
Unable to remove spywares Boran.g et Smitfraud-C


19 replies to this topic

#1 Mark53

    Newbie

  • Members
  • 9 posts

Posted 20 September 2006 - 09:03 PM

Hi,

I'd like to draw your attention on these 2 spywares that can't be removed with Ad-aware (nor with other anti-spywares I tried). There are already hundreds of messages posted around the Net about how to remove these malwares, I guess I don't have to describe the problem once again.

The problem is simple : these malwares are loaded into memory and can't be removed just by deleting registry key values or files on hard disk.

I guess you really have to work on these, that's a real nuisance.

Without any efficient spywares available on the market, I'm obliged to spend hours trying solutions to remove the files on reboot and so on.

Thanks,
Mark

#2 spike-nz

    Advanced Member

  • Volunteer Security Advisor
  • 3092 posts

Posted 21 September 2006 - 05:54 AM

Hi Mark53,

In order for the malware experts to assist you, please post scan-logs as set out in my post here: trojandownloader.Zlob, Malware that can be deleted but returns immediately

IMPORTANT - Before Posting a HijackThis Log
Instructions on creating a HijackThis Log

For the Ad-Aware log, Please make sure that you are using
Ad-aware SE Build 106r1
Note: If your version is 6.0 and not the SE, you need to uninstall the older version first and get the latest version from the above link, then install SE.
Then use the WebUpDate to get the latest Definition file SE1R124 19.09.2006
To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe).
Click "Connect"
Ad-aware will then download the latest Definition file for you.
To make sure it is updated, look at the main Ad-aware screen under "Initialization Status".
It should say the Latest Definition file.
Then scan doing a "Full Scan"
and then post your logfile here by using the Add Reply feature.
By default, Logs are stored in: C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.
An easy way to get there is to click Start, click Run, and type in and press ENTER: %appdata%
then click Lavasoft, then Ad-Aware and then Logs.
Scroll down to find the latest one that you have (by date & time)
and open it, right click, select all, copy and then paste the contents of it here.
(Make sure that all of your logfile has been posted; sometimes it will require two posts to get it all)

-Configuring Ad-Aware Full-Scan
1) Start Ad-Aware SE
2) Click on the link "Check for updates now" press the connect button and follow the prompts to ensure you are up to date.
3) Press the start button and in the Preparing System Scan window select the option "Perform full system scan", click on "Search for negligible risk entries" so that it shows a red cross i.e. is deselected and click on "Search for low-risk threats" so that is shows green tick i.e. is selected.
4) Click the next button to start the full scan, when the scan finishes click on the show logfile button. In the log window right mouse click and select "Select all..." then right mouse click again and select "Copy to clipboard" then paste in a reply to this thread.

Note my advice in the post listed at the top, concerning possible delays ;)

Regards,

Spike

#3 Mark53

    Newbie

  • Members
  • 9 posts

Posted 21 September 2006 - 08:37 AM

Hi spike-nz,

I have Ad-aware Personal Edition, and the latest version.

Anyway, running Ad-aware generates a blue screen of death on my Windows XP Pro, so I have to solve this problem first before I apply your solutions.

Thanks,
Mark

#4 spike-nz

    Advanced Member

  • Volunteer Security Advisor
  • 3092 posts

Posted 21 September 2006 - 11:03 AM

Hi Mark53,

In the Lavasoft Support Forums > FAQ's > Ad-Aware SE > Technical section of the forum, there are these FAQs:

Ad-Aware SE terminates or PC reboots during scan, removal process

During An Ad-aware Scan, My Computer Restarts... What Is Wrong?

During an Ad-Aware scan, I get a bluescreen and my computer restarts, what is wrong?

During An Ad-aware Scan I Get A Bluescreen And My Computer Restarts... What Is Wrong?

Regards,

Spike

#5 Mark53

    Newbie

  • Members
  • 9 posts

Posted 21 September 2006 - 10:46 PM

Hi spike-nz,

I've run both HijackThis and Ad-Aware in safe mode.

Here is the HijackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 21:43:06, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\TEMP\win243.tmp.exe
C:\VundoFix.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-inte...;version=501596
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

I should point out that I've already run Spybot to remove (temporarily) some of the malware (Boran.g, etc.), so it doesn't appear here. But its processes are still running. I still have Boran.g when I run Spybot...

I'm using Ad-Aware build 1.06r1 with the SE1R124 19.09.2006 definition file. After Spybot, I ran Ad-Aware.

Here is the Ad-Aware log file :


Ad-Aware SE Build 1.06r1
Logfile Created on:jeudi 21 septembre 2006 22:55:27
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R124 19.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 Possible New Malware 0(TAC index:3):2 total references
MRU List(TAC index:0):34 total references
Tracking Cookie(TAC index:3):9 total references
Win32.Backdoor.Agent(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Reanalyze results after scanning before displaying results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


21-09-2006 22:55:27 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\KGD\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\KGD\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-2912502912-3640584721-1524951960-1005\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 168
ThreadCreationTime : 21-09-2006 19:34:10
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 220
ThreadCreationTime : 21-09-2006 19:34:22
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 244
ThreadCreationTime : 21-09-2006 19:34:25
BasePriority : High


Win32.Backdoor.Agent Object Recognized!
Type : Process
Data : winrnt32.dll
TAC Rating : 10
Category : Virus
Comment : windpy32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Backdoor.Agent Object found in memory(C:\WINDOWS\system32\winrnt32.dll)


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 288
ThreadCreationTime : 21-09-2006 19:34:29
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 300
ThreadCreationTime : 21-09-2006 19:34:29
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 460
ThreadCreationTime : 21-09-2006 19:34:32
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 504
ThreadCreationTime : 21-09-2006 19:34:32
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 21-09-2006 19:34:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 852
ThreadCreationTime : 21-09-2006 19:35:19
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 988
ThreadCreationTime : 21-09-2006 19:35:45
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:11 [vundofix.exe]
FilePath : C:\
ProcessID : 1188
ThreadCreationTime : 21-09-2006 19:42:35
BasePriority : Normal
FileVersion : 1.5.0
ProductVersion : 1.5.0
ProductName : Symantec Trojan.Vundo Removal Tool
CompanyName : Symantec Corporation
LegalCopyright : Copyright © 2004 Symantec Corporation
OriginalFilename : FixVundo.exe

#:12 [taskmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1520
ThreadCreationTime : 21-09-2006 20:54:00
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Gestionnaire des tâches de Windows
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : taskmgr.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@www.smartadserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:kgd@www.smartadserver.com/
Expires : 16-09-2026 00:22:42
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@tripod[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:kgd@tripod.com/
Expires : 20-09-2007 22:05:38
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@ads.addynamix[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:kgd@ads.addynamix.com/
Expires : 22-09-2006 07:42:50
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@estat[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:kgd@estat.com/
Expires : 17-09-2016 23:08:12
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@www.netster[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:kgd@www.netster.com/
Expires : 04-10-2006 23:11:50
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:kgd@bluestreak.com/
Expires : 17-09-2016 20:22:22
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@adtech[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:kgd@adtech.de/
Expires : 17-09-2016 23:51:12
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@clickbank[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:kgd@clickbank.net/
Expires : 19-03-2007 22:05:44
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kgd@netster[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:kgd@netster.com/
Expires : 18-01-2038 02:00:00
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 9
Objects found so far: 44



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0 Object Recognized!
Type : File
Data : mst74.tmp
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\Documents and Settings\KGD\Local Settings\Temp\



0 Possible New Malware 0 Object Recognized!
Type : File
Data : mst8A.tmp
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\Documents and Settings\KGD\Local Settings\Temp\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 46




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46

23:24:25 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:28:57.625
Objects scanned:243744
Objects identified:11
Objects ignored:0
New critical objects:11


I've run FixVundo.exe, which popped up a window saying all files had been deleted, but the pop-ups written in Italian are still appearing...

Right after Ad-Aware stopped removing the malwares, I got a blue screen of death because of winlogon.exe. This file is infected but I guess it is a necessary component for the system, so when Ad-Aware unloads it, it makes the system crash.

In a word, none of the solutions worked out. I still have ALL my malwares.

I fear that for the moment, there are no known ways to remove these malwares. Thousands of people over the world are experiencing the same problems.

Regards,
Mark
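The HijackThis logs in this thread are read by eye, and the helpers pick out the same kinds of lines each time: a proxy set in the R1 section, unnamed O2 BHOs, an O17 NameServer override, an O21 SSODL entry with no file behind it, an O23 service whose owner or file is missing, and processes running from TEMP or the drive root. The following is an added example, not code from this thread or from Lavasoft, that encodes those review rules as a small triage script over HijackThis v1.99 log text. The sample lines are taken from the logs posted above; the `trusted_dns` parameter is an assumption (a defender would fill it with the resolvers the machine is expected to use), and the rules are a starting checklist, so every hit is "verify this", not a verdict.

```python
import re

# Sample lines taken from the HijackThis logs posted in this thread (not a full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\win243.tmp.exe
C:\VundoFix.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll
O2 - BHO: (no name) - {2ACC0345-A4AD-4A21-AAB4-C24EE9D3AAF7} - (no file)
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# A HijackThis entry line: section code (R0/R1/O2/O17/...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# A process path directly under a drive root, e.g. c:\something.exe (lower-cased input).
ROOT_EXE_RE = re.compile(r"[a-z]:\\[^\\]+")


def triage(log_text, trusted_dns=frozenset()):
    """Return a list of (log line, reason) pairs worth a closer look.

    trusted_dns: resolvers an O17 NameServer line is allowed to name
    (assumed parameter; empty means any hard-coded resolver is flagged).
    """
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            low = line.lower()
            if "\\temp\\" in low or ROOT_EXE_RE.fullmatch(low):
                findings.append((line, "process running from a temp folder or drive root"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyServer =" in body:
            findings.append((line, "browser proxy configured; verify it is expected"))
        elif sec == "O2" and "(no name)" in body:
            note = "unnamed browser helper object"
            if body.endswith("(no file)"):
                note += " whose DLL is missing (orphaned entry)"
            findings.append((line, note))
        elif sec == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            unexpected = [s for s in servers if s not in trusted_dns]
            if unexpected:
                findings.append((line, "per-adapter DNS overridden to " + ",".join(unexpected)))
        elif sec == "O21" and body.endswith("(no file)"):
            findings.append((line, "ShellServiceObjectDelayLoad entry pointing at a missing file"))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((line, "service with unknown owner or missing binary"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Lines that match none of the rules (the Adobe BHO, the Dell Run entry, the ATI service) are left out, which is the point: the script shrinks a 60-line log to the handful of entries a helper would actually ask about. Passing the machine's known resolvers as `trusted_dns` silences the O17 rule for them while everything else still fires.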

#6 LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 22 September 2006 - 12:12 AM

Hi, you have numerous infections that are difficult to remove, but not impossible.

First though, please make a new folder to put your HijackThis.exe into

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
http://russelltexas....tehjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.
Unzip/decompress the HijackThis.zip file and save the contents (HijackThis.exe) to the new folder you made and make sure you run it from there.

First, though - we are going to rename your HijackThis.exe

Find the file in the new folder you made. Right-click on HijackThis.exe, choose *rename* from the menu that pops up and name the file HJT.exe. When done, go ahead and close that window.
Now doubleclick on the newly renamed: HJT.exe in normal mode to produce a new log.

Post that log back here please.

.................................
Next, run this tool for the wareout infection I see on there. It has stealth capability and I would like to get rid of it first.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc....Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
...............................

Then I need to see a log from this tool as well

1. Download this file - combofix.exe
http://download.blee...Bs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)


Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#7 Mark53

    Newbie

  • Members
  • 9 posts

Posted 22 September 2006 - 07:20 PM

Hi Calamity Jane,

Thanks for your support. I really hope I'll manage to get rid of these nuisances. I have been infected for 1 week already...

I've done everything you asked.

Here is the HijackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 19:28:34, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Xi\NetXfer\NetTransport.exe
C:\Program Files\UEdit32\uedit32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\java.exe
C:\hijack\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.fr/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-inte...;version=501596
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll
O2 - BHO: (no name) - {2ACC0345-A4AD-4A21-AAB4-C24EE9D3AAF7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: (no name) - {887C1B4A-3F08-4BE5-ABA2-9633BF159948} - \
O2 - BHO: (no name) - {92813339-7DD9-4B6E-81AE-B1FFC8F819C1} - C:\WINDOWS\system32\mljjh.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\eyentlog.dll (file missing)
O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\djkquota.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Next, here is the Fixwareout log:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

And finally, here is the ComboFix log:

KGD - 06-09-22 19:58:13,84 Service Pack 2
ComboFix 06.09.23 - Running from: "C:\hijack"
Command switches used ::

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C5E8E793-3815-40FD-9FB5-F0D83FA659E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\djkquota.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD66E643-6FF3-4B8D-8588-F341C7054BCC}\InprocServer32]
@="C:\\WINDOWS\\system32\\eyentlog.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrateurs ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\KGD\Local Settings\Temp\Utilities\Bin\x86\dxcc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\components
C:\Program Files\Fichiers communs\{E496EB0F-0C78-1036-0331-060506220021}


((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))


2006-09-22 19:54 61,440 --a------ C:\WINDOWS\system32\stdagent.dll
2006-09-22 19:54 51,712 --a------ C:\WINDOWS\system32\albus.dll
2006-09-22 19:54 49,152 --a------ C:\WINDOWS\system32\stdvote.dll
2006-09-22 19:54 32,768 --a------ C:\WINDOWS\system32\stdplay.dll
2006-09-22 19:54 16,384 --a------ C:\WINDOWS\system32\alsmt.exe
2006-09-22 19:54 114,688 --a------ C:\WINDOWS\system32\stdup.exe
2006-09-21 08:13 10,402,992 --a------ C:\ssfsetup4129.exe
2006-09-21 08:12 45,568 --a------ C:\ATF-Cleaner.exe
2006-09-21 08:12 166,064 --a------ C:\VundoFix.exe
2006-09-20 23:45 761,715 ---hs---- C:\WINDOWS\system32\hjjlm.bak2
2006-09-19 23:45 86,068 --a------ C:\WINDOWS\system32\dmadsxgp.dll
2006-09-19 23:45 743,255 ---hs---- C:\WINDOWS\system32\hjjlm.bak1
2006-09-19 23:45 577,588 ---hs---- C:\WINDOWS\system32\mljjh.dll
2006-09-19 23:40 94,208 --a------ C:\WINDOWS\system32\uhvjsul.dll
2006-09-19 23:40 72,704 --a------ C:\WINDOWS\system32\unaoakg.dll
2006-09-19 23:40 40,973 ---hs---- C:\WINDOWS\system32\khfccaw.dll
2006-09-19 23:08 131,072 --a------ C:\WINDOWS\system32\datestamp.dll
2006-09-09 00:30 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-09-09 00:30 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-09-09 00:30 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-09-09 00:30 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-09-09 00:30 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-09 00:30 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-09 00:30 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-09-09 00:30 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-09-09 00:30 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-09-09 00:30 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-09-09 00:30 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-09-09 00:30 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-09-09 00:30 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-09-09 00:30 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-09-09 00:30 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-09-09 00:30 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-09 00:30 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-09-09 00:30 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-08-31 00:44 15,360 --a------ C:\WINDOWS\system32\BASSMOD.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-22 19:58 -------- d-------- C:\Program Files\Fichiers communs
2006-09-22 19:54 28672 --a------ C:\WINDOWS\system32\drivers\Albus.SYS
2006-09-22 16:47 -------- d-------- C:\Program Files\eMule
2006-09-20 23:04 -------- d-------- C:\Program Files\Fichiers communs\aolshare
2006-09-20 22:56 -------- d-------- C:\Program Files\UEdit32
2006-09-20 20:14 -------- d-------- C:\Program Files\Lavasoft
2006-09-20 20:14 -------- d-------- C:\Documents and Settings\KGD\Application Data\Lavasoft
2006-09-19 23:58 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 23:58 -------- d-------- C:\Program Files\FBM Software
2006-09-19 23:52 -------- d-------- C:\Program Files\Dell
2006-09-15 20:37 -------- d-------- C:\Program Files\PrintView
2006-09-14 23:12 -------- d-------- C:\Program Files\MetaTrader 4
2006-09-11 23:34 -------- d---s---- C:\Documents and Settings\KGD\Application Data\Microsoft
2006-09-11 23:24 -------- d-------- C:\Program Files\Microsoft Office
2006-09-11 23:24 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-11 23:24 -------- d-------- C:\Program Files\Fichiers communs\Microsoft Shared
2006-09-11 23:24 -------- d-------- C:\Program Files\Fichiers communs\Designer
2006-09-08 00:02 -------- d-------- C:\Program Files\DivX
2006-09-06 21:45 -------- d-------- C:\Documents and Settings\KGD\Application Data\Apple Computer
2006-09-06 21:42 -------- d-------- C:\Program Files\QuickTime
2006-09-05 08:20 -------- d-------- C:\Documents and Settings\KGD\Application Data\Real
2006-09-05 08:16 -------- d-------- C:\Program Files\Fichiers communs\xing shared
2006-09-05 08:16 -------- d-------- C:\Program Files\Fichiers communs\Real
2006-09-04 22:32 -------- d-------- C:\Program Files\Fichiers communs\Adobe
2006-09-04 22:32 -------- d-------- C:\Documents and Settings\KGD\Application Data\Adobe
2006-09-03 17:37 -------- d-------- C:\Program Files\Microsoft DirectX SDK (June 2006)
2006-09-01 22:29 -------- d-------- C:\Program Files\Dl_cats
2006-08-23 00:18 -------- d-------- C:\Documents and Settings\KGD\Application Data\ACD Systems
2006-08-22 14:28 -------- d-------- C:\Program Files\Fichiers communs\ACD Systems
2006-08-22 14:27 -------- d-------- C:\Program Files\ACD Systems
2006-08-21 16:04 -------- d-------- C:\Program Files\Club-Internet
2006-08-21 15:05 56 -r-hs---- C:\WINDOWS\system32\B9836B8D7A.sys
2006-08-21 15:05 4182 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-08-21 14:45 -------- d-------- C:\Program Files\Fichiers communs\kzro
2006-08-21 14:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 14:01 -------- d-------- C:\Program Files\Windows Media Player
2006-08-19 16:03 -------- d-------- C:\Program Files\Fichiers communs\aliaswavefront shared
2006-08-19 16:03 -------- d-------- C:\Program Files\Fichiers communs\Alias Shared
2006-08-19 14:52 -------- d-------- C:\Program Files\MSN
2006-08-19 14:36 -------- d-------- C:\Program Files\Winamp
2006-08-19 14:26 -------- d-------- C:\Documents and Settings\KGD\Application Data\IDMComp
2006-08-17 16:38 -------- d-------- C:\Program Files\JpegWizard2
2006-08-17 16:32 -------- d-------- C:\Program Files\Xi
2006-08-17 15:20 -------- d-------- C:\Program Files\MSN Messenger
2006-08-17 15:07 -------- d-------- C:\Program Files\Java
2006-08-17 15:06 -------- d-------- C:\Program Files\netbeans-5.0
2006-08-17 15:04 -------- d-------- C:\Program Files\Fichiers communs\InstallShield
2006-08-17 15:00 -------- d-------- C:\Program Files\WinZip
2006-08-17 15:00 -------- d-------- C:\Program Files\WinRAR
2006-08-16 17:30 -------- d-------- C:\Program Files\Internet Explorer
2006-08-16 17:27 -------- d-------- C:\Program Files\Outlook Express
2006-08-16 17:27 -------- d-------- C:\Program Files\Fichiers communs\System
2006-08-16 16:43 -------- d-------- C:\Program Files\Security Task Manager
2006-08-11 19:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 19:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 19:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 19:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 19:31 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-08-11 19:31 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-08-11 19:31 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-08-11 19:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 19:31 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-08-11 19:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 19:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 19:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 19:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 19:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 19:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 19:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 19:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 19:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-08-11 19:27 -------- d-------- C:\Documents and Settings\KGD\Application Data\Macromedia
2006-08-11 19:10 -------- d-------- C:\Program Files\Fichiers communs\Motive
2006-08-11 19:09 -------- d-------- C:\Program Files\Motive
2006-08-11 19:09 -------- d-------- C:\Program Files\Common Files
2006-08-11 19:06 -------- d-------- C:\Program Files\BroadJump
2006-08-11 13:45 15890 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2006-08-11 13:44 -------- d-------- C:\Program Files\TRENDware
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-27 04:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-07-27 04:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-07-21 10:27 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-06-22 07:13 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 07:13 1440768 --a------ C:\WINDOWS\system32\query.dll
2006-06-07 19:55 3753 --a------ C:\Program Files\html2.htm
2006-06-07 19:55 3626 --a------ C:\Program Files\html1.htm


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"SetDefaultMIDI"="MIDIDef.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"dlccmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 924\\dlccmon.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"SigmatelSysTrayApp"="stsystra.exe"
"MBMon"="Rundll32 CTMBHA.DLL,MBMon"
"DLCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCCtime.dll,_RunDLLEntry@16"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"alsmt.exe"="C:\\WINDOWS\\system32\\alsmt.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"kzro"="C:\\PROGRA~1\\FICHIE~1\\kzro\\kzrom.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^AOL 9.0 Icône AOL.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\AOL 9.0 Icône AOL.lnk"
"backup"="C:\\WINDOWS\\pss\\AOL 9.0 Icône AOL.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AOL9~1.0\\aoltray.exe -check"
"item"="AOL 9.0 Icône AOL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^KGD^Menu Démarrer^Programmes^Démarrage^Club Internet.lnk]
"path"="C:\\Documents and Settings\\KGD\\Menu Démarrer\\Programmes\\Démarrage\\Club Internet.lnk"
"backup"="C:\\WINDOWS\\pss\\Club Internet.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\CLUB-I~1\\Lanceur\\lanceur.exe "
"item"="Club Internet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BJCFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CFD"
"hkey"="HKLM"
"command"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Corel Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DLA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DLACTRLW"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\kzro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kzrom"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\FICHIE~1\\kzro\\kzrom.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSKAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MskAgent"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSKDetectorExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSKDetct"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PVModule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pvmodule"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\StandardInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\uhvjsul.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhvjsul"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VoiceCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AndreaVC"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe\" /tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinAntiVirusPro2006]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinAV"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WinAntiVirus Pro 2006\\WinAV.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xgs51850]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE wa94a40c.dll,n 0035184d0000000aa94a40c"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"MskService"=dword:00000002
"MpfService"=dword:00000002
"mcupdmgr.exe"=dword:00000003
"McTskshd.exe"=dword:00000002
"McShield"=dword:00000002
"McDetect.exe"=dword:00000002
"BITS"=dword:00000002
"dlcc_device"=dword:00000003
"AOL ACS"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Rappel d'abonnement 1 auprès de l'ISP.job

Completion time: 22/09/2006 20:01:11.03
ComboFix.txt

This very last log seems to be more interesting than the two previous ones; it has detected all the malware (WinAntiVirusPro2006 is also one of them).

Have a nice week-end,
Mark

#8 LS CalamityJane
Former Lavasoft Staff

Posted 22 September 2006 - 08:44 PM

Thanks, Mark! Give me a little bit to chew through these and write up some next cleanup steps.

I'm sure we can get you squared away, :)

It just may take a number of steps (you sure had some doozies!) :)
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#9 LS CalamityJane
Former Lavasoft Staff

Posted 23 September 2006 - 01:21 AM

Apologies for the late reply here; I had a computer crash and lost ALL my notes, so this is the 2nd effort. {sigh}

I need to get some copies of files from you so I can submit them for detection, please.

Go here to upload the files as attachments
http://www.thespykil...x.php?board=1.0
Just press New Topic (make the subject: For CalamityJane from Mark53 at LS), fill in a short message, then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it as well. When all the files are listed in the window, press the *Post* button to upload the files.

Note: If a file is not found, go on to the next one please. It will likely take more than one post to get all of these in (I think there is a limit of 10 files per post).

Files to attach for upload:

C:\WINDOWS\system32\stdagent.dll
C:\WINDOWS\system32\albus.dll
C:\WINDOWS\system32\stdvote.dll
C:\WINDOWS\system32\stdplay.dll
C:\WINDOWS\system32\alsmt.exe
C:\WINDOWS\system32\stdup.exe
C:\WINDOWS\system32\dmadsxgp.dll
C:\WINDOWS\system32\uhvjsul.dll
C:\WINDOWS\system32\unaoakg.dll
C:\WINDOWS\system32\khfccaw.dll
C:\WINDOWS\system32\datestamp.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\v1201.exe
wa94a40c.dll (You'll need to search on this file to find its location)
C:\WINDOWS\system32\drivers\Albus.SYS
C:\PROGRAM FILES\PRINTVIEW <---all files in that folder
C:\PROGRA~1\FICHIE~1\kzro <---all files in that folder


(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to register to start a topic or upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I'll be able to collect them from there. Thanks!
................
Once you have done that task, please return here and follow these steps next:

1. Go to your Control Panel and look in Add/Remove Programs. If any of the following is found, highlight it and press *remove*:

WinAntiVirus Pro

PrintView


Next, Open HijackThis and do a *system scan only*
When it finishes, checkmark these entries, then press the *fix checked* button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll

O2 - BHO: (no name) - {2ACC0345-A4AD-4A21-AAB4-C24EE9D3AAF7} - (no file)

O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll

O2 - BHO: (no name) - {887C1B4A-3F08-4BE5-ABA2-9633BF159948} - \

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\eyentlog.dll (file missing)

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\djkquota.dll (file missing)

O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

Delete these files and/or folders:

C:\Program Files\WinAntiVirus Pro 2006

C:\PROGRAM FILES\PRINTVIEW
..............................
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
........................
We also need to get a log from this free tool

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline...tut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Open the SmitfraudFix folder

Double-click smitfraudfix.cmd

Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt. Post the results back here please.

#10 Mark53
Newbie

Posted 23 September 2006 - 11:46 AM

Hi Calamity,

Once again, you apologize for the delay while I think you reply very fast and I thank you for your reactivity.

Anyway, I have posted the files you asked for (some have already been deleted by anti-spywares or fixes). Tell me if you got them. I had a timeout error while I was uploading the ZIP file.

I couldn't find WinAntivirus Pro nor Printview in the installed programs, though I still have WinAntivirus pop-ups.

In C:\Program Files\PrintView, it was impossible to remove printhook030.dll. I just hope they weren't necessary files for printing.

I've run VundoFix (and it's not the first time). It once again found and removed the Trojan.Vundo from my computer. Here is its log:

Symantec Trojan.Vundo Removal Tool 1.5.0
The process "IEXPLORE.EXE" might be affected by the threat. It has been suspended.
The process "IEXPLORE.EXE" might be affected by the threat. It has been terminated.

C:\System Volume Information: (not scanned)
D:\System Volume Information: (not scanned)

Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 155678
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral processes suspended: 1
The number of viral threads terminated: 0
The number of registry entries fixed: 0

And finally, here is the log generated by SmitfraudFix:

SmitFraudFix v2.96

Rapport fait à 12:15:58,22, 23/09/2006
Executé à partir de C:\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\keyboard1.dat PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\KGD\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KGD\Favoris

C:\DOCUME~1\KGD\Favoris\Antivirus Test Online.url PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» Bureau


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin

Thanks again for your help,
Mark

#11 LS CalamityJane
Former Lavasoft Staff

Posted 23 September 2006 - 12:59 PM

Hi Mark,

I'm just now coming in for the morning and first cup of coffee in hand, so not quite awake yet, but I'm heading over to look at the files you uploaded and will report back here once I have a chance to examine them.

One thing jumps out at me, and that is that you are using the Symantec Vundo removal tool.

The link I posted is for VundoFix by Atribune, a volunteer researcher who monitors this infection daily to update the tool, which is much more up to date on removing Vundo.
Could you go back up and use the tool in my instructions for VundoFix and post a report from it please?
.................
Next, we need to do step 2 of SmitfraudFix based upon the results of your report.

NOTE: This fix step of this tool needs to be run in SAFE MODE! (So make a copy of these instructions to have handy.)

1. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

2. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

3. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Fresh HijackThis log

VundoFix log from Atribune's tool (not Symantec)

#12 LS CalamityJane
Former Lavasoft Staff

Posted 23 September 2006 - 01:53 PM

Regarding your question about PrintView

In C:\Program Files\PrintView, it was impossible to remove printhook030.dll. I just hope they weren't necessary files for printing.


This is a fairly newly discovered adware program - not anything to do with your print function really, and usually found installed without the user's knowledge, so it may have come in a bundle with something else.

Here is Researcher Tony Klein's writeup on it:
http://www.castlecop...wBHO_Class.html

GUID {D4E0C464-30CE-4075-9A10-71FD106C2847}
Filename printhook030.dll, PRINTH~1.DLL
Object Name PrintViewBHO Class
Status X BHO
Description Adperform.com/adoptim.com adware, file located in a Program Files\PrintView folder. The accompanying executable (pvmodule.exe) is detected by AntiVir antivirus as TR/Dldr.Agent.alb. NOTE: the 'real' PrintView installs in a C:\CBR folder instead.


And the scan results on pvmodule.exe you uploaded:

Complete scanning result of "pvmodule.exe", received in VirusTotal at 09.23.2006, 14:42:53 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.22.2006 TR/Dldr.Agent.alb
Authentium 4.93.8 09.23.2006 no virus found
Avast 4.7.844.0 09.22.2006 no virus found
AVG 386 09.22.2006 no virus found
BitDefender 7.2 09.23.2006 no virus found
CAT-QuickHeal 8.00 09.22.2006 TrojanDropper.Agent.alb
ClamAV devel-20060426 09.23.2006 no virus found
eTrust-InoculateIT 23.73.3 09.23.2006 no virus found
eTrust-Vet 30.3.3093 09.22.2006 no virus found
DrWeb 4.33 09.22.2006 no virus found
Ewido 4.0 09.23.2006 no virus found
Fortinet 2.82.0.0 09.23.2006 suspicious
F-Prot 3.16f 09.22.2006 no virus found
F-Prot4 4.2.1.29 09.23.2006 no virus found
Ikarus 0.2.65.0 09.23.2006 no virus found
Kaspersky 4.0.2.24 09.23.2006 no virus found
McAfee 4858 09.22.2006 no virus found
Microsoft 1.1560 09.23.2006 no virus found
NOD32v2 1.1768 09.22.2006 no virus found
Norman 5.80.02 09.22.2006 no virus found
Panda 9.0.0.4 09.23.2006 no virus found
Sophos 4.09.0 09.23.2006 no virus found
Symantec 8.0 09.23.2006 no virus found
TheHacker 6.0.1.077 09.22.2006 no virus found
UNA 1.83 09.22.2006 no virus found
VBA32 3.11.1 09.23.2006 no virus found
VirusBuster 4.3.7:9 09.23.2006 no virus found

Aditional Information
File size: 50688 bytes
MD5: 1599c68387c28ea6d32a65941930d12c
SHA1: 51030b1f01bd509c86483cec4d814aecdfd7a21a



I'm still going through these files you sent. I am waiting for the results of your VundoFix and SmitfraudFix runs with the logs requested above.

#13 Mark53
Newbie

Posted 23 September 2006 - 06:52 PM

Hi Calamity,

Well then, you're pretty dedicated in your job. ;-)

Here is the VundoFix log:

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 19:01:37 23/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.bak2

I managed to remove Vundo after a reboot.

Then I ran smitfraudfix, and here is the log:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

I ran it several times; that's why the infected DLLs don't appear there.

And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:33:09, on 23/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\KGD\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-inte...;version=501596
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D00FA78-F963-4CF4-87CE-43962B205AA7} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Standard Br Service (stdsverex) - Unknown owner - C:\WINDOWS\system32\stdup.exe (file missing)

Thanks again,
Mark

#14 LS CalamityJane
Former Lavasoft Staff

Posted 23 September 2006 - 07:33 PM

Make a copy of these instructions to have handy as this next step needs to be done with IE and any other browsers closed (so you won't be able to view this window)

Now close all browsers and any open windows, having only HijackThis open.

Open HijackThis and do a *system scan only*
When it finishes, place a checkmark next to these entries in the list:

O2 - BHO: (no name) - {3D00FA78-F963-4CF4-87CE-43962B205AA7} - C:\WINDOWS\system32\mljjh.dll (file missing)

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

O16 - DPF: {28E0FA88-ABA8-4937-A247-3031F1A11165} - http://pi.51.net/download/diybar2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

O23 - Service: Standard Br Service (stdsverex) - Unknown owner - C:\WINDOWS\system32\stdup.exe (file missing)

Reboot your computer

After the reboot, scan once more and post a fresh HijackThis log please.

Then press the *fix checked* button.

#15 Mark53
Newbie

Posted 24 September 2006 - 05:57 AM

Hi Calamity,

Beware of your recommendations: deleting the keys

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

removed my DNS server configuration. I had to set it up again.

Anyway, just placing a checkmark in front of lines doesn't seem to do anything if you don't click on "fix checked". That's what I did, and it deleted it all. After the next reboot, only stdup.exe was still there. In fact, that's because it's a service. I deactivated it in "services.msc" (I don't know how to permanently delete them).

Here is the final log:

Logfile of HijackThis v1.99.1
Scan saved at 06:45:43, on 24/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\DOCUME~1\KGD\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\eMule\emule.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\Club-Internet\Dr Club Internet\bin\mad.exe
C:\Program Files\Club-Internet\Dr Club Internet\bin\mpbtn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijack\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-inte...;version=501596
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Fichiers communs\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Things seem to be better now. All you have to do is include all these malware removal steps in the next version of Ad-aware. ;-)

Regards,
Mark
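
The O17 NameServer entries quoted above are the kind of setting worth checking mechanically both before a fix and in the follow-up log. As an added example (not from this thread and not part of HijackThis), this Python script parses O17 lines from HijackThis logs, flags resolvers inside 85.255.112.0/20 (the example's assumed watch-list: the Inhoster netblock those two resolvers belong to), and reports which flagged interfaces are still present in a later log. The sample lines are constructed from the logs posted above.

```python
"""Check HijackThis O17 NameServer entries against a rogue-resolver watch-list.

Added example for this thread; it is not part of the original posts and not
code from HijackThis. The sample O17 lines are taken from the logs posted in
the thread; the watch-list network 85.255.112.0/20 is the example's assumption.
"""
import ipaddress
import re

# Constructed sample: O17/O23 lines from the HijackThis log posted before
# the fix (raw string so the single backslashes survive as written).
LOG_BEFORE_FIX = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123
O23 - Service: Standard Br Service (stdsverex) - Unknown owner - C:\WINDOWS\system32\stdup.exe (file missing)
"""

# Constructed sample: the corresponding lines from the "final" log, in which
# one O17 entry is back with the same two resolvers.
LOG_AFTER_FIX = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Resolver ranges that should never appear in a home PC's TCP/IP settings
# (assumed watch-list for this example).
WATCH_LIST = [ipaddress.ip_network("85.255.112.0/20")]

# Shape of the line: O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip[,ip...]
O17_RE = re.compile(
    r"^O17 - .*\\(?P<iface>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Map each interface GUID in the log to its list of NameServer IPs."""
    entries = {}
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = [s.strip() for s in match.group("servers").split(",")]
            entries[match.group("iface")] = [s for s in servers if s]
    return entries


def flag_nameservers(log_text, watch_list=WATCH_LIST):
    """Return (interface, ip, verdict) per resolver.

    verdict is the matching watch-list network as a string, "unparseable"
    for a value that is not an IP address, or None for an unlisted address.
    """
    findings = []
    for iface, servers in parse_o17(log_text).items():
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((iface, server, "unparseable"))
                continue
            hit = next((str(net) for net in watch_list if addr in net), None)
            findings.append((iface, server, hit))
    return findings


def suspicious_interfaces(log_text, watch_list=WATCH_LIST):
    """Sorted interface GUIDs with at least one watch-listed resolver."""
    return sorted({
        iface for iface, _, hit in flag_nameservers(log_text, watch_list)
        if hit not in (None, "unparseable")
    })


def persisted_hijack(before, after, watch_list=WATCH_LIST):
    """Interfaces flagged in the 'before' log that still use a watch-listed
    resolver in the 'after' log, i.e. the entry was re-created or never
    removed. Returns {interface: [servers]} taken from the 'after' log."""
    flagged_before = set(suspicious_interfaces(before, watch_list))
    after_entries = parse_o17(after)
    return {
        iface: after_entries[iface]
        for iface in suspicious_interfaces(after, watch_list)
        if iface in flagged_before
    }


if __name__ == "__main__":
    for iface, ip, hit in flag_nameservers(LOG_BEFORE_FIX):
        print(f"{iface} -> {ip}: {'in watch-list ' + hit if hit else 'not listed'}")
    still_bad = persisted_hijack(LOG_BEFORE_FIX, LOG_AFTER_FIX)
    print("rogue resolvers still configured after the fix:", still_bad or "none")
```

Run on the two sample logs it reports that the interface {6518B03F-...} still points at both 85.255.x.x resolvers after the fix, which is what the final log above shows.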

#16 LS CalamityJane
Former Lavasoft Staff

Posted 24 September 2006 - 02:20 PM

Mark53 wrote:

Hi Calamity,

Beware of your recommendations, deleting the keys:

O17 - HKLM\System\CCS\Services\Tcpip\..\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 85.255.116.98,85.255.112.123

removed my DNS server configuration. I had to set it up again.


Now THAT is surprising :). IP lookup shows that as Inhoster in the Ukraine, which often hosts websites of dubious repute (which was what made me think you had the Wareout pest). These were the lookup results on that IP:

WHOIS results for 85.255.116.98
Generated by www.DNSstuff.com

% Information related to '85.255.112.0 - 85.255.127.255'
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

See this article by Suzi Turner of SpywareWarrior (also writes a Spyware Blog at ZDnet):
ISPs hosting spyware - who are they?
http://blogs.zdnet.com/Spyware/?p=763
.................
And I'm glad you figured out to use the *fix checked*. A bad copy & paste on my part: that line ended up out of order at the end of my post instead of after the list of entries.

Mark53 wrote:

After the next reboot, only stdup.exe was still here. In fact, it's because it's a service. I deactivated it in "services.msc" (I don't know how to permanently delete them).

HijackThis has a section under *Misc. Tools Section* to delete a service.

Use the *Delete an NT Service* button to delete this one:

Standard Br Service
or (stdsverex)

That service was part of the Boran adware you had, all of which was fairly new and the reason I asked you to upload some files for me. In addition to examining them to determine what they were, I was also able to submit those files to the Research Team to add for detection in Ad-Aware. :)

Your final HijackThis log looks good - no nasties showing. Is everything running OK now on your computer?

Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009
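The O17 check made in the post above, automated as an added example (this is not code from the thread, from Lavasoft or from HijackThis): it parses HijackThis O17 and O23 lines, flags any NameServer address that falls inside the Inhoster block returned by the WHOIS lookup quoted above (85.255.112.0 - 85.255.127.255, written here as 85.255.112.0/20), and lists the services HijackThis reports with "Unknown owner". The sample log is constructed from entries in this thread; the second O17 line and the stdsverex O23 line are invented for illustration, and the rogue-network list contains only the one block named on this page.

```python
import ipaddress
import re

# Address block reported by the WHOIS lookup quoted in the thread
# (85.255.112.0 - 85.255.127.255, netname "inhoster"), as a CIDR.
# Assumption: this single block is the only "known rogue" range we check.
KNOWN_ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample in HijackThis log format, modelled on the entries
# posted in this thread. The 192.168.1.1 O17 line and the stdsverex O23
# line are invented for illustration.
SAMPLE_LOG = """\
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6518B03F-2DCA-472E-8DA9-FE1273EABA6D}: NameServer = 85.255.116.98,85.255.112.123
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CCEDAB5A-F6BC-4E64-AA5E-F5B046F6276D}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\\WINDOWS\\system32\\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: Standard Br Service (stdsverex) - Unknown owner - C:\\WINDOWS\\system32\\stdup.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def parse_nameservers(log_text):
    """Return (registry key, [ip, ...]) for every O17 NameServer line."""
    result = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            ips = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            result.append((m.group("key"), ips))
    return result


def parse_services(log_text):
    """Return a dict per O23 line: display name, short name, owner, path."""
    result = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        # HJT separates the fields with " - "; split from the right so a
        # display name that itself contains " - " cannot shift owner/path.
        parts = m.group("rest").rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        display, owner, path = parts
        short = re.search(r"\(([^()]+)\)\s*$", display)
        result.append({
            "display": display,
            "short": short.group(1) if short else None,
            "owner": owner,
            "path": path,
        })
    return result


def flag_nameservers(log_text, rogue_nets=KNOWN_ROGUE_DNS_NETS):
    """Return the O17 NameServer IPs that sit inside a known-rogue block.

    Private resolvers (a home router) are simply not in the list and are
    never flagged; a public resolver outside the rogue list is also left
    alone here, although a hard-coded public DNS server on an XP box that
    normally gets DNS via DHCP deserves a manual look.
    """
    flagged = []
    for _key, ips in parse_nameservers(log_text):
        for ip_str in ips:
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue  # malformed entry; HijackThis would still show it
            if any(ip in net for net in rogue_nets):
                flagged.append(str(ip))
    return flagged


def unknown_owner_services(log_text):
    """Short names (or display names) of O23 services with no publisher."""
    return [
        s["short"] or s["display"]
        for s in parse_services(log_text)
        if s["owner"].lower() == "unknown owner"
    ]


if __name__ == "__main__":
    print("resolvers in rogue blocks:", flag_nameservers(SAMPLE_LOG))
    print("services with unknown owner:", unknown_owner_services(SAMPLE_LOG))
```

"Unknown owner" only means the binary carries no publisher string; the Atheros ACS service in the log above is legitimate, so that list is a triage queue, not a verdict. A resolver inside a block associated with rogue hosting is a much stronger signal, because every name the machine looks up goes through it, which is why the O17 entries were read as a marker for the Wareout infection mentioned above.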

#17 Mark53

Mark53

    Newbie

  • Members
  • Pip
  • 9 posts

Posted 24 September 2006 - 05:14 PM

Well, you're right, I'm surprised to see that the DNS servers I'm using are Ukrainian. But let me tell you I've never had problems with them, I've been using them for years. They're better than my current ISP's official DNS servers, which don't resolve all websites.

Thanks for the info about service deletion with HijackThis. Though, I'd be glad to know how to do this using Windows. ;-)

I'm glad to know that my problem has allowed you to work on a new malware. Is it possible to integrate all the removal steps I've been through in Ad-Aware? It would be great to be able to remove all these malwares in one click. But we're always obliged to look for standalone removal tools, or to remove things by hand.

Anyway, everything is going fine now on my comp except one little thing that remains: the WinAntiVirus Pro 2006 icon still appears in the control panel and I don't know how to get rid of it.

Thanks,
Mark

#18 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 25 September 2006 - 04:33 PM

In Windows XP, you can use sc.exe to delete a service (among other things, as described here):
How to Create a Windows Service Using Sc.exe
http://support.micro...om/?kbid=251192

Could you please post the results of the SmitfraudFix tool that you ran? It should be located on your hard drive, named Rapport.txt.

And, if I could get a report from this tool please:

1. Download this file - combofix.exe
http://download.blee...Bs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)


Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply

#19 spike-nz

spike-nz

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 3092 posts

Posted 28 September 2006 - 01:05 PM

Hi Mark53,

(Sorry to interrupt, Janie)

Mark53 wrote:

Here is the VundoFix log:

VundoFix V6.1.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 19:01:37 23/09/2006

Not a biggie, but it is safest to remove all outdated versions of Java, as they can be a security threat :D

(As usual, use add/remove programs)

Regards,

Spike

#20 Kevin Yip

Kevin Yip

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 21 November 2006 - 05:04 PM

Hi all,

Sorry to interrupt. A friend of mine has her computer infected. I found the "Standard Br Service" and some other stuff. Since Mark also listed it, I think this is a good place to start the discussion.

The symptoms are as follows:
. The IE shortcuts on the desktop and in the quick launch bar are both set to "http://www.123wa.com"
. A number of extra toolbars appear in IE
. A number of extra right-click context menu items appear in IE

Underlying, I found these:
. Suspicious services:
Standard Br Service (stdsverex)
Standard Update Net Service
VisionService
. Suspicious files:
C:\Program Files\Vision\
C:\windows\system32\std.ini
C:\windows\system32\stdd.ini
C:\windows\system32\stdup.exe
And a whole bunch of "std" something
. Suspicious startup items identified by HijackThis:
O2 - BHO: Vision - ... C:\Program Files\Vision\vision.dll
O8 - Extra context menu item: ... C:\Program Files\Vision\vision.dll/mms.htm
O9 - Extra 'Tools' menuitem: ... C:\Program Files\Vision\vision.dll
O23 - Service: Standard Br Service (stdsverex) C:\windows\system32\stdup.exe

What I have tried:
. Disabling the extra toolbars in IE - succeeded
. Removing the IE shortcuts and recreating the correct ones - succeeded
. Removing stdup.exe - initially failed, succeeded after rebooting in safe mode
. Disabling VisionService - succeeded
. Deleting VisionService using sc.exe - succeeded
*. Disabling Standard Br Service - failed. The service was set to automatic, and I found no way to make it manual or disabled. Failed even in safe mode
*. Deleting Standard Br Service using sc.exe - failed. Failed even in safe mode
*. Removing the registry entries of Standard Br Service and VisionService - failed. When I tried to delete the whole subfolder of either of them, regedit stopped responding. The CPU usage was 100%, but it just could not finish the deletion. Failed even in safe mode
*. Removing the startup items - O8 and O9 succeeded, O2 and O23 failed. HijackThis did not report anything, but after clicking Fix and rescanning they were still there. Failed even in safe mode
*. Removing the directory C:\Program Files\Vision - failed. The directory was indeed removed, but then it was immediately recreated. Even worse, it also triggered the recreation of VisionService

When I used Ad-Aware to scan, it found the same things, but was unable to delete some of the files. I accepted the option to let Ad-Aware delete the files after the next reboot, but it still could not delete the files after rebooting.

I tried to identify the hidden processes/services that recreated VisionService, but was unable to find them out.

Each time after rebooting, if VisionService was recreated by the hidden monitoring process before the reboot, the IE shortcuts and context menus reappear.

I have spent quite some time searching the web for a solution. I think up to this moment all the suggestions are contained in the above list. I guess the malware has been strengthened since the post of such suggestions.

Please help.
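The sc.exe route suggested in post #18, and the failed sc.exe attempts in the post above, as an added example in Python so it can be checked offline (this is not code from the thread, from Lavasoft or from the Microsoft KB article linked above). It parses the output of `sc qc` and `sc query` for one service and returns the sc.exe commands a clean removal needs, in the order that avoids the "marked for deletion" state (error 1072) you get by deleting a service that is still running. The two blocks of sc.exe output are constructed to look like the stdsverex service from this thread; the service and display names come from the thread, every other field value is invented.

```python
import re

# Constructed sample of "sc qc stdsverex" output. Service name and display
# name are from the thread; the remaining values are invented.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: stdsverex
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\stdup.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Standard Br Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample of "sc query stdsverex" output for a running service.
SC_QUERY_OUTPUT = """\
SERVICE_NAME: stdsverex
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# sc.exe prints one "NAME : value" field per line, upper-case names only.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Z_]+)\s*:\s*(?P<value>.*)$")


def parse_sc_output(text):
    """Turn the NAME : value lines of sc.exe output into a dict.

    Numeric fields such as "4  RUNNING" keep only the symbolic name; the
    parenthesised continuation line after STATE and the "[SC] ..." status
    line do not match the field pattern and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if name in ("TYPE", "STATE", "START_TYPE", "ERROR_CONTROL"):
            parts = value.split()
            value = parts[-1] if parts else value
        fields[name] = value
    return fields


def removal_plan(service, qc_text, query_text):
    """Return the ordered sc.exe commands needed to remove a service.

    Order matters: "sc delete" on a running service only marks it for
    deletion, and further operations on that name then fail with error
    1072 until the service is really gone (often only after a reboot).
    So the service is stopped and disabled first, deleted, the deletion
    confirmed (error 1060 means it no longer exists), and the binary
    removed last, once nothing is holding it open.
    """
    qc = parse_sc_output(qc_text)
    state = parse_sc_output(query_text)
    cmds = []
    if state.get("STATE") != "STOPPED":
        cmds.append(f"sc stop {service}")
    if qc.get("START_TYPE") != "DISABLED":
        # sc.exe needs the space after "start=".
        cmds.append(f"sc config {service} start= disabled")
    cmds.append(f"sc delete {service}")
    cmds.append(f"sc query {service}")  # expect error 1060 afterwards
    binary = qc.get("BINARY_PATH_NAME")
    if binary:
        cmds.append(f'del "{binary}"')
    return cmds


if __name__ == "__main__":
    for cmd in removal_plan("stdsverex", SC_QC_OUTPUT, SC_QUERY_OUTPUT):
        print(cmd)
```

Run each command from an administrator command prompt and check its result before moving on. If `sc config` or `sc delete` is refused even in safe mode, as reported in the post above, something else is protecting the service (a watchdog process that recreates it, or permissions on its registry key), and this sequence alone will not remove it.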



