Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ie Won't Display Security Related Pages


  • This topic is locked This topic is locked
13 replies to this topic

#1 sopolo

sopolo

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 14 November 2005 - 05:47 AM

Hello,
I'm blocked from going to security pages like spybot, merjin etc...
I finally managed to download a Hijack this software through a third party and got the following log.
I realized I had a problem when I figured out spybot updates didn't work anymore.
I have currently:
spybot
antivir build 1114 / control 6.32.00.2 / guard 6.32.00.12 /
sygate personal firewall
Antivir still updates but sometimes displays strange versions numbers during updates.
Firewall seems to behave normally.
I didn't notice any other problem.

As I'm far to be an expert I would greatly appreciate some help on what to fix with Hijack This before restarting a whole check as you explain it in your "read this" topic. Thank you very much for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:11:29, on 14/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\video\quicktime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\saperlipopette\Bureau\Progra\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\video\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mfc42fra] C:\WINDOWS\System32\mfc42fra.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://login.caramail.lycos.fr
O15 - Trusted Zone: http://www.caramail.lycos.fr
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06d959cee126bb...RdxIE601_fr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.misterclic.fr/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D68FF30-C890-4678-A199-A9EDE0D68959}: NameServer = 80.118.196.42 80.118.192.112
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: System Event (WksPatch) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe (file missing)

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 14 November 2005 - 06:12 AM

Hi and :thumbsup:
  • Please download hoster from the link below.
    http://www.funkytoad.com/download/hoster.zip
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
  • Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given
David

#3 sopolo

sopolo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 14 November 2005 - 06:35 AM

Hi and :thumbsup:

  • Please download hoster from the link below.
    http://www.funkytoad.com/download/hoster.zip
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
  • Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given
David



Thank you D-Trojanator,
Here is my Hijack This Log after I did what you suggested:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:14, on 14/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\video\quicktime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\saperlipopette\Bureau\Progra\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\video\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mfc42fra] C:\WINDOWS\System32\mfc42fra.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://login.caramail.lycos.fr
O15 - Trusted Zone: http://www.caramail.lycos.fr
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06d959cee126bb...RdxIE601_fr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.misterclic.fr/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D68FF30-C890-4678-A199-A9EDE0D68959}: NameServer = 80.118.196.40 80.118.192.110
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: System Event (WksPatch) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe (file missing)

:flowers:

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 14 November 2005 - 01:24 PM

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful") Posted Image
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :thumbsup:
David

#5 sopolo

sopolo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 14 November 2005 - 06:27 PM

Please download ewido security suite it is a free version of the program.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful") Posted Image
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :thumbsup:
David



Thank you David,
I went through the whole process in the "read this" section before I received your answer:



-Ad aware: 72 entries deleted:
ArchiveData(auto-quarantine- 2005-11-14 18-03-13.bckp)
Referencefile : SE1R74 09.11.2005
======================================================

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=RegData : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\windows\currentversion\policies\explorer "NoToolbarCustomize"
obj[1]=RegData : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\windows\currentversion\policies\explorer "NoBandCustomize"
obj[2]=RegData : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\windows\currentversion\policies\explorer "SpecifyDefaultButtons"
obj[3]=RegData : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\windows\currentversion\policies\explorer "Btn_Search"
obj[4]=RegData : S-1-5-21-839522115-1078081533-2146989891-1003\software\policies\microsoft\internet explorer\control panel "Homepage"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=IECache Entry : Cookie:saperlipopette@atdmt.com/

