Unsolved
This post is more than 5 years old
4 Posts
0
15885
February 14th, 2005 23:00
help needed.....hjt
i know there might be a problem with salm.exe, wincomm, winlock..... i found bargainbuddy somewhere, and golden retriever cash back...... i tried to delete them but they always come back... i need help to get rid please....
hjt:
tartupList report, 2005-02-14, 20:47:23
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Francky\Bureau\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Showing rarely important sections
==================================================
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Francky\Bureau\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\system2.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Program Files\AdTools Service\AdToolsKeep.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows FormatAd\WinForm.exe
C:\Program Files\Windows FormatAd\WinFormKeep.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Win Comm\WinLock.exe
c:\temp\salm.exe
C:\Documents and Settings\Francky\Bureau\HijackThis.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\system2.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Program Files\AdTools Service\AdToolsKeep.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows FormatAd\WinForm.exe
C:\Program Files\Windows FormatAd\WinFormKeep.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Win Comm\WinLock.exe
c:\temp\salm.exe
C:\Documents and Settings\Francky\Bureau\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
[C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C-Media Mixer = Mixer.exe /startup
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QMusic = "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ISUSPM Startup = C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
SSC_UserPrompt = C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
Bcvsrv32 = system2.exe
ccApp = C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
*windows update = wymst.exe
ap9h4qmo = C:\WINDOWS\System32\ap9h4qmo.exe
AdTools Service = C:\Program Files\AdTools Service\AdTools.exe
Windows FormatAd = C:\Program Files\Windows FormatAd\WinForm.exe
Win Comm = C:\Program Files\Win Comm\WinComm.exe
Internet Optimizer = "C:\Program Files\Internet Optimizer\optimize.exe"
salm = c:\temp\salm.exe
cbcz = C:\WINDOWS\cbcz.exe
ErrorGuard = C:\Program Files\ErrorGuard\ErrorGuard.Exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QMusic = "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ISUSPM Startup = C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
SSC_UserPrompt = C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
Bcvsrv32 = system2.exe
ccApp = C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
*windows update = wymst.exe
ap9h4qmo = C:\WINDOWS\System32\ap9h4qmo.exe
AdTools Service = C:\Program Files\AdTools Service\AdTools.exe
Windows FormatAd = C:\Program Files\Windows FormatAd\WinForm.exe
Win Comm = C:\Program Files\Win Comm\WinComm.exe
Internet Optimizer = "C:\Program Files\Internet Optimizer\optimize.exe"
salm = c:\temp\salm.exe
cbcz = C:\WINDOWS\cbcz.exe
ErrorGuard = C:\Program Files\ErrorGuard\ErrorGuard.Exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Bcvsrv32 = system2.exe
*windows update = wymst.exe
*windows update = wymst.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
*windows update = wymst.exe
Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
*windows update = wymst.exe
Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.
Registry check failed!
