Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm Very Infected.


  • This topic is locked This topic is locked
12 replies to this topic

#1 Ramsez

Ramsez

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 18 September 2006 - 08:35 PM

Many spywares, malwares i guess. Spybot won'tf ix it, i've followed the sticky on SSK it didnt fix it.

Logfile of HijackThis v1.99.1
Scan saved at 21:32:01, on 2006-09-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\Downloaded Program Files\CONFLICT.16\UERSV_0001_N91S2108NetInstaller.exe
C:\Documents and Settings\Ichigo\Bureau\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\cihfpohg.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...eInstall_fr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://hamoudymomo.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B1B321-4B26-4814-AAE9-55D9B23822B6}: NameServer = 206.47.244.12 67.69.184.16
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\System32\jkkjh.dll
O20 - Winlogon Notify: rwgnvobo - C:\WINDOWS\SYSTEM32\rwgnvobo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanks a lot.
Ramz

Edited by Ramsez, 18 September 2006 - 09:52 PM.


BC AdBot (Login to Remove)

 


#2 Ramsez

Ramsez
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 18 September 2006 - 10:04 PM

It's getting worse i got this new "errorsafe" download prompt and many popups related to that first time i see these also.

Logfile of HijackThis v1.99.1
Scan saved at 23:02:57, on 2006-09-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ichigo\Bureau\hijackthis\kitty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\cihfpohg.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...eInstall_fr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://hamoudymomo.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B1B321-4B26-4814-AAE9-55D9B23822B6}: NameServer = 206.47.244.12 67.69.184.16
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\System32\jkkjh.dll
O20 - Winlogon Notify: rwgnvobo - C:\WINDOWS\SYSTEM32\rwgnvobo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 19 September 2006 - 08:39 AM

Hello,

It is important you follow every step in the right order...

I notice that you do not seem to be running Antivirus softwar. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast are good FREE antivirus.

Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was been found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\System32\jkkjh.dll
  • Copy and paste next in the second field: C:\WINDOWS\SYSTEM32\rwgnvobo.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\cihfpohg.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...eInstall_fr.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\System32\jkkjh.dll
O20 - Winlogon Notify: rwgnvobo - C:\WINDOWS\SYSTEM32\rwgnvobo.dll
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't get fixed yet..

* Go to start > run and copy and paste next command in the field:

sc delete ServiceHost

Hit enter

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-
"DoNotAllowXPSP3"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"lmcompatibilitylevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the contents of C:\vundofix.txt.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Ramsez

Ramsez
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 22 September 2006 - 11:56 AM

There are the three logs,

Ichigo - 06-09-22 12:47:17,56 Service Pack 2
ComboFix 06.09.21 - Running from: "C:\Documents and Settings\Ichigo\Bureau"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{FAABC9DC-5E02-4E03-87A0-4E72C55A2506}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAABC9DC-5E02-4E03-87A0-4E72C55A2506}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAABC9DC-5E02-4E03-87A0-4E72C55A2506}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAABC9DC-5E02-4E03-87A0-4E72C55A2506}\InprocServer32]
@="C:\\WINDOWS\\system32\\puh.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\jtjs0717e.dll
C:\WINDOWS\system32\mvp6l97s1.dll
C:\WINDOWS\system32\pjflbmsg.dll


Granting sedebugprivilege to Administrateurs ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Ichigo\Application Data\Sskcwrd.dll
C:\Documents and Settings\Ichigo\Application Data\Sskknwrd.dll
C:\Documents and Settings\Ichigo\Application Data\Sskuknwrd.dll
C:\Program Files\surfsidekick 3\Ssk.exe
C:\Program Files\surfsidekick 3\SskBho.dll
C:\Program Files\surfsidekick 3\SskCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drsmartload1135a.exe
C:\dfndrff_e6.exe
C:\deskbar4.exe
C:\kybrdff_e6.exe
C:\WINDOWS\offun.exe
C:\Program Files\Fichiers communs\{6CA1E41F-05BA-3084-0727-050302270002}


((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))