ISEARCH TOOLBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[6]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "toolbar_version"
obj[7]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "ToolbarIsFailed"
obj[8]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "corruptedMsg"
obj[9]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "uninstallMsg"
obj[10]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "updateMsg"
obj[11]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "autoUpdateMsg"
obj[12]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "versionError"
obj[13]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "connectionError"
obj[14]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "lastVersionMsg"
obj[15]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "contextMenuItemName"
obj[16]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "closeAllWindowsForUpdate"
obj[17]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "PopStop"
obj[18]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "firstURL"
obj[19]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "urlAfterUpdate"
obj[20]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "serverpath"
obj[21]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "updateUrl"
obj[22]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "urlAfterUninstall"
obj[23]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "contextSearch"
obj[24]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "OpenNew"
obj[25]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "AutoComplete"
obj[26]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "KeepHistory"
obj[27]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "RunSearchAutomatically"
obj[28]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "RunSearchDragAutomatically"
obj[29]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "DescriptiveText"
obj[30]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "ShowHighlightButton"
obj[31]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "ShowFindButtons"
obj[32]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "UpdateAutomatically"
obj[33]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "EditWidthcombo1"
obj[34]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar ""
obj[35]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "autoSearch"
obj[36]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "init"
obj[37]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "user_id"
obj[38]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "blockPopups"
obj[39]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "Scope"
obj[40]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "j_version"
obj[41]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar "patch_version"
obj[63]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\internet explorer\toolbar\webbrowser "{1C78AB3F-A857-482E-80C0-3A1E5238A565}"
obj[64]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\internet explorer\urlsearchhooks "{1C78AB3F-A857-482e-80C0-3A1E5238A565}"
obj[65]=RegValue : software\microsoft\internet explorer\toolbar "{1C78AB3F-A857-482E-80C0-3A1E5238A565}"
obj[66]=Regkey : isearch.object.1
obj[67]=Regkey : S-1-5-21-839522115-1078081533-2146989891-1003\software\isearch\isearch toolbar

ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[42]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[43]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[44]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[45]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[46]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[47]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[60]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[61]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[62]=RegValue : S-1-5-21-839522115-1078081533-2146989891-1003\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[68]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

WIN32.WELCHIA.B
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[48]=RegValue : system\controlset001\services\wkspatch "Start"
obj[49]=RegValue : system\controlset001\services\wkspatch "ErrorControl"
obj[50]=RegValue : system\controlset001\services\wkspatch "ImagePath"
obj[51]=RegValue : system\controlset001\services\wkspatch "DisplayName"
obj[52]=RegValue : system\controlset001\services\wkspatch "ObjectName"
obj[53]=RegValue : system\controlset001\services\wkspatch "Description"
obj[54]=RegValue : system\currentcontrolset\services\wkspatch "Start"
obj[55]=RegValue : system\currentcontrolset\services\wkspatch "ErrorControl"
obj[56]=RegValue : system\currentcontrolset\services\wkspatch "ImagePath"
obj[57]=RegValue : system\currentcontrolset\services\wkspatch "DisplayName"
obj[58]=RegValue : system\currentcontrolset\services\wkspatch "ObjectName"
obj[59]=RegValue : system\currentcontrolset\services\wkspatch "Description"
obj[70]=Regkey : system\controlset001\services\wkspatch
obj[71]=Regkey : system\currentcontrolset\services\wkspatch

STATBLASTER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[69]=Regkey : software\wildmedia\licensestores





-spybot: removed Realdowloadexpress


-virus checks + Stinger: no results




I then got your message and used ewido with the following result:


---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 23:34:58, 14/11/2005
+ Somme de contrôle: DC6F10BC

+ Résultats du scan:

HKLM\SOFTWARE\WildMedia -> Spyware.MidAddle : Nettoyer et sauvegarder
C:\Documents and Settings\saperlipopette\Cookies\saperlipopette@com[2].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
C:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Nettoyer et sauvegarder


::Fin du rapport


And finally my HJT log:

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 23:45:27, on 14/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\video\quicktime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Securite\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\saperlipopette\Bureau\Progra\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\video\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mfc42fra] C:\WINDOWS\System32\mfc42fra.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://login.caramail.lycos.fr
O15 - Trusted Zone: http://www.caramail.lycos.fr
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d959cee126bb...RdxIE601_fr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.misterclic.fr/XUpload.ocx
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Securite\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe




I feel much lighter now :flowers:
but the worse is i was really thinking my computer was safe :trumpet:
Thank you so much David for your help. I really appreciate.
Do you thnk I'm Ok now?