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\nem220.dll - {00000010-6F7D-442C-93E3-4A4827C2E4C8}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
Ipswitch.WsftpBrowserHelper - C:\Program Files\WS_FTP Pro\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
Ipswitch.WsftpBrowserHelper - C:\Program Files\WS_FTP Pro\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[{10000000-1000-0000-1000-000000000000}]
CODEBASE = ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
CODEBASE = ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
[EARTPatchX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll
CODEBASE = http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EARTPX.dll
CODEBASE = http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
[VacPro.canada_ver3]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\canada_ver3.ocx
CODEBASE = http://www.advnt01.com/dialer/canada_ver3.CAB
InProcServer32 = C:\WINDOWS\Downloaded Program Files\canada_ver3.ocx
CODEBASE = http://www.advnt01.com/dialer/canada_ver3.CAB
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Windows NT/2000/XP services
*windows update: C:\WINDOWS\System32\wymst.exe (autostart)
Environnement de prise en charge de réseau AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
aslm75: \??\C:\WINDOWS\system32\drivers\aslm75.sys (autostart)
Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Explorateur d'ordinateur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe (autostart)
Services de cryptographie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Client DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Gestionnaire de disque logique: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Client DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Service de rapport d'erreurs: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Journal des événements: %SystemRoot%\system32\services.exe (autostart)
Aide et support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Serveur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Station de travail: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Assistance TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Affichage des messages: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
Norton Unerase Protection: "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" (autostart)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
%OWC_USBEHCD.DeviceDesc%: System32\Drivers\ousbehci.sys (autostart)
Plug-and-Play: %SystemRoot%\system32\services.exe (autostart)
Services IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
Emplacement protégé: %SystemRoot%\system32\lsass.exe (autostart)
Accès à distance au Registre: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Appel de procédure distante (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Gestionnaire de comptes de sécurité: %SystemRoot%\system32\lsass.exe (autostart)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Planificateur de tâches: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Connexion secondaire: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notification d'événement système: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Détection matériel noyau: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Spouleur d'impression: %SystemRoot%\system32\spoolsv.exe (autostart)
Service de restauration système: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Acquisition d'image Windows (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
SymWMI Service: C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe (autostart)
Thèmes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Client de suivi de lien distribué: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Gestionnaire de téléchargement: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Horloge Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Infrastructure de gestion Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Mises à jour automatiques: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Configuration automatique sans fil: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Environnement de prise en charge de réseau AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
aslm75: \??\C:\WINDOWS\system32\drivers\aslm75.sys (autostart)
Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Explorateur d'ordinateur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe (autostart)
Services de cryptographie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Client DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Gestionnaire de disque logique: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Client DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Service de rapport d'erreurs: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Journal des événements: %SystemRoot%\system32\services.exe (autostart)
Aide et support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Serveur: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Station de travail: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Assistance TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Affichage des messages: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
Norton Unerase Protection: "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" (autostart)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
%OWC_USBEHCD.DeviceDesc%: System32\Drivers\ousbehci.sys (autostart)
Plug-and-Play: %SystemRoot%\system32\services.exe (autostart)
Services IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
Emplacement protégé: %SystemRoot%\system32\lsass.exe (autostart)
Accès à distance au Registre: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Appel de procédure distante (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Gestionnaire de comptes de sécurité: %SystemRoot%\system32\lsass.exe (autostart)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Planificateur de tâches: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Connexion secondaire: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notification d'événement système: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Détection matériel noyau: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Spouleur d'impression: %SystemRoot%\system32\spoolsv.exe (autostart)
Service de restauration système: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Acquisition d'image Windows (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
SymWMI Service: C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe (autostart)
Thèmes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Client de suivi de lien distribué: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Gestionnaire de téléchargement: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Horloge Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Infrastructure de gestion Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Mises à jour automatiques: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Configuration automatique sans fil: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\exdl.exe => C:\WINDOWS\System32\mqexdlm.srg|C:\WINDOWS\exul.exe => C:\WINDOWS\System32\javexulm.vxd|C:\WINDOWS\adp8034_CDT5.exe||C:\WINDOWS\ahadp.exe||@C:\WINDOWS\system32\@c:\windows\system32\scrrun.dll.tmp
PendingFileRenameOperations: C:\WINDOWS\exdl.exe => C:\WINDOWS\System32\mqexdlm.srg|C:\WINDOWS\exul.exe => C:\WINDOWS\System32\javexulm.vxd|C:\WINDOWS\adp8034_CDT5.exe||C:\WINDOWS\ahadp.exe||@C:\WINDOWS\system32\@c:\windows\system32\scrrun.dll.tmp
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*windows update = wymst.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*windows update = wymst.exe
0 events found
No Events found!
Midnight Star
4.8K Posts
0
February 15th, 2005 14:00
I don't have the modules ready yet to convert a 'startuplist' into a format that my software can easily analyse (that's an upcoming project), so let's see what a HiJackThis log reports back for us.
Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:
1. Click " Scan"
2. Click " Save log"
Notepad will pop-up with a copy of your system long, then:
1. " Edit | Select all"
2. " Edit | Copy"
Next, let's " Reply" back to this post, then:
1. Right-click on the message body.
2. Select " Paste"
Then just " Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).