2006-09-22 12:37 1,492 --a------ C:\WINDOWSvundofix.reg
2006-09-21 20:53 43,568 --a------ C:\WINDOWS\logon.exe
2006-09-21 19:48 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-09-18 21:22 86,068 --a------ C:\WINDOWS\system32\cihfpohg.dll
2006-09-18 21:22 188,436 --------- C:\WINDOWS\system32\rwgnvobo.dll
2006-09-18 00:39 666,864 -r-hs---- C:\WINDOWS\qnhgskgA.exe
2006-09-18 00:39 430,592 --a------ C:\912_121.exe
2006-09-18 00:39 215,308 --a------ C:\WINDOWS\srvqukmniy.exe
2006-09-18 00:39 163,840 --a------ C:\WINDOWS\ms069023182254.exe
2006-09-17 23:53 63,488 --a------ C:\WINDOWS\system32\Xinstall.exe
2006-09-17 23:53 20,480 --a------ C:\WINDOWS\system32\sprY.exe
2006-09-17 23:53 138,862 --a------ C:\WINDOWS\system32\alfa.exe
2006-09-17 20:15 131,604 --a------ C:\WINDOWS\system32\eieatxmy.dll
2006-09-05 18:57 131,604 --a------ C:\WINDOWS\system32\bujdfyxh.dll
2006-08-31 17:46 131,604 --a------ C:\WINDOWS\system32\onchtpyk.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-22 12:50 -------- d-------- C:\Program Files\Fichiers communs
2006-09-22 12:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 23:59 1488137 ---hs---- C:\WINDOWS\system32\hjkkj.bak2
2006-09-21 21:41 -------- d-------- C:\Program Files\Services en ligne
2006-09-21 19:48 -------- d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-09-21 18:51 -------- d-------- C:\Program Files\Warcraft III
2006-09-19 20:49 -------- d-------- C:\Program Files\Incomplete
2006-09-19 20:47 -------- d-------- C:\Program Files\LimeWire
2006-09-19 20:11 -------- d-------- C:\Program Files\PrintView
2006-09-19 00:31 -------- d-------- C:\Program Files\MSN Messenger
2006-09-18 22:35 1452974 ---hs---- C:\WINDOWS\system32\hjkkj.bak1
2006-09-18 11:44 -------- d-------- C:\Program Files\Fichiers communs\Microsoft Shared
2006-09-18 10:35 -------- d-------- C:\Program Files\PartyPoker.net
2006-09-18 10:34 -------- d-------- C:\Documents and Settings\Ichigo\Application Data\Lavasoft
2006-09-18 02:21 -------- d-------- C:\Program Files\XoftSpy
2006-09-18 01:57 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-18 00:39 517 --a------ C:\Program Files\Fichiers communs\megor
2006-09-18 00:39 -------- d-------- C:\Program Files\MSN
2006-09-16 07:06 -------- d-------- C:\Program Files\Winamp
2006-09-14 23:36 -------- d-------- C:\Documents and Settings\Ichigo\Application Data\Azureus
2006-09-14 19:58 -------- d-------- C:\Documents and Settings\Ichigo\Application Data\LimeWire
2006-09-06 10:47 -------- d-------- C:\Program Files\Webteh
2006-09-06 10:16 -------- d-------- C:\Program Files\Ares
2006-08-28 18:51 -------- d-------- C:\Program Files\Capture-A-ScreenShot
2006-08-21 11:49 -------- d-------- C:\Program Files\Teamspeak2
2006-08-21 08:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-13 02:05 -------- d-------- C:\Program Files\Internet Explorer
2006-08-05 01:32 -------- d-------- C:\Program Files\Google
2006-08-04 19:10 -------- d-------- C:\Documents and Settings\Ichigo\Application Data\Real
2006-08-04 18:57 -------- d-------- C:\Program Files\Fichiers communs\xing shared
2006-08-04 18:56 -------- d-------- C:\Program Files\Fichiers communs\Real
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 09:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:27 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 20:24 90112 --a------ C:\WINDOWS\system32\agsaami.dll
2006-07-14 20:24 610304 --a------ C:\WINDOWS\system32\agsaamg.dll
2006-07-14 20:24 372736 --a------ C:\WINDOWS\system32\agsaamc.dll
2006-07-14 20:24 35 --a------ C:\WINDOWS\system32\winitn.dll
2006-07-14 20:24 2535424 --a------ C:\WINDOWS\system32\agsaamj.dll
2006-07-14 20:24 1986560 --a------ C:\WINDOWS\system32\akll.dll
2006-07-14 20:24 196608 --a------ C:\WINDOWS\system32\maag.dll
2006-07-14 20:24 1245184 --a------ C:\WINDOWS\system32\bkll.dll
2006-07-14 20:24 1212416 --a------ C:\WINDOWS\system32\ckll.dll
2006-06-22 01:13 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 01:13 1440768 --a------ C:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"WinLogon"="C:\\WINDOWS\\logon.exe"
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Services en ligne\\ponofuvyq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN\\melec.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,3e,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Assistant Internet.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Assistant Internet.lnk"
"backup"="C:\\WINDOWS\\pss\\Assistant Internet.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ASSIST~1\\bin\\matcli.exe -boot"
"item"="Assistant Internet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e6"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_e6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_e6"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_e6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Motive SmartBridge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MotiveSB"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ASSIST~1\\SMARTB~1\\MotiveSB.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms069023182254]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms069023182254"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms069023182254.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OM_Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FirstStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qnhgskgA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qnhgskgA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\qnhgskgA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ylt9076e]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w11c666f.dll,n 0049076a0000000a11c666f"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 2006-09-22 12:50:51.65
ComboFix.txt

--------------------------------------------------------------------------------------------------



VundoFix V6.1.5

Checking Java version...

