Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adware Malware : Ultimate Cleaner ?


  • Please log in to reply
14 replies to this topic

#1 millot

millot

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 18 October 2006 - 08:47 AM

I was supposed to be protected by Spyware Doctor (Pc tools)
Suddenly a pop up window had open warning me about corrupted register.
That window use the microsoft colors and style.
I clicked to accept that proposal... and got an internet page proposal to buy an unknown antivirus program.
I realised my mistake and then tried to run a scan with Spyware Doctor, but it keeps freezing at mid work.
So I run <ATF Cleaner><Ad-aware SE><AVG Anti-Spyware><a-squared><Spybot > and <online Trend-Housecall>.... they did find an "clean" several Trojans, Malwares and nasty cookies.
But it was impossible to process online Panda activescan (freezing at first registration window),
and now even Trend-Housecall shows an error message.
I also tried to install a Norton AV cd and installation fail !!!
I downloaded and installed the last version of Spyware Doctor (Pc tools) to replace my corrupted one but now it refuses to run at all. even with my Agnitum Outpost Firewall disabled.

Anyway the scams warning are still poping when I open Internet Explorer.
A name is displayed on one of it : "Ultimate Defender"
An unwanted sub-directory has been added into Program Filesm named: "Ultimate Cleaner"

Names of removed spywares :
PSGuard, Alexa, AzeSearch, CoolWWWsearch, NoAdware, Smithfraud-c, SpySheriff, Teslaplus.com, Tibs.mc, TNS-search, Java-Byserver.ac, Renos.iu, Troy-Dosky.

Thank for help
Eric

----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:18:12 PM, on 10/15/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Micro Application\SuperZip\ZTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
C:\WINNT\Dit.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\Desktop\TOOLS\anti-spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {573C0B21-EFA5-58FA-24F5-06F6187D3C98} - C:\WINNT\System32\tvxgnyb.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ZGTray] C:\Program Files\Micro Application\SuperZip\ZTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wpdhwwh.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\wpdhwwh.dll,pdfqqh
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 19 October 2006 - 05:40 PM

It is useless to try and clean your system until you get Sp4

http://www.microsoft.com/windows2000/downl...p4/default.mspx

Edited by MFDnSC, 19 October 2006 - 05:40 PM.

"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 October 2006 - 07:32 AM

Dear MFDnSC,
I did download SP4 from microsoft, but several attempt of instalation had all failled.
Error message says : "The system cannot find the file specified"
I also tried the proposed Express instalation with same result.

Same story while trying to install Avast-antivirus or bifender.

My only recent success was to (at last!) be able to run a full online scan with Trend-Housecall.
But this one found no virus nothing to warry about according to him.

I am sure the malware file is controling those problems.

So whwt could be my next step ?

Regards

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 October 2006 - 08:34 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {573C0B21-EFA5-58FA-24F5-06F6187D3C98} - C:\WINNT\System32\tvxgnyb.dll

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [wpdhwwh.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\wpdhwwh.dll,pdfqqh

O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)

O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
=========
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Firebird Guardian Service

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.


Repeat for - Firebird Server
========
DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\System32\tvxgnyb.dll
C:\WINNT\System32\wpdhwwh.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 October 2006 - 12:25 PM

For sure C:\WINNT\System32\tvxgnyb.dll
and
[wpdhwwh.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\wpdhwwh.dll,pdfqqh
are nasty files because totaly unknown on internet !

O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
..... remains after I had uninstall that program more than a year ago.

but
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
should be my IBM ThinPad PC explanation tour ... ?
I have a dedicated key on my board.
Can I keep this one for now ?

I did print your technical rules and will run them tonight because I have to go out now.

You will see my results this night or tomorrrow Saturday morning.

regards
Eric

#6 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 October 2006 - 01:58 PM

Finally I came back earlier.
I run everything as said.
Only a small difference on "Services Status" the "Stop" button was unavailable because said already "stopped". So I still apply and "ok" for the 2 "Firebird" files .

Then I tried to install SP4 from microsoft, but same result as yersterday:
Error message says : Extraction failed "The system cannot find the file specified".
The missing file seems to be c:\i386\update\update.exe

Then Avast-antivirus installation failed also.

I Also tried to run my already installed "Spyware Doctor" but it did'nt start.


So I can understand that I am not saved as yet.

Regards

------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:34:48 PM, on 10/20/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Micro Application\SuperZip\ZTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
C:\WINNT\Dit.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HijackThis\HiScanjackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {573C0B21-EFA5-58FA-24F5-06F6187D3C98} - C:\WINNT\System32\tvxgnyb.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ZGTray] C:\Program Files\Micro Application\SuperZip\ZTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wpdhwwh.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\wpdhwwh.dll,pdfqqh
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#7 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 October 2006 - 02:17 PM

I see that :
O2 - BHO: (no name) - {573C0B21-EFA5-58FA-24F5-06F6187D3C98} - C:\WINNT\System32\tvxgnyb.dll

O4 - HKLM\..\Run: [wpdhwwh.dll] C:\WINNT\System32\rundll32.exe C:\WINNT\System32\wpdhwwh.dll,pdfqqh

O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)

...... are still there !!!! how come ?
Do I have to do it again ?
While using Hijackthis I was not in "safe mode" because you request that only after downloading KillBox.exe.
Is that a possibility that erasing had failed ?