-
If your having a problem getting the 1.99.0 version to run properly on your system, try downloading and running the previous version; HiJackThis 1.98.2.
Download mwav.exe from MicroWorld, then:
1. Double-click the mwav.exe icon to run it ( it'll self extract).
2. Click " Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
Mike.
azozo
4 Posts
0
February 16th, 2005 00:00
sorry, there you go...
Logfile of HijackThis v1.98.2
Scan saved at 20:54:47, on 2005-02-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wymst.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\system2.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wymst.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Program Files\Windows FormatAd\WinForm.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\AdTools Service\AdToolsKeep.exe
C:\temp\salm.exe
C:\Program Files\Windows FormatAd\WinFormKeep.exe
C:\Program Files\Win Comm\WinLock.exe
C:\WINDOWS\cbcz.exe
C:\WINDOWS\System32\wymst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wymst.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Francky\Bureau\HijackThis.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.qc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://tsn.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Bcvsrv32] system2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*windows update] wymst.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Windows FormatAd] C:\Program Files\Windows FormatAd\WinForm.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [cbcz] C:\WINDOWS\cbcz.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\RunServices: [Bcvsrv32] system2.exe
O4 - HKLM\..\RunServices: [*windows update] wymst.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [*windows update] wymst.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
here's my virus log from escan
File C:\WINDOWS\nem220.dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\system2.exe infected by "Backdoor.Win32.Agobot.gen" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINDOW~4\WinForm.exe infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINDOW~4\WINFOR~1.DLL infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINCOM~1\WinComm.exe infected by "not-a-virus:AdWare.WinComm" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINCOM~1\WinDat.dll infected by "not-a-virus:AdWare.WinComm" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\INTERN~2\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\ADTOOL~1\ADTOOL~1.EXE infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\temp\salm.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File c:\temp\salmhook.dll infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINDOW~4\WINFOR~1.EXE infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINCOM~1\WinLock.exe infected by "not-a-virus:AdWare.WinComm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cbcz.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\nem220.dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\system2.exe infected by "Backdoor.Win32.Agobot.gen" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINDOW~4\WinForm.exe infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINCOM~1\WinComm.exe infected by "not-a-virus:AdWare.WinComm" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\INTERN~2\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus. Action Taken: No Action Taken.
File c:\temp\salm.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cbcz.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e2g25.exe infected by "Trojan-Downloader.Win32.Small.adu" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mmwork.exe infected by "not-a-virus:AdWare.MediaMotor.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\o2.exe infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\pi1_25.exe infected by "Trojan-Downloader.Win32.Small.afq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\unstall.exe infected by "not-a-virus:AdWare.MediaMotor.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\abasa5jrp.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hochkaod3.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lkir8l2gm.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\prutpct.exe infected by "Trojan-Spy.Win32.VB.eh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\q17i9a4j.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\lc.exe infected by "not-a-virus:AdWare.WinComm" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.fr4191 infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.fr4B32 infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.fr6DE2 infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.fr914A infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.fr9807 infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.frA92B infected by "Trojan-Clicker.Win32.VB.ex" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.frD961 infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\Temp\temp.frF9A8 infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\7C53JNQ2\pi1_25[1].exe infected by "Trojan-Downloader.Win32.Small.afq" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\F0BB7PA4\o2[1].exe infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\F0BB7PA4\WinFormComm[1].dll infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\OA09TK0H\prutjct[1].exe infected by "Trojan-Spy.Win32.VB.eh" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\OA09TK0H\WinForm[1].exe infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\RMOB3X0H\pi[1].exe infected by "Trojan-Downloader.Win32.Small.afq" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\RMOB3X0H\prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\UP92R6PO\nem220[1].dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\UP92R6PO\unstall[1].exe infected by "not-a-virus:AdWare.MediaMotor.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\WJ37AS1L\dl[1].htm infected by "not-a-virus:AdWare.WinAD.y" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\WJ37AS1L\WinFormKeep[1].exe infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e2g25.exe infected by "Trojan-Downloader.Win32.Small.adu" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mmwork.exe infected by "not-a-virus:AdWare.MediaMotor.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\o2.exe infected by "Trojan-Downloader.Win32.Dyfuca.du" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\pi1_25.exe infected by "Trojan-Downloader.Win32.Small.afq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\unstall.exe infected by "not-a-virus:AdWare.MediaMotor.c" Virus. Action Taken: No Action Taken.