Java version is 1.5.0.6

Scan started at 12:16:51 2006-09-22

Listing files found while scanning....

C:\WINDOWS\system32\igtkaixp.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\igtkaixp.exe
C:\WINDOWS\system32\igtkaixp.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\jkkjh.dll
C:\WINDOWS\System32\jkkjh.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\rwgnvobo.dll
C:\WINDOWS\SYSTEM32\rwgnvobo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\jkkjh.dll
C:\WINDOWS\System32\jkkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!

-------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:54:06, on 2006-09-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ichigo\Bureau\hijackthis\kitty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00001000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int22.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://hamoudymomo.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B1B321-4B26-4814-AAE9-55D9B23822B6}: NameServer = 206.47.244.12 67.69.184.16
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


thanks.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 22 September 2006 - 12:32 PM

Hello,

I see you were infected with the new MSN Worm. In this case, we have to remove your MSN Messenger.
You can reinstall it afterwards AFTER I say your computer is clean. Not before, because when not everything cleaned up properly, it will get reinfected again.

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. Do not run it yet.
* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {00001000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int22.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Uninstall MSN messenger via controlpanel > software > add/remove programs.

* Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\MSN Messenger <== folder
C:\WINDOWS\logon.exe
C:\WINDOWS\system32\cihfpohg.dll
C:\WINDOWS\system32\rwgnvobo.dll
C:\WINDOWS\qnhgskgA.exe
C:\912_121.exe
C:\WINDOWS\srvqukmniy.exe
C:\WINDOWS\ms069023182254.exe
C:\WINDOWS\system32\Xinstall.exe
C:\WINDOWS\system32\sprY.exe
C:\WINDOWS\system32\alfa.exe
C:\WINDOWS\system32\eieatxmy.dll
C:\WINDOWS\system32\bujdfyxh.dll
C:\WINDOWS\system32\onchtpyk.dll
C:\Program Files\MSN\melec.html
C:\Program Files\Services en ligne\ponofuvyq.html
C:\WINDOWS\system32\hjkkj.bak2
C:\Program Files\PrintView <== folder
C:\WINDOWS\system32\hjkkj.bak1
C:\Program Files\PartyPoker.net <== folder if you didn't install this, but first look if it is present in software > add/remove programs and uninstall it. Then delete the folder if still present.

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")
Hit ok below > apply in previous window.

* Still in safe mode... * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Still in Safe Mode,
  • load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido.
* Reboot your system back to normal mode.

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms069023182254]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qnhgskgA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ylt9076e]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Post the contents of the ewido-log present on your desktop and a new HiJackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Ramsez

Ramsez
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 22 September 2006 - 09:02 PM

I lost the Ewido Log, i tought i had saved it, i'm not sure if i did, and if i did i don't know where...Anyways here's the Hijack log


Logfile of HijackThis v1.99.1
Scan saved at 21:59:42, on 2006-09-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ichigo\Bureau\hijackthis\kitty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://hamoudymomo.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://fr.errorsafe.com/pages/scanner_fr/E...easeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B1B321-4B26-4814-AAE9-55D9B23822B6}: NameServer = 206.47.244.12 67.69.184.16
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thx.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 23 September 2006 - 12:32 AM

Hi,

Too bad you lost the Ewido log, because I really needed that one to see if it found all traces from this worm and removed it.
You're hijackthislog looks clean again, but I want to be sure that there aren't any leftovers present anymore.
Because the smallest leftover related with this worm can cause reinfection.

I know Kaspersky sees all traces, so let's run the Kaspersky online scan..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

Edited by miekiemoes, 23 September 2006 - 12:33 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Ramsez