#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 15 November 2005 - 11:30 AM

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\WINDOWS\System32\mfc42fra.exe
Click Open
Please let me know the results.
David

#7 sopolo

sopolo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 15 November 2005 - 07:25 PM

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\WINDOWS\System32\mfc42fra.exe
Click Open
Please let me know the results.
David



Thank you David,

I couldn't find any MFC42FRA.EXE
not even in hidden files, nor with 'known extensions hiding' disabled, nor with a file search in the Windows folder. :thumbsup: me go get glasses

I only have a MFC42FRA.DLL
which gave the following results on Virusscan.jotti.org (impressing tool!) :


File: MFC42FRA.DLL
Status: OK
MD5 2841592c019a4a8a753d4ad36465b3c1
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


I don't know what MFC42FRA.DLL is about, but my computer is set for French language (FRA).

Thanks again

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 16 November 2005 - 12:09 PM

Can i have a new HJT log
David

#9 sopolo

sopolo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 16 November 2005 - 03:36 PM

Here it is David:

Logfile of HijackThis v1.99.1
Scan saved at 21:27:23, on 16/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Securite\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\video\quicktime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\saperlipopette\Bureau\Progra\Securite\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\video\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mfc42fra] C:\WINDOWS\System32\mfc42fra.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://login.caramail.lycos.fr
O15 - Trusted Zone: http://www.caramail.lycos.fr
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d959cee126bb...RdxIE601_fr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.misterclic.fr/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D68FF30-C890-4678-A199-A9EDE0D68959}: NameServer = 80.118.192.100 80.118.196.36
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Securite\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 17 November 2005 - 01:09 PM

Please do both of the following before we start if possible!:

1) Please print off these intructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [mfc42fra] C:\WINDOWS\System32\mfc42fra.exe

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\mfc42fra.exe
_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log
David

#11 sopolo

sopolo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 17 November 2005 - 06:37 PM

Thank you David,

I did it all.

Killbox couldn't find the C:\WINDOWS\System32\mfc42fra.exe file
(result: file does not seem to exist)

but the double Temp file cleanup seems to have been efficient.
:thumbsup: ---These two are gone:
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [mfc42fra] C:\WINDOWS\System32\mfc42fra.exe
------------------------------------------------------------------------------------

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:07:33, on 18/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\video\quicktime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Securite\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\saperlipopette\Bureau\Progra\Securite\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\video\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Net\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://login.caramail.lycos.fr
O15 - Trusted Zone: http://www.caramail.lycos.fr
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06d959cee126bb...RdxIE601_fr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.misterclic.fr/XUpload.ocx
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Securite\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


Thanks again

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 19 November 2005 - 07:56 AM

I'll tell you one thing - you're looking CLEAN! :thumbsup:

How's everything running? :up: or :down: ?

David

#13 sopolo

sopolo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 19 November 2005 - 11:00 AM

Yiiiiihhhhaaaaaaaaaaaaa !!!!!!!!!! :thumbsup:

This is fantastic David. Everything is running smooth and noticeably faster than before.

And the big plus is I have lost this uncomfortable feeling that something was wrong -and unsafe- with my computer.

I'll keep using ad-aware and spybot regularly.

Thank you very much David. I really appreciate.

I'll be glad to encourage you for being so serviceable and will use the front page donation system.

This is a great website and I will recommend it around me.

Thanks again. :flowers:

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:02 PM

Posted 19 November 2005 - 11:04 AM

Ok! :thumbsup:

Thanx for the donation - it will go to the running of the site! :flowers:

David :trumpet:

Due to the fact that this topic has thankfully been resolved, I will close this thread. :inlove:

If you want to thread to be re-opened at any point ? please PM me or any other staff with a link to it!

If anyone else is reading this with a similar problem that you would like help with, please post it in a new thread in the security section!


:cool: David :)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users