Midnight Star
4.8K Posts
0
February 22nd, 2005 18:00
azozo
4 Posts
0
February 22nd, 2005 21:00
well, actually, i think i've cleaned it.... mostly...... i don't have any problems since, but i'm not sure if everything's gone....
Logfile of HijackThis v1.98.2
Scan saved at 18:01:47, on 2005-02-22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Dev-Cpp\DevCpp.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Francky\Bureau\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.qc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://tsn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Midnight Star
4.8K Posts
0
February 24th, 2005 16:00
Message Edited by Midnight Star on 02-24-2005 01:06 PM
Midnight Star
4.8K Posts
0
February 24th, 2005 17:00
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
C:\PROGRA~1\WINCOM~1
C:\PROGRA~1\ADTOOL~1
C:\WINDOWS\System32\system2.exe
C:\temp\salm.exe
c:\temp\salmhook.dll
C:\WINDOWS\cbcz.exe
C:\WINDOWS\e2g25.exe
C:\WINDOWS\mmwork.exe
C:\WINDOWS\o2.exe
C:\WINDOWS\pi1_25.exe
C:\WINDOWS\sskb5.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\System32\abasa5jrp.exe
C:\WINDOWS\System32\hochkaod3.exe
C:\WINDOWS\System32\lkir8l2gm.dll
C:\WINDOWS\System32\prutpct.exe
C:\WINDOWS\System32\q17i9a4j.exe
C:\WINDOWS\System32\qh4mkbv9.dll
C:\DOCUME~1\Francky\LOCALS~1\Temp\lc.exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\7C53JNQ2\pi1_25[1].exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\F0BB7PA4\o2[1].exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\F0BB7PA4\WinFormComm[1].dll
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\OA09TK0H\prutjct[1].exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\OA09TK0H\WinForm[1].exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\RMOB3X0H\pi[1].exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\UP92R6PO\nem220[1].dll
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\UP92R6PO\unstall[1].exe
C:\DOCUME~1\Francky\LOCALS~1\TEMPOR~1\Content.IE5\WJ37AS1L\WinFormKeep[1].exe
Message Edited by Midnight Star on 02-24-2005 01:02 PM
azozo
4 Posts
0
February 28th, 2005 14:00
Scan saved at 11:36:38, on 2005-02-28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Francky\Bureau\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://tsn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
Midnight Star
4.8K Posts
0
March 1st, 2005 00:00
We didn't get to finish the final cleanup, which we'll do after this, if everything is running ok, since this was the only entry that I could see that was left to fix.
Go to www.trendmicro.com, and then:
1. Click " Free Online Scan".
2. Click " Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) " Auto Clean".
3. Click " Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R3 - Default URLSearchHook is missing
Now, with all windows closed except HiJackThis, click " Fix checked".
Reboot your computer, and try using different programs and make sure everything is running ok. If your still experiencing problems, post back any concerns or problems you may be having and wait for any advice before continuing with the cleanup.
Download, install and run Cleanup! from Steven Gould, then:
1. Click " Cleanup!"
( wait for the program to finish scanning your system, and selecting files to be removed.)
2. Exit the program and reboot the computer, if necessary.
-
For more information about using Cleanup! see here.
If everything is running ok, let's do the final cleanup...
1. Run " Disk Cleanup" and allow it to remove everything it finds.
2. If you've downloaded MicroWorld AV ( MWAV), run it again - but don't scan, just click " Clear Log" and exit the program.
3. Go to www.trendmicro.com and click " Free Online Scan", then " Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) " Auto clean", then click " Scan".
4. Run AdAware SE Personal and " perform a full system scan", then Spybot S&D, and " Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.
5. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
If your having any more problems, post back.
-
Happy surfing,
Mike.