MRU List(TAC index:0):34 total references

Tracking Cookie(TAC index:3):9 total references

Win32.Backdoor.Agent(TAC index:10):1 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Reanalyze results after scanning before displaying results lists

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

21-09-2006 22:55:27 - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\KGD\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\KGD\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles

Description : list of recently used files in adobe reader

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\internet explorer

Description : last download directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\medialibraryui

Description : last selected node in the microsoft windows media player media library

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\player\recentfilelist

Description : list of recently used files in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\player\settings

Description : last open directory used in jasc paint shop pro

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\preferences

Description : last playlist index loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\microsoft management console\recent file list

Description : list of recent snap-ins used in the microsoft management console

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\applets\paint\recent file list

Description : list of files recently opened using microsoft paint

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\applets\regedit

Description : last key accessed using the microsoft registry editor

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\applets\wordpad\recent file list

Description : list of recent files opened using wordpad

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\realnetworks\realplayer\6.0\preferences

Description : list of recent skins in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\realnetworks\realplayer\6.0\preferences

Description : list of recent clips in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\realnetworks\realplayer\6.0\preferences

Description : last login time in realplayer

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\winrar\dialogedithistory\extrpath

Description : winrar "extract-to" history

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 168

ThreadCreationTime : 21-09-2006 19:34:10

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 220

ThreadCreationTime : 21-09-2006 19:34:22

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 244

ThreadCreationTime : 21-09-2006 19:34:25

BasePriority : High

 

 

Win32.Backdoor.Agent Object Recognized!

Type : Process

Data : winrnt32.dll

TAC Rating : 10

Category : Virus

Comment : windpy32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Backdoor.Agent Object found in memory(C:\WINDOWS\system32\winrnt32.dll)

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 288

ThreadCreationTime : 21-09-2006 19:34:29

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Système d'exploitation Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Applications Services et Contrôleur

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. Tous droits réservés.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 300

ThreadCreationTime : 21-09-2006 19:34:29

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 460

ThreadCreationTime : 21-09-2006 19:34:32

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 504

ThreadCreationTime : 21-09-2006 19:34:32

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 572

ThreadCreationTime : 21-09-2006 19:34:33

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 852

ThreadCreationTime : 21-09-2006 19:35:19

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Système d'exploitation Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Explorateur Windows

InternalName : explorer

LegalCopyright : © Microsoft Corporation. Tous droits réservés.

OriginalFilename : EXPLORER.EXE

 

#:10 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 988

ThreadCreationTime : 21-09-2006 19:35:45

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

#:11 [vundofix.exe]

FilePath : C:\

ProcessID : 1188

ThreadCreationTime : 21-09-2006 19:42:35

BasePriority : Normal

FileVersion : 1.5.0

ProductVersion : 1.5.0

ProductName : Symantec Trojan.Vundo Removal Tool

CompanyName : Symantec Corporation

LegalCopyright : Copyright © 2004 Symantec Corporation

OriginalFilename : FixVundo.exe

 

#:12 [taskmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1520

ThreadCreationTime : 21-09-2006 20:54:00

BasePriority : High

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Système d'exploitation Microsoft® Windows®

CompanyName : Microsoft Corporation

FileDescription : Gestionnaire des tâches de Windows

InternalName : taskmgr

LegalCopyright : © Microsoft Corporation. Tous droits réservés.

OriginalFilename : taskmgr.exe

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 35

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 35

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 35

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:12

Value : Cookie:[email protected]/

Expires : 16-09-2026 00:22:42

LastSync : Hits:12

UseCount : 0

Hits : 12

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 20-09-2007 22:05:38

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:5

Value : Cookie:[email protected]/

Expires : 22-09-2006 07:42:50

LastSync : Hits:5

UseCount : 0

Hits : 5

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 17-09-2016 23:08:12

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/

Expires : 04-10-2006 23:11:50

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 17-09-2016 20:22:22

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 17-09-2016 23:51:12

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 19-03-2007 22:05:44

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:11

Value : Cookie:[email protected]/

Expires : 18-01-2038 02:00:00

LastSync : Hits:11

UseCount : 0

Hits : 11

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 9

Objects found so far: 44

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

0 Possible New Malware 0 Object Recognized!

Type : File

Data : mst74.tmp

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\KGD\Local Settings\Temp\

 

 

 

0 Possible New Malware 0 Object Recognized!

Type : File

Data : mst8A.tmp

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\KGD\Local Settings\Temp\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 46

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 46

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 46

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 46

 

23:24:25 Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:28:57.625

Objects scanned:243744

Objects identified:11

Objects ignored:0

New critical objects:11

 

 

I've run FixVundo.exe, which popped up a window saying all files have been deleted, but the pop-ups written in Italian are still appearing...

 

Right after Ad-Aware stopped removing the malwares, I got a blue screen of death because of winlogon.exe. This file is infected but I guess it is a necessary component for the system, so when Ad-Aware unloads it, it makes the system crash.

 

In a word, none of the solutions worked out. I still have ALL my malwares.

 

I fear that for the moment, there are no known ways to remove these malwares. Thousands of people over the world are experiencing the same problems.

 

Regards,

Mark

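A small triage script for HijackThis logs like the one Mark posted above, added here as an example; it is not part of this thread and not a HijackThis or Lavasoft tool. It splits a log into the running-process list and the R*/O* entry lines, then flags the items a malware-removal helper checks first: DNS servers (O17) and a browser proxy (R1) that are not on an operator-supplied trusted list, unnamed BHOs (O2), services whose file is missing (O23), orphaned SSODL entries (O21), downloaded ActiveX controls (O16) and anything running from a Temp directory. The sample lines are copied from the log above; the `trusted_dns` and `expected_proxies` arguments are hypothetical operator input, and the O4 Temp-directory check generalises beyond what this particular log shows.

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example, not part of this thread or of the HijackThis / Lavasoft tools.
It splits a log into the running-process list and the "Rn"/"On" entry lines,
then flags the items a malware-removal helper checks first. The trusted DNS
and proxy lists passed to triage() are hypothetical operator input.
"""
import re
from dataclasses import dataclass

# Entry lines look like "O4 - HKLM\..\Run: [name] cmd" or "R1 - HKCU\...,ProxyServer = host:port"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Run-key entries carry "[display name] command line" after the key path
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\win243.tmp.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, or "PROC" for the running-process list
    reason: str
    line: str


def parse_log(text):
    """Split a log into (running process paths, [(code, body, line), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("code"), m.group("body"), line))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text, trusted_dns=(), expected_proxies=()):
    """Return the entries worth a second look, in log order."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        if "\\temp\\" in path.lower():
            findings.append(Finding("PROC", "executable running from a Temp directory", path))
    for code, body, line in entries:
        if code == "O17":
            # Per-adapter DNS servers; DNS hijackers point these at servers they control
            m = re.search(r"NameServer = (.+)$", body)
            bad = [s.strip() for s in m.group(1).split(",") if s.strip() not in trusted_dns] if m else []
            if bad:
                findings.append(Finding(code, "DNS servers outside the trusted set: " + ", ".join(bad), line))
        elif code == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            if proxy not in expected_proxies:
                findings.append(Finding(code, "browser proxy set to " + proxy, line))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            # A BHO is a DLL loaded into every Internet Explorer process
            findings.append(Finding(code, "unnamed Browser Helper Object", line))
        elif code == "O4":
            m = RUN_RE.search(body)
            if m and "\\temp\\" in m.group("cmd").lower():
                findings.append(Finding(code, "autorun entry launching from a Temp directory", line))
        elif code == "O16":
            findings.append(Finding(code, "downloaded ActiveX control (DPF)", line))
        elif code == "O21" and body.endswith("(no file)"):
            findings.append(Finding(code, "ShellServiceObjectDelayLoad entry whose DLL is gone", line))
        elif code == "O23" and "(file missing)" in body:
            findings.append(Finding(code, "service registered for a file that no longer exists", line))
    return findings


def summary(findings):
    """Count findings per section code, e.g. {"O17": 1, "O23": 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<5} {f.reason}\n      {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

The script only highlights entries; it changes nothing on the machine. Named entries such as the Acrobat BHO and the ATI service pass through untouched, which is the point: the helper's time goes to the unnamed DLLs, the foreign DNS servers and the orphaned hooks.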

Hi you have numerous infections that are difficult to remove but not impossible.

 

First though, please make a new folder to put your HijackThis.exe into

 

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:

http://russelltexas.com/malware/createhjtfolder.htm

This is to ensure it makes the necessary backups for recovery if needed.

Unzip/decompress the HijackThis.zip file and save the contents (HijackThis.exe) to the new folder you made and make sure you run it from there.

 

First, though - we are going to rename your HijackThis.exe

 

Find the file in the new folder you made. Right-click on HijackThis.exe, choose *rename* from the menu that pops up and name the file HJT.exe. When done, go ahead and close that window.

Now double-click on the newly renamed HJT.exe in normal mode to produce a new log.

 

Post that log back here please.

 

.................................

Next, run this tool for the wareout infection I see on there. It has stealth capability and I would like to get rid of it first.

 

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.

You will be asked to reboot your computer; please do so.

Your system may take longer than usual to load; this is normal.

Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

...............................

 

Then I need to see a log from this tool as well

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply


Hi Calamity Jane,

 

Thanks for your support. I really hope I'll manage to get rid of these nuisances. I have already been infected for a week...

 

I've done all what you asked.

 

Here is the HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 19:28:34, on 22/09/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Xi\NetXfer\NetTransport.exe

C:\Program Files\UEdit32\uedit32.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\eMule\emule.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\java.exe

C:\hijack\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-internet.fr/welcome/?varcl...;version=501596

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll

O2 - BHO: (no name) - {2ACC0345-A4AD-4A21-AAB4-C24EE9D3AAF7} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll

O2 - BHO: (no name) - {887C1B4A-3F08-4BE5-ABA2-9633BF159948} - \

O2 - BHO: (no name) - {92813339-7DD9-4B6E-81AE-B1FFC8F819C1} - C:\WINDOWS\system32\mljjh.dll

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html

O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\eyentlog.dll (file missing)

O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\djkquota.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

 

Next, here is the Fixwareout log:

 

 

Fixwareout ver 1.003

Last edited 8/11/2006

Post this report in the forums please

 

Reg Entries that were deleted

...

 

Microsoft ® Windows Script Host Version 5.6

Random Runs removed from HKLM

...

 

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

 

»»»»» Searching by size/names...

 

»»»»»

Search five digit cs, dm and jb files.

This WILL/CAN also list Legit Files, Submit them at Virustotal

 

Other suspects.

Directory of C:\WINDOWS\system32

 

»»»»» Misc files.

 

»»»»» Checking for older varients covered by the Rem3 tool.

 

And finally, here is the ComboFix log:

 

KGD - 06-09-22 19:58:13,84 Service Pack 2

ComboFix 06.09.23 - Running from: "C:\hijack"

Command switches used ::

 

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

 

REGISTRY ENTRIES REMOVED:

 

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}]

@=""

"IDEx"="ADDR"

 

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}\InprocServer32]

@="C:\\WINDOWS\\system32\\djkquota.dll"

"ThreadingModel"="Apartment"

 

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}]

@=""

"IDEx"="ADDR"

 

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}\InprocServer32]

@="C:\\WINDOWS\\system32\\eyentlog.dll"

"ThreadingModel"="Apartment"

 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

Granting sedebugprivilege to Administrateurs ... successful

 

 

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Documents and Settings\KGD\Local Settings\Temp\Utilities\Bin\x86\dxcc.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\ismini.exe

C:\WINDOWS\system32\issearch.exe

C:\WINDOWS\system32\components

C:\Program Files\Fichiers communs\{E496EB0F-0C78-1036-0331-060506220021}

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))

 

 

2006-09-22 19:54 61,440 --a------ C:\WINDOWS\system32\stdagent.dll

2006-09-22 19:54 51,712 --a------ C:\WINDOWS\system32\albus.dll

2006-09-22 19:54 49,152 --a------ C:\WINDOWS\system32\stdvote.dll

2006-09-22 19:54 32,768 --a------ C:\WINDOWS\system32\stdplay.dll

2006-09-22 19:54 16,384 --a------ C:\WINDOWS\system32\alsmt.exe

2006-09-22 19:54 114,688 --a------ C:\WINDOWS\system32\stdup.exe

2006-09-21 08:13 10,402,992 --a------ C:\ssfsetup4129.exe

2006-09-21 08:12 45,568 --a------ C:\ATF-Cleaner.exe

2006-09-21 08:12 166,064 --a------ C:\VundoFix.exe

2006-09-20 23:45 761,715 ---hs---- C:\WINDOWS\system32\hjjlm.bak2

2006-09-19 23:45 86,068 --a------ C:\WINDOWS\system32\dmadsxgp.dll

2006-09-19 23:45 743,255 ---hs---- C:\WINDOWS\system32\hjjlm.bak1

2006-09-19 23:45 577,588 ---hs---- C:\WINDOWS\system32\mljjh.dll

2006-09-19 23:40 94,208 --a------ C:\WINDOWS\system32\uhvjsul.dll

2006-09-19 23:40 72,704 --a------ C:\WINDOWS\system32\unaoakg.dll

2006-09-19 23:40 40,973 ---hs---- C:\WINDOWS\system32\khfccaw.dll

2006-09-19 23:08 131,072 --a------ C:\WINDOWS\system32\datestamp.dll

2006-09-09 00:30 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll

2006-09-09 00:30 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll

2006-09-09 00:30 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll

2006-09-09 00:30 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll

2006-09-09 00:30 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll

2006-09-09 00:30 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll

2006-09-09 00:30 76,288 --a------ C:\WINDOWS\system32\uniime.dll

2006-09-09 00:30 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll

2006-09-09 00:30 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll

2006-09-09 00:30 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll

2006-09-09 00:30 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll

2006-09-09 00:30 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll

2006-09-09 00:30 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll

2006-09-09 00:30 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd106.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll

2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101.dll

2006-09-09 00:30 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

2006-09-09 00:30 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll

2006-09-09 00:30 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll

2006-08-31 00:44 15,360 --a------ C:\WINDOWS\system32\BASSMOD.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-09-22 19:58 -------- d-------- C:\Program Files\Fichiers communs

2006-09-22 19:54 28672 --a------ C:\WINDOWS\system32\drivers\Albus.SYS

2006-09-22 16:47 -------- d-------- C:\Program Files\eMule

2006-09-20 23:04 -------- d-------- C:\Program Files\Fichiers communs\aolshare

2006-09-20 22:56 -------- d-------- C:\Program Files\UEdit32

2006-09-20 20:14 -------- d-------- C:\Program Files\Lavasoft

2006-09-20 20:14 -------- d-------- C:\Documents and Settings\KGD\Application Data\Lavasoft

2006-09-19 23:58 -------- d--h----- C:\Program Files\InstallShield Installation Information

2006-09-19 23:58 -------- d-------- C:\Program Files\FBM Software

2006-09-19 23:52 -------- d-------- C:\Program Files\Dell

2006-09-15 20:37 -------- d-------- C:\Program Files\PrintView

2006-09-14 23:12 -------- d-------- C:\Program Files\MetaTrader 4

2006-09-11 23:34 -------- d---s---- C:\Documents and Settings\KGD\Application Data\Microsoft

2006-09-11 23:24 -------- d-------- C:\Program Files\Microsoft Office

2006-09-11 23:24 -------- d-------- C:\Program Files\Microsoft ActiveSync

2006-09-11 23:24 -------- d-------- C:\Program Files\Fichiers communs\Microsoft Shared

2006-09-11 23:24 -------- d-------- C:\Program Files\Fichiers communs\Designer

2006-09-08 00:02 -------- d-------- C:\Program Files\DivX

2006-09-06 21:45 -------- d-------- C:\Documents and Settings\KGD\Application Data\Apple Computer

2006-09-06 21:42 -------- d-------- C:\Program Files\QuickTime

2006-09-05 08:20 -------- d-------- C:\Documents and Settings\KGD\Application Data\Real

2006-09-05 08:16 -------- d-------- C:\Program Files\Fichiers communs\xing shared

2006-09-05 08:16 -------- d-------- C:\Program Files\Fichiers communs\Real

2006-09-04 22:32 -------- d-------- C:\Program Files\Fichiers communs\Adobe

2006-09-04 22:32 -------- d-------- C:\Documents and Settings\KGD\Application Data\Adobe

2006-09-03 17:37 -------- d-------- C:\Program Files\Microsoft DirectX SDK (June 2006)

2006-09-01 22:29 -------- d-------- C:\Program Files\Dl_cats

2006-08-23 00:18 -------- d-------- C:\Documents and Settings\KGD\Application Data\ACD Systems

2006-08-22 14:28 -------- d-------- C:\Program Files\Fichiers communs\ACD Systems

2006-08-22 14:27 -------- d-------- C:\Program Files\ACD Systems

2006-08-21 16:04 -------- d-------- C:\Program Files\Club-Internet

2006-08-21 15:05 56 -r-hs---- C:\WINDOWS\system32\B9836B8D7A.sys

2006-08-21 15:05 4182 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2006-08-21 14:45 -------- d-------- C:\Program Files\Fichiers communs\kzro

2006-08-21 14:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll

2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe

2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys

2006-08-20 14:01 -------- d-------- C:\Program Files\Windows Media Player

2006-08-19 16:03 -------- d-------- C:\Program Files\Fichiers communs\aliaswavefront shared

2006-08-19 16:03 -------- d-------- C:\Program Files\Fichiers communs\Alias Shared

2006-08-19 14:52 -------- d-------- C:\Program Files\MSN

2006-08-19 14:36 -------- d-------- C:\Program Files\Winamp

2006-08-19 14:26 -------- d-------- C:\Documents and Settings\KGD\Application Data\IDMComp

2006-08-17 16:38 -------- d-------- C:\Program Files\JpegWizard2

2006-08-17 16:32 -------- d-------- C:\Program Files\Xi

2006-08-17 15:20 -------- d-------- C:\Program Files\MSN Messenger

2006-08-17 15:07 -------- d-------- C:\Program Files\Java

2006-08-17 15:06 -------- d-------- C:\Program Files\netbeans-5.0

2006-08-17 15:04 -------- d-------- C:\Program Files\Fichiers communs\InstallShield

2006-08-17 15:00 -------- d-------- C:\Program Files\WinZip

2006-08-17 15:00 -------- d-------- C:\Program Files\WinRAR

2006-08-16 17:30 -------- d-------- C:\Program Files\Internet Explorer

2006-08-16 17:27 -------- d-------- C:\Program Files\Outlook Express

2006-08-16 17:27 -------- d-------- C:\Program Files\Fichiers communs\System

2006-08-16 16:43 -------- d-------- C:\Program Files\Security Task Manager

2006-08-11 19:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe

2006-08-11 19:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2006-08-11 19:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll

2006-08-11 19:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll

2006-08-11 19:31 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2006-08-11 19:31 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll

2006-08-11 19:31 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll

2006-08-11 19:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll

2006-08-11 19:31 620180 --a------ C:\WINDOWS\system32\DivX.dll

2006-08-11 19:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll

2006-08-11 19:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll

2006-08-11 19:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll

2006-08-11 19:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll

2006-08-11 19:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll

2006-08-11 19:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll

2006-08-11 19:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll

2006-08-11 19:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

2006-08-11 19:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

2006-08-11 19:27 -------- d-------- C:\Documents and Settings\KGD\Application Data\Macromedia

2006-08-11 19:10 -------- d-------- C:\Program Files\Fichiers communs\Motive

2006-08-11 19:09 -------- d-------- C:\Program Files\Motive

2006-08-11 19:09 -------- d-------- C:\Program Files\Common Files

2006-08-11 19:06 -------- d-------- C:\Program Files\BroadJump

2006-08-11 13:45 15890 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys

2006-08-11 13:44 -------- d-------- C:\Program Files\TRENDware

2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll

2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2006-07-27 04:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe

2006-07-27 04:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe

2006-07-21 10:27 72704 --a------ C:\WINDOWS\system32\hlink.dll

2006-06-22 07:13 69120 --a------ C:\WINDOWS\system32\ciodm.dll

2006-06-22 07:13 1440768 --a------ C:\WINDOWS\system32\query.dll

2006-06-07 19:55 3753 --a------ C:\Program Files\html2.htm

2006-06-07 19:55 3626 --a------ C:\Program Files\html1.htm

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"

"SetDefaultMIDI"="MIDIDef.exe"

"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"

"dlccmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 924\\dlccmon.exe\""

"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"

"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""

"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"

"SigmatelSysTrayApp"="stsystra.exe"

"MBMon"="Rundll32 CTMBHA.DLL,MBMon"

"DLCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCCtime.dll,[email protected]"

"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

"alsmt.exe"="C:\\WINDOWS\\system32\\alsmt.exe"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Ma page d'accueil"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoCDBurning"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

"kzro"="C:\\PROGRA~1\\FICHIE~1\\kzro\\kzrom.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^AOL 9.0 Icône AOL.lnk]

"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\AOL 9.0 Icône AOL.lnk"

"backup"="C:\\WINDOWS\\pss\\AOL 9.0 Icône AOL.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\AOL9~1.0\\aoltray.exe -check"

"item"="AOL 9.0 Icône AOL"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^KGD^Menu Démarrer^Programmes^Démarrage^Club Internet.lnk]

"path"="C:\\Documents and Settings\\KGD\\Menu Démarrer\\Programmes\\Démarrage\\Club Internet.lnk"

"backup"="C:\\WINDOWS\\pss\\Club Internet.lnkStartup"

"location"="Startup"

"command"="C:\\PROGRA~1\\CLUB-I~1\\Lanceur\\lanceur.exe "

"item"="Club Internet"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="v1201"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\v1201.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BJCFD]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="CFD"

"hkey"="HKLM"

"command"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Corel Photo Downloader]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MediaDetect"

"hkey"="HKLM"

"command"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ctfmon"

"hkey"="HKCU"

"command"="C:\\WINDOWS\\system32\\ctfmon.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DLA]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DLACTRLW"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="isuspm"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Fichiers communs\\InstallShield\\UpdateService\\isuspm.exe\" -startup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="issch"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Fichiers communs\\InstallShield\\UpdateService\\issch.exe\" -start"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dumprep 0 -k"

"hkey"="HKLM"

"command"="%systemroot%\\system32\\dumprep 0 -k"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\kzro]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="kzrom"

"hkey"="HKCU"

"command"="C:\\PROGRA~1\\FICHIE~1\\kzro\\kzrom.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCAgentExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="McAgent"

"hkey"="HKLM"

"command"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\McRegWiz]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mcregwiz"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCUpdateExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="McUpdate"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MPFExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MpfTray"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSKAGENTEXE]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MskAgent"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSKDetectorExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MSKDetct"

"hkey"="HKLM"

"command"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msnmsgr"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OASClnt]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="oasclnt"

"hkey"="HKLM"

"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PVModule]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="pvmodule"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\StandardInstall]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\uhvjsul.dll]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="uhvjsul"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="UpdReg"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\UpdReg.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VirusScan Online]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mcvsshld"

"hkey"="HKLM"

"command"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VoiceCenter]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AndreaVC"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe\" /tray"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VSOCheckTask]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mcmnhdlr"

"hkey"="HKLM"

"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="winampa"

"hkey"="HKLM"

"command"="C:\\Program Files\\Winamp\\winampa.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinAntiVirusPro2006]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="WinAV"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\WinAntiVirus Pro 2006\\WinAV.exe\" /min"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xgs51850]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="RUNDLL32"

"hkey"="HKLM"

"command"="RUNDLL32.EXE wa94a40c.dll,n 0035184d0000000aa94a40c"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]

"MskService"=dword:00000002

"MpfService"=dword:00000002

"mcupdmgr.exe"=dword:00000003

"McTskshd.exe"=dword:00000002

"McShield"=dword:00000002

"McDetect.exe"=dword:00000002

"BITS"=dword:00000002

"dlcc_device"=dword:00000003

"AOL ACS"=dword:00000002

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjh

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Rappel d'abonnement 1 auprŠs de l'ISP.job

 

Completion time: 22/09/2006 20:01:11.03

ComboFix.txt

 

This very last log seems to be more interesting than the 2 previous ones, it has detected all the malwares (WinAntiVirusPro2006 is also one of these).

 

Have a nice week-end,

Mark


Thanks, Mark! Give me a little bit to chew through these and write up some next cleanup steps.

 

I'm sure we can get you squared away, :)

 

It just may take a number of steps (you sure had some doozies!) :)


Apologies for the late reply here, I had a computer crash and lost ALL my notes - so this is the 2nd effort. {sigh}

 

I need to get some copies of files from you so I can submit for detection please.

 

Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press New Topic (make the subject: For CalamityJane from Mark53 at LS),

fill in a short message, then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the "more attachments" button for each extra file and browse and select it; when all the files are listed in the window, press the *Post* button to upload the files.

 

Note: If a file is not found, go on to the next one please. It will likely take more than one post to get all of these in (I think there is a limit of 10 files per post)

 

Files to attach for upload:

 

C:\WINDOWS\system32\stdagent.dll

C:\WINDOWS\system32\albus.dll

C:\WINDOWS\system32\stdvote.dll

C:\WINDOWS\system32\stdplay.dll

C:\WINDOWS\system32\alsmt.exe

C:\WINDOWS\system32\stdup.exe

C:\WINDOWS\system32\dmadsxgp.dll

C:\WINDOWS\system32\uhvjsul.dll

C:\WINDOWS\system32\unaoakg.dll

C:\WINDOWS\system32\khfccaw.dll

C:\WINDOWS\system32\datestamp.dll

C:\WINDOWS\system32\mljjh.dll

C:\WINDOWS\v1201.exe

wa94a40c.dll (You'll need to search on this file to find its location)

C:\WINDOWS\system32\drivers\Albus.SYS

C:\PROGRAM FILES\PRINTVIEW <---all files in that folder

C:\PROGRA~1\FICHIE~1\kzro <---all files in that folder

 

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to register to start a topic or upload; anybody can upload the files.

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I'll be able to collect them from there. Thanks!

................

Once you have done that task, please return here and follow these steps next:

 

1. Go to your Control Panel and look in Add/Remove Programs. If any of the following is found, highlight it and press *remove*.

 

WinAntiVirus Pro

 

PrintView

 

Next, Open HijackThis and do a *system scan only*

When it finishes, checkmark these entries, then press the *fix checked* button:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

 

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll

 

O2 - BHO: (no name) - {2ACC0345-A4AD-4A21-AAB4-C24EE9D3AAF7} - (no file)

 

O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll

 

O2 - BHO: (no name) - {887C1B4A-3F08-4BE5-ABA2-9633BF159948} - \

 

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

 

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

 

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\eyentlog.dll (file missing)

 

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\djkquota.dll (file missing)

 

O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

 

O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

 

Delete these files and/or folders:

 

C:\Program Files\WinAntiVirus Pro 2006

 

C:\PROGRAM FILES\PRINTVIEW

..............................

Please download

VundoFix.exe

to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
  • Please post the contents of C:\vundofix.txt and a new
    HiJackThis log.

........................

We also need to get a log from this free tool

 

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 


Open the SmitfraudFix folder

 

Double-click smitfraudfix.cmd

 

Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt. Post the results back here please.


Hi Calamity,

 

Once again, you apologize for the delay while I think you reply very fast and I thank you for your reactivity.

 

Anyway, I have posted the files you asked (some have already been deleted by anti-spywares or fixes). Tell me if you got them. I had a timeout error while I was uploading the ZIP file.

 

I couldn't find WinAntivirus Pro nor Printview in the installed programs, though I still have WinAntivirus pop-ups.

 

In C:\Program Files\PrintView, it was impossible to remove printhook030.dll. I just hope they weren't necessary files for printing.

 

I've run VundoFix (and it's not the first time). It once again found and removed the Trojan.Vundo from my computer. Here is its log :

 

Symantec Trojan.Vundo Removal Tool 1.5.0

The process "IEXPLORE.EXE" might be affected by the threat. It has been suspended.

The process "IEXPLORE.EXE" might be affected by the threat. It has been terminated.

 

C:\System Volume Information: (not scanned)

D:\System Volume Information: (not scanned)

 

Trojan.Vundo has been successfully removed from your computer!

 

Here is the report:

 

The total number of the scanned files: 155678

The number of deleted files: 0

The number of viral processes terminated: 1

The number of viral processes suspended: 1

The number of viral threads terminated: 0

The number of registry entries fixed: 0

 

And finally, here is the log generated by SmitfraudFix :

 

SmitFraudFix v2.96

 

Rapport fait à 12:15:58,22, 23/09/2006

Executé à partir de C:\SmitfraudFix

OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT

Fix executé en mode normal

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

C:\WINDOWS\keyboard1.dat PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\ot.ico PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\KGD\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KGD\Favoris

 

C:\DOCUME~1\KGD\Favoris\Antivirus Test Online.url PRESENT !

 

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Ma page d'accueil"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Fin

 

Thanks again for your help,

Mark


Hi Mark,

 

I'm just now coming in for the morning and first cup of coffee in hand, so not quite awake yet, but I'm heading over to look at the files you uploaded and will report back here once I have a chance to examine them.

 

One thing jumps out at me and this is that you are using the Symantec Vundo removal tool.

 

The link I posted is for VundoFix by Atribune who is a volunteer researcher that monitors this infection daily to update the tool, which is much more up to date on removing Vundo.

Could you go back up and use the tool in my instruction for VundoFix and post a report from it please?

.................

Next, we need to do step 2 of SmitfraudFix based upon the results of your report.

 

NOTE: This fix step of this tool needs to be run in SAFE MODE! (So make a copy of these instructions to have handy.)

 

1. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

2. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

3. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log

 

VundoFix log from Atribune's tool (not Symantec)


Regarding your question about PrintView

 

In C:\Program Files\PrintView, it was impossible to remove printhook030.dll. I just hope they weren't necessary files for printing.

 

This is a fairly newly discovered adware program - not anything to do with your print function really, and usually found installed without the user's knowledge, so it may have come in a bundle with something else.

 

Here is Researcher Tony Klein's writeup on it:

http://www.castlecops.com/tk30506-PrintViewBHO_Class.html

GUID {D4E0C464-30CE-4075-9A10-71FD106C2847}

Filename printhook030.dll, PRINTH~1.DLL

Object Name PrintViewBHO Class

Status X BHO

Description Adperform.com/adoptim.com adware, file located in a Program Files\PrintView folder. The accompanying executable (pvmodule.exe) is detected by AntiVir antivirus as TR/Dldr.Agent.alb. NOTE: the 'real' PrintView installs in a C:\CBR folder instead.

 

And the scan results on pvmodule.exe you uploaded:

Complete scanning result of "pvmodule.exe", received in VirusTotal at 09.23.2006, 14:42:53 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.18 09.22.2006 TR/Dldr.Agent.alb

Authentium 4.93.8 09.23.2006 no virus found

Avast 4.7.844.0 09.22.2006 no virus found

AVG 386 09.22.2006 no virus found

BitDefender 7.2 09.23.2006 no virus found

CAT-QuickHeal 8.00 09.22.2006 TrojanDropper.Agent.alb

ClamAV devel-20060426 09.23.2006 no virus found

eTrust-InoculateIT 23.73.3 09.23.2006 no virus found

eTrust-Vet 30.3.3093 09.22.2006 no virus found

DrWeb 4.33 09.22.2006 no virus found

Ewido 4.0 09.23.2006 no virus found

Fortinet 2.82.0.0 09.23.2006 suspicious

F-Prot 3.16f 09.22.2006 no virus found

F-Prot4 4.2.1.29 09.23.2006 no virus found

Ikarus 0.2.65.0 09.23.2006 no virus found

Kaspersky 4.0.2.24 09.23.2006 no virus found

McAfee 4858 09.22.2006 no virus found

Microsoft 1.1560 09.23.2006 no virus found

NOD32v2 1.1768 09.22.2006 no virus found

Norman 5.80.02 09.22.2006 no virus found

Panda 9.0.0.4 09.23.2006 no virus found

Sophos 4.09.0 09.23.2006 no virus found

Symantec 8.0 09.23.2006 no virus found

TheHacker 6.0.1.077 09.22.2006 no virus found

UNA 1.83 09.22.2006 no virus found

VBA32 3.11.1 09.23.2006 no virus found

VirusBuster 4.3.7:9 09.23.2006 no virus found

 

Aditional Information

File size: 50688 bytes

MD5: 1599c68387c28ea6d32a65941930d12c

SHA1: 51030b1f01bd509c86483cec4d814aecdfd7a21a

 

 

I'm still going through these files you sent. Am waiting for the results of your VundoFix and SmitfraudFix runs with logs requested above


Hi Calamity,

 

Well then, you're pretty dedicated in your job. ;-)

 

Here is the VundoFix log :

 

VundoFix V6.1.6

 

Checking Java version...

 

Java version is 1.4.2.3

 

Java version is 1.5.0.8

 

Scan started at 19:01:37 23/09/2006

 

Listing files found while scanning....

 

C:\WINDOWS\system32\mljjh.dll

C:\WINDOWS\system32\hjjlm.ini

C:\WINDOWS\system32\hjjlm.bak1

C:\WINDOWS\system32\hjjlm.bak2

 

I managed to remove Vundo after a reboot.

 

Then I ran smitfraudfix, and here is the log :

 

 

Fixwareout ver 1.003

Last edited 8/11/2006

Post this report in the forums please

 

Reg Entries that were deleted

...

 

Microsoft ® Windows Script Host Version 5.6

Random Runs removed from HKLM

...

 

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

 

»»»»» Searching by size/names...

 

»»»»»

Search five digit cs, dm and jb files.

This WILL/CAN also list Legit Files, Submit them at Virustotal

 

Other suspects.

Directory of C:\WINDOWS\system32

 

»»»»» Misc files.

 

»»»»» Checking for older varients covered by the Rem3 tool.

 

I ran it several times, that's why the infected dll's don't appear there.

 

And here is the hijackthis log :

 

Logfile of HijackThis v1.99.1

Scan saved at 19:33:09, on 23/09/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\Rundll32.exe

C:\DOCUME~1\KGD\LOCALS~1\Temp\clclean.0001

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\hijack\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-internet.fr/welcome/?varcl...;version=501596

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3D00FA78-F963-4CF4-87CE-43962B205AA7} - C:\WINDOWS\system32\mljjh.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html

O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Standard Br Service (stdsverex) - Unknown owner - C:\WINDOWS\system32\stdup.exe (file missing)

 

Thanks again,

Mark


Make a copy of these instructions to have handy as this next step needs to be done with IE and any other browsers closed (so you won't be able to view this window)

 

Now close all browsers and any open windows, having only HijackThis open.

 

Open HijackThis and do a *system scan only*

When it finishes, place a checkmark next to these entries in the list:

 

O2 - BHO: (no name) - {3D00FA78-F963-4CF4-87CE-43962B205AA7} - C:\WINDOWS\system32\mljjh.dll (file missing)

 

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

 

O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

 

O23 - Service: Standard Br Service (stdsverex) - Unknown owner - C:\WINDOWS\system32\stdup.exe (file missing)

 

Reboot your computer

 

After the reboot, scan once more and post a fresh HijackThis log please.

 

Then press the *fix checked* button.


Hi Calamity,

 

Beware of your recommendations, deleting the keys :

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

 

removed my DNS server configuration. I had to set it up again.

 

Anyway, just placing a checkmark in front of lines doesn't seem to do anything if you don't click on "fix checked". That's what I did, and it deleted it all. After the next reboot, only stdup.exe was still here. In fact, it's because it's a service. I deactivated it in "services.msc" (I don't know how to permanently delete them).

 

Here is the final log :

 

Logfile of HijackThis v1.99.1

Scan saved at 06:45:43, on 24/09/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\DOCUME~1\KGD\LOCALS~1\Temp\clclean.0001

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\eMule\emule.exe

C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE

C:\Program Files\Club-Internet\Dr Club Internet\bin\mad.exe

C:\Program Files\Club-Internet\Dr Club Internet\bin\mpbtn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\hijack\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-internet.fr/welcome/?varcl...;version=501596

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html

O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

 

Things seem to be better now. All you have to do is include all these malware removal steps in the next version of Ad-aware. ;-)

 

Regards,

Mark

Hi Calamity,

 

Beware of your recommendations, deleting the keys :

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

 

removed my DNS server configuration. I had to set it up again.

 

Now THAT is surprising :) . IP lookup shows that as Inhoster in the Ukraine, which often hosts websites of dubious repute (which was what made me think you had the Wareout pest). This was the lookup results on that IP

 

WHOIS results for 85.255.116.98

Generated by www.DNSstuff.com

 

% Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255

netname: inhoster

descr: Inhoster hosting company

descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

 

See this article by Suzi Turner of SpywareWarrior (also writes a Spyware Blog at ZDnet):

ISPs hosting spyware - who are they?

http://blogs.zdnet.com/Spyware/?p=763

.................

And I'm glad you figured out to use the *fix checked*. A bad copy & paste on my part: that line ended up out of order at the end of my post instead of after the list of entries.

 

After the next reboot, only stdup.exe was still here. In fact, it's because it's a service. I deactivated it in "services.msc" (I don't know how to permanently delete them).

HijackThis has a section under *Misc. Tools Section* to delete a service.

 

Use the *Delete a NT Service button* to delete this one:

 

Standard Br Service

or (stdsverex)

 

That service was part of the Boran adware you had, all of which was fairly new and the reason I asked you to upload some files for me. In addition to examining them to determine what they were, I was also able to submit those files to the Research Team to add for detection in Ad-Aware. :)

 

Your final HijackThis log looks good - no nasties showing. Is everything running OK now on your computer?
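An added check for O17 entries like the two quoted above (example code, not from the thread, HijackThis or Lavasoft): it parses the NameServer lines out of a HijackThis log and flags resolvers in the Inhoster netblock from the WHOIS answer, unless they are on an allowlist of resolvers the user deliberately configured, which is exactly the distinction that mattered here. The sample log (Mark's two lines plus a made-up LAN resolver) and the allowlist are constructed.

```python
import ipaddress
import re

# HijackThis "O17" lines report the per-interface NameServer values stored under
# HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
# (HijackThis abbreviates the middle of that path as "CCS\Services\Tcpip\..").
O17_RE = re.compile(r"^O17 - (?P<key>\S+?): NameServer = (?P<servers>[\d.,\s]+)$")

# Netblock from the WHOIS answer quoted in the thread: 85.255.112.0 - 85.255.127.255.
SUSPECT_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample: the two O17 lines from Mark's log plus a made-up LAN resolver.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Return [(registry_key, [resolver_ip, ...]), ...] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def classify(entries, allowlist):
    """Verdict per entry: 'ok' if every resolver was deliberately configured
    (on the allowlist), 'suspect' if any resolver sits in a known-bad netblock,
    otherwise 'unknown' (review before deleting: it may be a legitimate ISP server)."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    verdicts = []
    for key, servers in entries:
        ips = [ipaddress.ip_address(s) for s in servers]
        if all(ip in allowed for ip in ips):
            verdict = "ok"
        elif any(ip in net for ip in ips for net in SUSPECT_NETS):
            verdict = "suspect"
        else:
            verdict = "unknown"
        verdicts.append((key, verdict))
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify(parse_o17(SAMPLE_LOG), ["192.168.1.1"]):
        print(verdict, key)
```

With Mark's own resolvers placed on the allowlist, the same two entries come back as "ok" instead of "suspect", which is why the allowlist should be filled in before any O17 line is fixed.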


Well, you're right, I'm surprised to see that the DNS servers I'm using are Ukrainian. But let me tell you I've never had any problem with them, I've been using them for years. They're better than my current ISP's official DNS servers, which don't resolve all websites.

 

Thanks for the info about service deletion with HijackThis. I'd be glad to know how to do this using Windows, though. ;-)

 

I'm glad to know that my problem has allowed you to work on a new malware. Is it possible to integrate all the removal steps I've been through into Ad-Aware? It would be great to be able to remove all these malwares in one click. But we're always obliged to look for standalone removal tools, or to remove things by hand.

 

Anyway, everything is going fine now on my comp except one little thing that remains: the WinAntiVirus Pro 2006 icon still appears in the control panel and I don't know how to get rid of it.

 

Thanks,

Mark


In Windows XP, you can use sc.exe to delete a service (among other things as described here)

How to Create a Windows Service Using Sc.exe

http://support.microsoft.com/?kbid=251192

 

Could you please post the results of the SmitfraudFix tool that you ran? It should be on your hard drive, named Rapport.txt.

 

And, if I could get a report from this tool please:

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply.


Hi Mark53,

 

(Sorry to interrupt, Janie)

Here is the VundoFix log:

 

VundoFix V6.1.6

 

Checking Java version...

 

Java version is 1.4.2.3

 

Java version is 1.5.0.8

 

Scan started at 19:01:37 23/09/2006

Not a biggie, but it is safest to remove all outdated versions of Java, as they can be a security threat :D

 

(As usual, use add/remove programs)

 

Regards,

 

Spike


Hi all,

 

Sorry to interrupt. A friend of mine has an infected computer. I found the "Standard Br Service" and some other stuff. Since Mark also listed it, I think this is a good place to start the discussion.

 

The symptoms are as follows:

. The IE shortcuts on the desktop and in the quick launch bar are both set to "http://www.123wa.com"

. A number of extra toolbars appear in IE

. A number of extra right-click context menu items appear in IE

 

Underlying, I found these:

. Suspicious services:

Standard Br Service (stdsverex)

Standard Update Net Service

VisionService

. Suspicious files:

C:\Program Files\Vision\

C:\windows\system32\std.ini

C:\windows\system32\stdd.ini

C:\windows\system32\stdup.exe

And a whole bunch of "std" something

. Suspicious startup items identified by HijackThis:

O2 - BHO: Vision - ... C:\Program Files\Vision\vision.dll

O8 - Extra context menu item: ... C:\Program Files\Vision\vision.dll/mms.htm

O9 - Extra 'Tools' menuitem: ... C:\Program Files\Vision\vision.dll

O23 - Service: Standard Br Service (stdsverex) C:\windows\system32\stdup.exe

 

What I have tried:

. Disabling the extra toolbars in IE - succeeded

. Removing the IE shortcuts and recreating the correct ones - succeeded

. Removing stdup.exe - initially failed, succeeded after rebooting in safe mode

. Disabling VisionService - succeeded

. Deleting VisionService using sc.exe - succeeded

*. Disabling Standard Br Service - failed. The service was set to automatic, and I found no way to make it manual or disabled. Failed even in safe mode

*. Deleting Standard Br Service using sc.exe - failed. Failed even in safe mode

*. Removing the registry entries of Standard Br Service and VisionService - failed. When I tried to delete the whole subfolder of either of them, regedit stopped responding. The CPU usage was 100%, but it just could not finish the deletion. Failed even in safe mode

*. Removing the startup items - O8 and O9 succeeded, O2 and O23 failed. HijackThis did not report anything, but after clicking fix and rescanning they were still there. Failed even in safe mode

*. Removing the directory C:\Program Files\Vision - failed. The directory was indeed removed, but then it was immediately recreated. Even worse, it also triggered the recreation of VisionService

 

When I used AdAware to scan, it found the same things, but was unable to delete some of the files. I accepted the option to let AdAware delete the files after the next reboot, but it still could not delete the files after rebooting.

 

I tried to identify the hidden processes/services that recreated VisionService, but was unable to find them.

 

Each time after rebooting, if VisionService was recreated by the hidden monitoring process before the reboot, the IE shortcuts and context menus reappear.

 

I have spent quite some time searching the web for a solution. I think up to this moment all the suggestions are contained in the above list. I guess the malware has been strengthened since those suggestions were posted.

 

Please help.