I wait for your advice ...

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 October 2006 - 03:05 PM

Do my instructions again - disable MS Antispy's realtime protection

That program is outdated also get Defender

MS Windows Defender - http://www.microsoft.com/downloads/details...;displaylang=en (XP and W2K only)
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 21 October 2006 - 03:52 PM

Hi,
Now my PC improoved a lot !
- Aparently there is no more "unfare Pop-up" of false warnings when I surf internet.
- PC runs fast.
- Openning several windows together is OK again.

But I still have the following problems:
- Fail to install "Microsoft SP4" (online or not)
- Fail to install "Avast anti-virus"
- Fail to re-install "Spyware Doctor"
- Fail to run online "Trend virus scanner" (Problem with my ActiveX ?)
- Fail to run online "Panda virus scanner" (Problem with my ActiveX ?)
- Fail to run "PC-Doctor for window"

On my Firewall report I can see that on "DNS cache" there are calls to unwanted URL.

I have "ewido anti-spyware", do I need "MS window Defender" too ?

See below my Log reports:
- Report Number 1 = HijackThis
- Report Number 2 = StartupList
- Report Number 3 = SmitFraudFix (under safe mode)

So what to do now ?

Regards

==================================================
Report Number 1 = HijackThis
==================================================
Logfile of HijackThis v1.99.1
Scan saved at 3:42:04 PM, on 10/21/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Micro Application\SuperZip\ZTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
C:\WINNT\Dit.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HijackThis\HiScanjackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ZGTray] C:\Program Files\Micro Application\SuperZip\ZTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



-------------------------------------------------
Those one noted below look abnormal isn't it ?
-------------------------------------------------
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)



==================================================
Report Number 2 = StartupList
==================================================

StartupList report, 10/21/2006, 3:06:49 PM
StartupList version: 1.52
Started from : C:\HijackThis\StartupList.EXE
Detected: Windows 2000 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Micro Application\SuperZip\ZTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
C:\WINNT\Dit.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\HijackThis\HiScanjackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HijackThis\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TrackPointSrv = tp4serv.exe
LTWinModem1 = ltmsg.exe 9
SoundFusion = RunDll32 cwcprops.cpl,CrystalControlWnd
tourpath = regedit /s c:\winnt\tour.reg
Synchronization Manager = mobsync.exe /logon
TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
TpHotkey = C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
PRPCMonitor = PRPCUI.exe
ZGTray = C:\Program Files\Micro Application\SuperZip\ZTray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Ulead AutoDetector = C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
Dit = Dit.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
WG511WLU = C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
Outpost Firewall = C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
Gadwin PrintScreen 2.6 = C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - (no file) - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Spybot - Search & Destroy - Scheduled Task.job

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/d/4...0367/wmavax.CAB

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?LinkID=39204

[Trend Micro ActiveX Scan Agent 6.5]
InProcServer32 = C:\WINNT\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,979 bytes
Report generated in 0.050 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


==================================================
Report Number 3 = SmitFraudFix
==================================================
SmitFraudFix v2.110

Scan done at 15:31:51.09, Sat 10/21/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 21 October 2006 - 04:18 PM

No those are OK - log looks good

BUT!!

You have no active AntiVirus!

Get the free AVG 7 install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 22 October 2006 - 04:48 AM

I Know I don't have a real antiVirus
I just run "Ewido-spyware" former name of the actual "AVG 7"

As I told you, since I got hit by a malware few days ago,
my PC don't accept any final downloading process.
An error message says something like "Unable to find file specifided".

- Fail to install "Microsoft SP4" (online or not)
- Fail to install "Avast anti-virus"
- Fail to re-install "Spyware Doctor"
- Fail to run online "Trend virus scanner" (is it an ActiveX ?)
- Fail to run online "Panda virus scanner" (is it an ActiveX ?)
- Fail to run "PC-Doctor for window"

There must be some wrong setting somewhere on my PC !
- is it a forbiden access ?
- is it a missing file ?

I have no clue to this question.
Do you have any idea ?

#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 22 October 2006 - 09:20 AM

Ewido was bought by AVG so it is now AVG AS 7.5 - not to be confused with the AVG AntiVirus product that I linked

Do you have your W2K CD - start - run - sfc /scannow
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#13 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 23 October 2006 - 11:37 AM

Hi again,
To solve my downloading problem I decided to use my "configsafe" to restore the system to prior the infection.
It works nice so I was able to install:
- SP 4 (microsoft)
- Avast antivirus
- A-Squared (anti trojan)

When I run Avast. It found the virus "PSKAVS.DLL" but this is not a virus, it is a file related to PANDA active scan.
To be sure I run 3 other online antivirus : Trend, Panda, Karpesky.
..... Karpesky found "dumphive.exe" but again this is not a virus, it is one of the files to run "SmithfraudFix".

So now, please check the report below to proceed to a final cleaning.

Regards,

Eric

-----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:09:05 PM, on 10/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Micro Application\SuperZip\ZTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
C:\WINNT\Dit.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\DitExp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Administrator\Desktop\anti-spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ZGTray] C:\Program Files\Micro Application\SuperZip\ZTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe

#14 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 25 October 2006 - 11:05 AM

looks fine
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#15 millot

millot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 25 October 2006 - 12:56 PM

OK then,
many thanks for your help.

Eric




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users