Hijackthis Log: Please Help Diagnose


#1 zaptobe (Members, 2 posts)

Posted 12 February 2008 - 07:45 AM

Hello,

I have problems with svchost.exe (svchost.exe\svchost.exe) which appears to be infected (WIN32:tratBHO trojan).
I tried Avast, Kaspersky, etc., unsuccessfully...
Thank you for your help.
Below is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:25, on 12/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrateur\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.fr"); (C:\Documents and Settings\ADMINISTRATEUR\Application Data\Mozilla\Profiles\default\xtzd6th3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\ADMINISTRATEUR\Application Data\Mozilla\Profiles\default\xtzd6th3.slt\prefs.js)
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\ddccyax.dll (file missing)
O2 - BHO: (no name) - {3D91682A-8C74-436B-A53A-C89646DAF7CA} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: (no name) - {F2FF0D36-47A3-4DED-B760-0DDFC1A6B666} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: ddccyax - C:\WINDOWS\
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Verrouillage des périphériques / Audition HP ProtectTools (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Fichiers communs\SureThing Shared\stllssvr.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 8786 bytes
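The reply that follows reads the O2/O4/O20/O23 entries above by eye. As an added example that is not from this thread or from HijackThis itself, here is a small Python triage script that applies the same checks a helper makes on such lines (orphaned BHOs, a Winlogon Notify entry with no DLL, an autostart under Policies\Explorer\Run, a service whose binary is absent) to a handful of entries copied from the log above. The field splitting and the rules are my assumptions about the HJT line format, not a reference parser.

```python
"""Triage checks over HijackThis log entries (added example; not HJT's own code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted above, with a few
# clean entries from the same log kept in for contrast. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\ddccyax.dll (file missing)
O2 - BHO: (no name) - {3D91682A-8C74-436B-A53A-C89646DAF7CA} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F2FF0D36-47A3-4DED-B760-0DDFC1A6B666} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O20 - Winlogon Notify: ddccyax - C:\WINDOWS\
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
"""

# Every HJT entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section the rule fired on (O2, O4, O20, O23)
    name: str    # BHO CLSID, Run value name, Notify subkey or service name
    reason: str  # why a helper would look twice at this entry
    line: str    # the original log line, for quoting in a reply


def parse_entries(text):
    """Yield (code, body, line) for each well-formed HJT entry in text."""
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def _clsid(body):
    m = re.search(r"\{[0-9A-F-]+\}", body, re.I)
    return m.group(0) if m else "?"


def _run_value(body):
    m = re.search(r"\[([^\]]+)\]", body)  # "[Name] command"
    return m.group(1) if m else "?"


def _after_colon(body):
    # "Winlogon Notify: ddccyax - C:\WINDOWS\" -> "ddccyax"
    return body.split(":", 1)[1].split(" - ", 1)[0].strip()


def triage(text):
    """Return the entries a helper would query, in log order."""
    findings = []
    for code, body, line in parse_entries(text):
        if code == "O2" and body.endswith(("(file missing)", "(no file)")):
            # A CLSID still registered as a BHO after its DLL went away:
            # either leftovers of a removal or a component being re-dropped.
            findings.append(Finding(code, _clsid(body),
                                    "BHO registered but its DLL is absent", line))
        elif code == "O4" and r"\Policies\Explorer\Run:" in body:
            cmd = body.split("] ", 1)[-1]
            reason = "autostart under Policies\\Explorer\\Run, an uncommon location"
            if "\\" not in cmd:
                # Bare filename: resolved via the search path, so the real
                # location on disk has to be confirmed separately.
                reason += "; bare filename, on-disk path unresolved"
            findings.append(Finding(code, _run_value(body), reason, line))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            path = body.rsplit(" - ", 1)[-1]
            if not path.lower().endswith(".dll"):
                # Notify packages load into winlogon; a bare directory here
                # means HJT could not resolve the registered DLL.
                findings.append(Finding(code, _after_colon(body),
                                        "Winlogon Notify entry does not name a DLL", line))
        elif code == "O23" and body.endswith("(file missing)"):
            # Often an unquoted service path (C:\Program.exe) rather than
            # malware, but it still needs a look.
            findings.append(Finding(code, _after_colon(body),
                                    "service binary not found on disk", line))
    return findings


def summary(findings):
    """Count findings per HJT section, e.g. {'O2': 3, 'O4': 1, ...}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<5}{f.name:<40}{f.reason}")
```

Run against the full log above, it picks out exactly the entries the helper's CFScript and later replies go after, and leaves the Kaspersky, Spybot and HP entries alone.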


#2 Buckeye_Sam (Malware Expert, 17,382 posts, Pickerington, Ohio)

Posted 12 February 2008 - 08:32 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 zaptobe (Topic Starter, 2 posts)

Posted 12 February 2008 - 09:17 AM

Hello Sam,
Nice to meet you here and thank you for your quick answer.
Below is the ComboFix log.

ComboFix 08-02-12.1 - Administrateur 2008-02-12 15:06:11.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1332 [GMT 1:00]
Endroit: C:\tmp\ComboFix.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
D:\Autorun.inf
D:\RECYCLER\Desktop.ini
D:\RECYCLER\Folder.htt
D:\RECYCLER\Protect.ed
D:\RECYCLER\Warning.bmp

----- BITS: Possible sites infectés -----

hxxp://update.pdfcomplete.com

.
((((((((((((((((((((((((((((( Fichiers créés 2008-01-12 to 2008-02-12 ))))))))))))))))))))))))))))))))))))
.

2008-02-12 13:52 . 2008-02-12 13:52 <REP> d-------- C:\Program Files\Lavasoft
2008-02-12 13:52 . 2008-02-12 13:53 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 13:51 . 2008-02-12 13:51 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-12 12:38 . 2008-02-12 12:38 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 12:38 . 2008-02-12 13:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 00:59 . 2008-02-12 00:59 <REP> d-------- C:\WINDOWS\ServicePackFiles
2008-02-12 00:58 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-02-11 17:06 . 2008-02-11 17:12 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-11 17:06 . 2008-02-11 17:12 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-11 17:05 . 2008-02-11 23:33 <REP> d-------- C:\Program Files\Kaspersky Lab
2008-02-11 17:05 . 2008-02-12 15:10 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-11 17:05 . 2008-02-12 15:10 3,390,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-11 17:05 . 2008-02-12 15:09 51,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-11 17:05 . 2008-02-12 15:09 48,548 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-11 17:05 . 2008-02-12 15:09 5,852 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-11 14:43 . 2008-02-11 16:55 <REP> d-------- C:\Program Files\Eset
2008-02-11 14:43 . 2008-02-11 14:42 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-11 14:18 . 2008-02-11 14:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-11 14:16 . 2008-02-11 14:16 <REP> d---s---- C:\Documents and Settings\Administrateur\UserData
2008-02-11 00:00 . 2008-02-11 00:00 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Media Player Classic
2008-02-10 23:27 . 2008-02-12 14:33 <REP> d-------- C:\VundoFix Backups
2008-02-10 23:07 . 2008-02-10 23:07 <REP> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-10 22:51 . 2008-02-10 22:51 <REP> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-02-10 22:26 . 2008-02-10 22:26 <REP> d-------- C:\Program Files\Bonjour
2008-02-10 22:19 . 2008-02-10 22:19 <REP> d-------- C:\Program Files\Fichiers communs\Macrovision Shared
2008-02-10 22:18 . 2008-02-10 22:26 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-02-10 20:08 . 2008-02-10 20:08 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-02-10 17:12 . 2008-02-11 23:16 <REP> d-------- C:\Program Files\eMule
2008-02-10 17:03 . 2008-02-10 17:03 <REP> d-------- C:\WINDOWS\SHELLNEW
2008-02-10 17:03 . 2008-02-10 17:03 <REP> d-------- C:\Program Files\Microsoft.NET
2008-02-10 17:03 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-10 17:01 . 2008-02-10 17:01 <REP> dr-h----- C:\MSOCache
2008-02-10 16:48 . 2008-02-10 16:48 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\GlobalSCAPE
2008-02-10 16:47 . 2008-02-10 17:04 385 --a------ C:\WINDOWS\ODBC.INI
2008-02-10 03:31 . 2008-02-10 03:31 <REP> d-------- C:\Program Files\GlobalSCAPE
2008-02-10 01:31 . 2008-02-10 01:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-02-09 23:50 . 2008-02-09 23:50 <REP> d-------- C:\Program Files\Fichiers communs\mozilla.org
2008-02-09 23:38 . 2008-02-10 02:19 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\IDMComp
2008-02-09 23:36 . 2008-02-09 23:39 <REP> d-------- C:\Program Files\IDM Computer Solutions
2008-02-09 23:33 . 2008-02-10 17:00 <REP> d-------- C:\Program Files\RegCure
2008-02-09 23:32 . 2008-02-09 23:32 <REP> d-------- C:\Program Files\Satsuki Decoder Pack
2008-02-09 23:32 . 2008-02-09 23:32 26 --a------ C:\WINDOWS\system32\satsukidecodersettings.ini
2008-02-09 23:31 . 2008-02-10 03:24 <REP> d-------- C:\phpMyAdmin
2008-02-09 23:30 . 2008-02-09 23:30 <REP> d-------- C:\Program Files\PowerISO
2008-02-09 23:29 . 2008-02-09 23:29 <REP> d-------- C:\Program Files\PicaView32
2008-02-09 23:20 . 2008-02-11 14:07 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 23:18 . 2008-02-09 23:18 <REP> d-------- C:\Program Files\Fichiers communs\eSellerate
2008-02-09 23:18 . 2008-02-09 23:18 <REP> d-------- C:\Program Files\AnswersThatWork
2008-02-09 23:18 . 2007-06-08 13:53 1,753,088 --a------ C:\WINDOWS\system32\ExGrid.dll
2008-02-09 23:18 . 2007-04-03 16:51 614,400 --a------ C:\WINDOWS\system32\ExButton.dll
2008-02-09 23:18 . 2007-06-05 10:20 602,112 --a------ C:\WINDOWS\system32\ExMenu.dll
2008-02-09 23:18 . 2007-06-05 10:19 516,096 --a------ C:\WINDOWS\system32\ExTab.dll
2008-02-09 23:18 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-02-09 23:18 . 2005-10-11 14:40 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-02-09 23:18 . 2007-04-03 16:51 307,200 --a------ C:\WINDOWS\system32\ExPMenu.dll
2008-02-09 23:18 . 2005-06-18 11:44 212,240 --a------ C:\WINDOWS\system32\RichTx32.ocx
2008-02-09 23:18 . 2004-03-09 01:00 124,688 --a------ C:\WINDOWS\system32\MSWinSck.ocx
2008-02-09 23:18 . 2005-10-04 08:11 118,784 --a------ C:\WINDOWS\system32\eWebControl.dll
2008-02-09 23:16 . 2008-02-10 03:12 <REP> d-------- C:\Program Files\PHP
2008-02-09 23:11 . 2008-02-09 23:11 <REP> d-------- C:\Program Files\MySQL
2008-02-09 23:10 . 2008-02-09 23:10 <REP> d-------- C:\Program Files\Apache Group
2008-02-09 23:03 . 2008-02-09 23:03 <REP> d-------- C:\Documents and Settings\Administrateur\.javaws
2008-02-09 23:03 . 2003-02-20 16:42 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-02-09 23:02 . 2008-02-09 23:50 95,440 --a------ C:\WINDOWS\GREUninstall.exe
2008-02-09 23:02 . 2008-02-09 23:50 87,184 --a------ C:\WINDOWS\NSUninst.exe
2008-02-09 22:42 . 2008-02-09 22:42 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Talkback
2008-02-09 22:23 . 2008-02-12 13:26 11,800 --a------ C:\WINDOWS\mozver.dat
2008-02-09 22:22 . 2008-02-09 22:22 <REP> d-------- C:\Documents and Settings\Administrateur\Application Data\Netscape
2008-02-09 22:22 . 2008-02-09 23:03 335 --a------ C:\WINDOWS\nsreg.dat
2008-02-09 22:21 . 2008-02-09 23:28 <REP> d-------- C:\Program Files\Netscape
2008-02-09 22:21 . 2008-02-09 22:25 <REP> d-------- C:\Program Files\Fichiers communs\Scanner
2008-02-09 22:21 . 2008-02-10 02:42 <REP> d-------- C:\en-cours
2008-02-09 21:15 . 2008-02-09 21:15 <REP> d-------- C:\Program Files\Alwil Software
2008-02-09 21:13 . 2008-02-12 15:03 <REP> d-------- C:\tmp
2008-02-09 21:10 . 2004-08-19 16:09 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-09 20:58 . 2008-02-09 20:58 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-09 20:22 . 2008-02-09 20:22 <REP> d-------- C:\Program Files\Common Files
2008-02-09 20:22 . 2008-02-09 20:22 <REP> d-------- C:\Intel
2008-02-09 20:22 . 2008-02-09 20:22 <REP> d-------- C:\Documents and Settings\Administrateur\Bluetooth Software
2008-02-09 20:22 . 2007-04-10 14:09 920,344 --a------ C:\WINDOWS\system32\heciudlg.exe
2008-02-09 20:22 . 2007-04-10 14:10 912,152 --a------ C:\WINDOWS\system32\mesoludlg.exe
2008-02-09 20:22 . 2007-04-06 10:27 44,800 --a------ C:\WINDOWS\system32\drivers\HECI.sys
2008-02-09 20:21 . 2008-02-09 20:21 <REP> d-------- C:\Program Files\WIDCOMM
2008-02-09 20:21 . 2008-02-10 15:23 <REP> d-------- C:\Program Files\Google
2008-02-09 20:21 . 2007-02-14 15:20 868,298 --a------ C:\WINDOWS\system32\drivers\btkrnl.sys
2008-02-09 20:21 . 2007-02-14 15:20 530,861 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2008-02-09 20:21 . 2007-01-24 14:28 325,120 --a------ C:\WINDOWS\system32\accelerometercp.CPL
2008-02-09 20:21 . 2007-02-14 15:20 149,123 --a------ C:\WINDOWS\system32\drivers\btwdndis.sys
2008-02-09 20:21 . 2007-01-24 14:28 124,928 --a------ C:\WINDOWS\system32\accelerometerST.exe
2008-02-09 20:21 . 2007-02-14 15:20 47,907 --a------ C:\WINDOWS\system32\drivers\btwhid.sys
2008-02-09 20:21 . 2007-02-14 15:20 30,459 --a------ C:\WINDOWS\system32\drivers\btport.sys
2008-02-09 20:21 . 2007-01-05 16:42 7,680 --a------ C:\WINDOWS\system32\accelerometerdll.DLL
2008-02-09 20:21 . 2007-01-24 13:08 195 -r-hs---- C:\WINDOWS\system32\vssver2.scc
2008-02-09 20:20 . 2004-08-05 09:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-09 20:19 . 2008-02-09 20:19 <REP> d-------- C:\Program Files\Macrovision Corp
2008-02-09 20:19 . 2008-02-09 20:19 <REP> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-09 20:19 . 2002-11-22 02:57 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-02-09 20:19 . 2002-11-22 02:57 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-02-09 20:19 . 2002-11-22 02:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-02-09 20:19 . 2002-11-22 02:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 20:44 40,448 ----a-w C:\WINDOWS\system32\NTSpool.exe
2008-02-09 22:08 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-02-09 22:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 22:03 --------- d-----w C:\Program Files\Java
2008-02-09 19:23 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-09 19:22 --------- d-----w C:\Program Files\Intel
2008-02-09 19:19 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-02-09 19:18 1,810 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq 8710w (GC125EA#ABF)_YN_0U_QCND741069F_E441809051_46_I30C3_SHP_VKBC Version 73.2E_B68MAD Ver. F.03_T070903_WXP2_L40C_M2032_J120_7Intel_8Core2 Duo T7700_92.39_#080209_N80861049_(GC125EA#ABF).MRK
2008-02-09 15:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-09 15:46 --------- d-----w C:\Program Files\Synaptics
2008-02-09 15:46 --------- d-----w C:\Program Files\Services en ligne
2008-02-09 15:45 --------- d-----w C:\Program Files\Roxio
2008-02-09 15:45 --------- d-----w C:\Program Files\PDF Complete
2008-02-09 15:45 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-09 15:45 --------- d-----w C:\Program Files\HP
2008-02-09 15:10 --------- d-----w C:\Program Files\HPQ
2008-02-09 14:59 --------- d-----w C:\Program Files\Fingerprint Sensor
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\SureThing Shared
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\Sonic Shared
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\Roxio Shared
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\ODBC
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2008-02-09 14:58 --------- d-----w C:\Program Files\Fichiers communs\LightScribe
2008-02-09 14:57 --------- d-----w C:\Program Files\Fichiers communs\Java
2008-02-09 14:57 --------- d-----w C:\Program Files\CONEXANT
2008-02-09 14:57 --------- d-----w C:\Program Files\Analog Devices
2008-02-09 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\SBSI
2008-02-09 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-09 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-02-09 14:55 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\InstallShield
2008-02-09 14:55 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\hpqLog
2008-01-09 13:49 2,180 ----a-w C:\Program Files\config.inc.php
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-05-25 13:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-05-08 07:38 331552]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 12:18 472776]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 15:17 163840]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 18:12 17920]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-09 16:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-10-09 10:23 697976]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 10:52 57344]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 16:09 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyax]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
DeviceNP.dll 2007-04-30 07:19 49152 C:\WINDOWS\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-04-26 18:23]
R0 SbAlg;SbAlg;C:\WINDOWS\system32\drivers\SbAlg.sys [2006-10-09 12:31]
R0 SbFsLock;SbFsLock;C:\WINDOWS\system32\drivers\SbFsLock.sys [2007-03-29 15:54]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-04-26 18:23]
R2 ASChannel;Canal de communication local;C:\WINDOWS\System32\svchost.exe [2004-08-19 16:10]
R2 atchksrv;Intel® Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-04-10 14:10]
R2 HpFkCryptService;Drive Encryption Service;"c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [2007-04-27 09:58]
R2 LMS;Intel® Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-04-10 14:10]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2007-05-08 07:38]
R2 UNS;Intel® Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-04-10 14:10]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-23 21:13]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 rismc32;RICOH Smart Card Reader;C:\WINDOWS\system32\DRIVERS\rismc32.sys [2006-12-20 02:08]
S2 ASBroker;Courtier de session de connexion;C:\WINDOWS\System32\svchost.exe [2004-08-19 16:10]
S3 DAMDrv;DAMDrv;C:\WINDOWS\system32\DRIVERS\DAMDrv.sys [2007-04-23 12:13]
S3 FLCDLOCK;Verrouillage des périphériques / Audition HP ProtectTools;C:\WINDOWS\system32\flcdlock.exe [2007-04-30 07:28]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Fichiers communs\LightScribe\LSRunOnce.exe"
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-12 14:10:04 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-10 15:56:56 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 15:10:21
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-12 15:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 14:13:02

#4 Buckeye_Sam (Malware Expert, 17,382 posts, Pickerington, Ohio)

Posted 13 February 2008 - 08:01 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\NTSpool.exe

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==============



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.



========================================================

#5 Buckeye_Sam (Malware Expert, 17,382 posts, Pickerington, Ohio)

Posted 12 March 2008 - 06:55 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.