Ramsez
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 24 September 2006 - 09:14 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 24, 2006 10:11:21 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/09/2006
Kaspersky Anti-Virus database records: 212874
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 82880
Number of viruses found: 32
Number of infected objects: 65 / 0
Number of suspicious objects: 10
Duration of the scan process: 01:14:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/drsmartload849a849z.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/drsmartload46a46z.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/drsmartload45a45z.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/MTE3NDI6ODoxNgnew.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Ichigo\.housecall\Quarantine\BlackBox.class-4fbc14ee-293aba32.class.bac_a01216 Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ichigo\.housecall\Quarantine\Dummy.class-393d648-57c41d4b.class.bac_a01216 Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\Ichigo\.housecall\Quarantine\shost.exe.bac_a01216 Infected: Backdoor.Win32.SdBot.aig skipped
C:\Documents and Settings\Ichigo\.housecall\Quarantine\VerifierBug.class-488fe19e-350a66f7.class.bac_a01216 Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ichigo\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ichigo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ichigo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ichigo\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ichigo\Local Settings\Historique\History.IE5\MSHist012006092420060925\index.dat Object is locked skipped
C:\Documents and Settings\Ichigo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ichigo\Mes documents\Ma musique\helm arabi 57.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Ichigo\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ichigo\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-09-23.09-17-47.log Object is locked skipped
C:\Program Files\Incomplete\Preview-T-304178-helm arabi 57.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP212\A0051430.sys Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073321.PIF Infected: Backdoor.Win32.MSNMaker.v skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073323.exe Infected: IM-Worm.Win32.VB.aj skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073324.PIF Infected: Backdoor.Win32.MSNMaker.v skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073326.exe Infected: Trojan-Dropper.Win32.PurityScan.ag skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073327.exe Infected: Trojan-Downloader.Win32.Adload.fo skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073337.exe Infected: IM-Worm.Win32.VB.aj skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073339.exe Infected: Trojan-Dropper.Win32.PurityScan.ag skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073340.exe Infected: Trojan-Downloader.Win32.Adload.fo skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073345.exe Infected: Trojan-Downloader.Win32.Adload.fg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP262\A0073346.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073412.rbf Infected: Backdoor.Win32.MSNMaker.v skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073442.exe Infected: Trojan-Downloader.Win32.Adload.fs skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073447.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073448.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073449.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073455.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073456.exe Infected: Trojan-Downloader.Win32.Adload.fk skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073457.exe Infected: Trojan-Downloader.Win32.Adload.l skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073458.exe Infected: Trojan-Downloader.Win32.Adload.l skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073459.exe Infected: Trojan-Downloader.Win32.Adload.fg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073462.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073467.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073471.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP264\A0073472.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076629.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076632.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076632.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076632.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076633.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076634.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076635.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076636.exe Infected: Trojan-Clicker.Win32.VB.is skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076638.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076639.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076640.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076641.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076642.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076643.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076644.sys Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076668.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076682.exe Infected: Trojan-Downloader.Win32.Adload.fo skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076683.exe Infected: Trojan.Win32.VB.asv skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076685.exe Infected: Trojan.Win32.VB.asu skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076825.exe Infected: Trojan-Downloader.Win32.VB.fi skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076826.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076828.exe Infected: Trojan-PSW.Win32.LdPinch.arr skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076829.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076829.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076829.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076829.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076831.exe Infected: Trojan-Dropper.Win32.PurityScan.ag skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076832.exe Infected: IM-Worm.Win32.VB.aj skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076843.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076844.exe Infected: Trojan-Downloader.Win32.Adload.fo skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076845.exe Infected: IM-Worm.Win32.VB.aj skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076846.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP268\A0076847.exe Infected: Trojan-Dropper.Win32.PurityScan.ag skipped
C:\System Volume Information\_restore{8F5D76FA-6498-45C5-B4C8-16BA99094D6D}\RP270\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\CRUXIS-9U6A54TZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd0125.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT06eca.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 24 September 2006 - 09:23 AM

Hello,

Most of what was found are in your System Restore Points. we'll deal with that afterwards.

Delete next files first:

C:\Documents and Settings\Ichigo\.housecall\Quarantine <== empty the contents of this folder
C:\Documents and Settings\Ichigo\Mes documents\Ma musique\helm arabi 57.wma
C:\Program Files\Incomplete\Preview-T-304178-helm arabi 57.wma
C:\WINDOWS\system32\i

Flush your system restore points:
To do this, you have to disable systemrestore and enable it afterwards again.
(note: this will delete all your system restore points and malware that were present in it).

How to disable system restore in XP <= click me for instructions with screenshots
After you disabled System Restore.... Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now! :thumbsup:

Let me know in your next reply how things are running now. :flowers:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Ramsez

Ramsez
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 24 September 2006 - 02:37 PM

Everything is fine, can i reinstall msn now?
well wlm...since msn just disapeared :thumbsup:

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 24 September 2006 - 02:56 PM

Yes, reinstall MSN now... and don't click links you don't know in it, because that's how you got infected.
When a friend sends a link to click, ask him what it is and if he is aware he sent it. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :flowers:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Ramsez

Ramsez
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 25 September 2006 - 06:38 PM

I'll do so, thanks a lot for your help. I really appreciate!!
You're very kind! I'll see you around!
bye bye!!
=)

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 26 September 2006 - 12:15 AM

You're welcome. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users