
Hijackthis Log: Please Help Diagnose


  • This topic is locked
11 replies to this topic

#1 rabuchon
  • Members
  • 6 posts

Posted 03 June 2007 - 10:02 PM

hi
thanks for your help

Logfile of HijackThis v1.99.1
Scan saved at 22:44:36, on 03/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer soft button\wsbklite.exe
C:\Program Files\Acer soft button\SB.exe
C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\3CX PhoneSystem\Bin\3CXMediaServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WengoPhone\qtwengophone.exe
C:\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe
C:\Program Files\3CX PhoneSystem\Bin\3CXVBMServer.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Infoserv\Apache2\bin\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\3CX PhoneSystem\Bin\3CXPhoneSystem.exe
C:\Infoserv\Apache2\bin\Apache.exe
C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\?ymantec\?poolsv.exe
D:\telechargés\hijackthis\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {99051B6D-D1DE-DC52-D906-FEADDFE82790} - C:\WINDOWS\system32\vfzdi.dll
O2 - BHO: (no name) - {A2339A9B-D1F4-4084-9EEE-B9F5CB487527} - C:\WINDOWS\system32\awtutuv.dll (file missing)
O2 - BHO: (no name) - {B3A23890-DE66-4A13-BD54-ED5B62FDC04B} - C:\WINDOWS\system32\ssttq.dll (file missing)
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Fichiers communs\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"
O4 - HKLM\..\Run: [Software Button] "C:\Program Files\Acer soft button\SB.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zuxoxiba.exe] C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvbic.dll,startup
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChkMail] èn?
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WengoPhoneNG] C:\Program Files\WengoPhone\qtwengophone.exe -b
O4 - HKCU\..\Run: [Oeer] "C:\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Esemkryh] "C:\Program Files\?ymantec\?poolsv.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://10.10.10.253/bl_camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dx8.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Fichiers communs\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: winohw32 - C:\WINDOWS\SYSTEM32\winohw32.dll
O20 - Winlogon Notify: xxyyyvs - C:\WINDOWS\SYSTEM32\xxyyyvs.dll
O23 - Service: 3CX PhoneSystem - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXPhoneSystem.exe
O23 - Service: 3CX PhoneSystem Database Server - PostgreSQL Global Development Group - C:/Program Files/3CX PhoneSystem/Bin/Pgsql/bin/pg_ctl.exe
O23 - Service: 3CX PhoneSystem Media Server - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXMediaServer.exe
O23 - Service: 3CX PhoneSystem IVR (3CXIvr) - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXIVRServer.exe
O23 - Service: 3CX PhoneSystem Web Server (3CXPhoneSystemWebServer) - Unknown owner - C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: 3CX PhoneSystem VoiceBox Manager (3CXVBoxMgr) - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXVBMServer.exe
O23 - Service: Apache2 - Unknown owner - C:\Infoserv\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client32 - Unknown owner - C:\PCDUO\client32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
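Reading a log like the one above means picking out the entries a helper would question. As an added example that is not part of this thread, the Python below parses the O2, O4 and O20 lines and applies a handful of triage heuristics I chose for the purpose (orphaned registrations, names HijackThis could not display, Run entries in user-writable or unusual places, bare filenames, long hex arguments, vowel-free DLL names). The sample entries are copied from the log above; the hits are candidates for an analyst to check, not verdicts.

```python
import re

# Constructed sample in HijackThis v1.99.1 format. The entries are copied from
# the log posted in this thread: benign Acer/Intel/Java items mixed with the
# ones the helper later had removed.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A2339A9B-D1F4-4084-9EEE-B9F5CB487527} - C:\WINDOWS\system32\awtutuv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [zuxoxiba.exe] C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Esemkryh] "C:\Program Files\?ymantec\?poolsv.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: xxyyyvs - C:\WINDOWS\SYSTEM32\xxyyyvs.dll
"""

# Line shapes handled: "O4 - HKLM\..\Run: [name] command",
# "O2 - BHO: name - {CLSID} - path" and "O20 - Winlogon Notify: name - path".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DASH_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.+?) - (?P<rest>.+)$")
# First token ending in an executable/library extension, optionally quoted,
# followed by whatever arguments remain.
CMD_RE = re.compile(
    r'^"?(?P<t>.*?\.(?:exe|dll|cpl|bat|com|scr|hta))"?(?:\s+(?P<a>.*))?$', re.I)


def split_command(cmd):
    """Separate a Run-key command into (target, arguments)."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("t"), m.group("a") or ""


def parse_entry(line):
    """Return {section, name, target, args} for an O2/O4/O20 line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":
        m4 = O4_RE.match(body)
        if not m4:
            return None
        target, args = split_command(m4.group("cmd"))
        return {"section": sec, "name": m4.group("name"), "target": target, "args": args}
    md = DASH_RE.match(body)
    if not md:
        return None
    target = md.group("rest").rsplit(" - ", 1)[-1]   # drop the CLSID on O2 lines
    return {"section": sec, "name": md.group("name"), "target": target, "args": ""}


def triage_entry(e):
    """Names of the triage rules an entry trips. Candidates for review, not verdicts."""
    hits = []
    t, low = e["target"], e["target"].lower()
    if "(file missing)" in low or "(no file)" in low:
        hits.append("orphaned_registration")   # registry still points at a deleted file
    if "?" in t:
        hits.append("undisplayable_chars")     # characters HijackThis could not render;
                                               # ?ymantec\?poolsv.exe imitates Symantec\spoolsv.exe
    if e["section"] == "O4":
        if "\\" not in t:
            hits.append("bare_filename")       # found via PATH search, real location unknown
        if low.startswith(("c:\\documents and settings\\", "c:\\docume~1\\")):
            hits.append("user_profile_dir")    # runs from a user-writable location
        if re.fullmatch(r"c:\\windows\\[^\\]+", low):
            hits.append("windows_root")        # dropped straight into %windir%, not a subfolder
        if re.search(r"\b[0-9a-f]{32,}\b", e["args"], re.I):
            hits.append("long_hex_argument")   # opaque identifier passed on the command line
    if e["section"] in ("O2", "O20"):
        stem = re.sub(r"\s*\(.*\)$", "", t).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(stem) >= 5 and stem.isalpha() and not re.search(r"[aeiou]", stem, re.I):
            hits.append("vowelless_name")      # weak hint of a generated name (xxyyyvs, ssttq)
    return hits


def triage(log_text):
    """Parse a whole log and return the entries that trip at least one rule."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and (hits := triage_entry(e)):
            findings.append({**e, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['name']:<14} {', '.join(f['rules']):<38} {f['target']}")
```

Running it on the full log in this thread (paste it into SAMPLE_LOG) lists the same files the helper later told the poster to delete, plus a few legitimate items such as AGRSMMSG.exe that the bare-filename rule cannot distinguish on its own.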


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 June 2007 - 02:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum rabuchon :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 rabuchon
  • Topic Starter
  • Members
  • 6 posts

Posted 04 June 2007 - 07:51 AM

Hi Richie,
Thank you very much for your help.
My name is Herve, from Martinique, French West Indies.

Below are the reports.

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 18:51:44 03/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtutuv.dll
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\ssttq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtutuv.dll
C:\WINDOWS\system32\awtutuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 21:44:17 03/06/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 07:47:09 2007-06-04

Listing files found while scanning....

C:\WINDOWS\system32\fggndevm.ini
C:\WINDOWS\system32\mvednggf.dll
C:\WINDOWS\system32\nmnpo.bak1
C:\WINDOWS\system32\nmnpo.ini
C:\WINDOWS\system32\opnmn.dll
C:\WINDOWS\system32\vevgfbds.dll
C:\WINDOWS\system32\xxyyyvs.dll
C:\WINDOWS\system32\ylhwgpop.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fggndevm.ini
C:\WINDOWS\system32\fggndevm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mvednggf.dll
C:\WINDOWS\system32\mvednggf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nmnpo.bak1
C:\WINDOWS\system32\nmnpo.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nmnpo.ini
C:\WINDOWS\system32\nmnpo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmn.dll
C:\WINDOWS\system32\opnmn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vevgfbds.dll
C:\WINDOWS\system32\vevgfbds.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyyyvs.dll
C:\WINDOWS\system32\xxyyyvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ylhwgpop.dll
C:\WINDOWS\system32\ylhwgpop.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 08:11:50 2007-06-04

Listing files found while scanning....

No infected files were found.

ComboFix-quarantined-files



2007-01-12 16:00	  18031	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
2007-05-01 11:35	  146432	--a------	C:\Qoobox\Quarantine\C\Program Files\Fichiers communs\Yazzle1162OinAdmin.exe.vir
2007-05-21 10:00	  228864	---------	C:\Qoobox\Quarantine\C\Program Files\YMANTE~1\?poolsv.exe
2007-06-02 23:44	  19456	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\winohw32.dll.vir
2007-06-02 23:46	  19456	--a------	C:\Qoobox\Quarantine\C\WINDOWS\avp.exe.vir
2007-06-02 23:46	  72704	---------	C:\Qoobox\Quarantine\C\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe
2007-06-03 01:33	  13444	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\a3dx8.dll.vir
2007-06-03 11:49	  11776	--a------	C:\Qoobox\Quarantine\C\WINDOWS\smgr.exe.vir
2007-06-03 22:39	  101	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\mit.bat.vir
2007-06-03 22:39	  22	--a------	C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-06-03 22:39	  40183	--a------	C:\Qoobox\Quarantine\C\Program Files\Fichiers communs\Yazzle1162OinUninstaller.exe.vir
2007-06-03 22:40	  2	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wnscpicomsv32.exe.vir
2007-06-04 08:19	  200	--a------	C:\Qoobox\Quarantine\Registry_backups\services_xpdx.reg.cf


Structure du dossier pour le volume ACER
Le numéro de série du volume est 2629-16F0
C:\QOOBOX
\---Quarantine
	+---Registry_backups
	|	   services_xpdx.reg.cf
	|	   
	\---C
		+---Program Files
		|   +---Fichiers communs
		|   |	   Yazzle1162OinAdmin.exe.vir
		|   |	   Yazzle1162OinUninstaller.exe.vir
		|   |	   
		|   +---Outerinfo
		|   |	   Terms.rtf.vir
		|   |	   
		|   \---YMANTE~1
		|		   ?poolsv.exe
		|		   
		+---WINDOWS
		|   |   avp.exe.vir
		|   |   smgr.exe.vir
		|   |   wr.txt.vir
		|   |   
		|   \---system32
		|		   wnscpicomsv32.exe.vir
		|		   mit.bat.vir
		|		   winohw32.dll.vir
		|		   a3dx8.dll.vir
		|		   
		\---DOCUME~1
			\---rv
				\---APPLIC~1
					\---CROSOF~1
						|   msiexec.exe
						|   
						\---??crosoft


Have a good day.

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 June 2007 - 08:02 AM

Hello there herve :thumbsup:

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire C:\ComboFix.txt into your next reply.

#5 rabuchon
  • Topic Starter
  • Members
  • 6 posts

Posted 04 June 2007 - 11:06 AM

Below is the new report.

"rv" - 2007-06-04 11:40:38 Service Pack 2
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\rv\Bureau\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\qljuybeb.dll
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\retadpu1000272.exe


((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))


2007-06-04 08:36 131,124 --a------ C:\WINDOWS\system32\txjfjosp.dll
2007-06-04 08:33 2,580 --a------ C:\WINDOWS\system32\gbjlcmkf.exe
2007-06-04 08:22 <REP> d-------- C:\Avenger
2007-06-04 08:16 33,302 --a------ C:\WINDOWS\system32\hgggddd.dll
2007-06-03 22:55 2,580 --a------ C:\WINDOWS\system32\xffteyac.exe
2007-06-03 22:40 60,928 --a------ C:\WINDOWS\system32\vfzdi.dll
2007-06-03 22:39 93,696 --a------ C:\WINDOWS\system32\drvbic.dll
2007-06-03 18:51 <REP> d-------- C:\VundoFix Backups
2007-06-03 17:11 <REP> d--hs---- C:\WINDOWS\CSC
2007-06-03 17:07 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-03 10:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-03 10:20 <REP> d-------- C:\Program Files\CCleaner
2007-06-03 03:30 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-03 02:52 <REP> d-------- C:\Program Files\Lavasoft
2007-06-03 02:52 <REP> d-------- C:\DOCUME~1\rv\APPLIC~1\Lavasoft
2007-06-03 01:38 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-03 01:36 <REP> d-------- C:\Program Files\Ultimate Fixer
2007-06-03 00:31 <REP> d-------- C:\DOCUME~1\rv\APPLIC~1\ArchosLink
2007-06-03 00:30 <REP> d-------- C:\Program Files\Archos
2007-06-02 23:46 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\zuxoxiba.exe
2007-06-02 23:46 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-05-31 02:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-30 07:06 <REP> d-------- C:\Program Files\Fichiers communs\Intel
2007-05-13 00:07 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-05-13 00:06 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-05-13 00:06 44,304 --a------ C:\WINDOWS\system32\msrpfs35.dll
2007-05-13 00:06 415,504 --a------ C:\WINDOWS\system32\msrepl35.dll
2007-05-13 00:06 39,424 --a------ C:\WINDOWS\system32\JETCOMP.exe
2007-05-13 00:06 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
2007-05-13 00:06 344,064 --a------ C:\WINDOWS\system32\msexch35.dll
2007-05-13 00:06 294,912 --a------ C:\WINDOWS\system32\msxbse35.dll
2007-05-13 00:06 262,144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-05-13 00:06 252,688 --a------ C:\WINDOWS\system32\msexcl35.dll
2007-05-13 00:06 250,128 --a------ C:\WINDOWS\system32\mspdox35.dll
2007-05-13 00:06 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
2007-05-13 00:06 232,448 --a------ C:\WINDOWS\system32\HDK3CT32.DLL
2007-05-13 00:06 215,040 --a------ C:\WINDOWS\system32\HDK3CTNT.DLL
2007-05-13 00:06 168,720 --a------ C:\WINDOWS\system32\msltus35.dll
2007-05-13 00:06 166,672 --a------ C:\WINDOWS\system32\mstext35.dll
2007-05-13 00:06 123,664 --a------ C:\WINDOWS\system32\msjint35.dll
2007-05-13 00:06 1,238,288 --a------ C:\WINDOWS\system32\msjt4jlt.dll
2007-05-13 00:06 1,050,896 --a------ C:\WINDOWS\system32\msjet35.dll
2007-05-13 00:06 <REP> d-------- C:\Program Files\Sony Ericsson
2007-05-13 00:06 <REP> d-------- C:\Program Files\Intuwave Ltd
2007-05-11 11:27 <REP> d-------- C:\WINDOWS\system32\LogFiles


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 15:45:10 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-05-31 20:49:14 73,004 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-05-31 20:49:14 463,644 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-02 19:15:10 -------- d-----w C:\Program Files\QuickTime
2007-04-23 00:15:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:36 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:34 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:32 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:32 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:32 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:48 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 00:01:48 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-16 02:03:30 -------- d-----w C:\Program Files\3CX Phone
2007-04-16 02:03:30 -------- d-----w C:\Program Files\3CX
2007-04-16 01:52:18 -------- d-----w C:\Program Files\3CX PhoneSystem
2007-04-11 17:29:56 -------- d-----w C:\Program Files\iPod
2007-04-11 17:29:52 -------- d-----w C:\Program Files\iTunes
2007-03-27 07:55:32 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:32 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:32 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{54CBB12C-3481-4C5D-942D-4976C0F0A406}=C:\WINDOWS\system32\hgggddd.dll [2007-06-04 08:16]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{99051B6D-D1DE-DC52-D906-FEADDFE82790}=C:\WINDOWS\system32\vfzdi.dll [2007-05-21 09:59]
{A2339A9B-D1F4-4084-9EEE-B9F5CB487527}=C:\WINDOWS\system32\awtutuv.dll []
{B3A23890-DE66-4A13-BD54-ED5B62FDC04B}=C:\WINDOWS\system32\ssttq.dll []
{E2DD5CF6-ECC3-483F-AD53-58C4B1CCCB55}=C:\WINDOWS\system32\opnmn.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="C:\Program Files\Fichiers communs\microsoft shared\ink\tabtip.exe" [2004-08-04 14:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 16:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 16:44]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2003-05-12 14:28]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2003-07-25 14:04]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-07-25 14:58]
"LMgrOSD"="C:\Program Files\Launch Manager\OSD.exe" [2003-06-25 10:53]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2003-09-12 15:24]
"Wise Backlight"="C:\Program Files\Acer soft button\wsbklite.exe" [2004-01-16 14:53]
"Software Button"="C:\Program Files\Acer soft button\SB.exe" [2004-01-28 14:25]
"RemoteControl"="C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 11:52]
"AcerNotebookManager"="C:\Program Files\Acer\Notebook Manager\almxptray.exe" [2003-08-19 11:21]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2002-11-25 10:23]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-05 14:00 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2006-08-04 09:46]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2007-03-24 22:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"zuxoxiba.exe"="C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe" [2007-06-02 23:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00]
"ChkMail"="èn?" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"WengoPhoneNG"="C:\Program Files\WengoPhone\qtwengophone.exe" [2006-12-11 05:43]
"Oeer"="C:\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe" []
"Esemkryh"="C:\Program Files\?ymantec\?poolsv.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"360SCProgram"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=%windir%\help\wizard.hta

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A2339A9B-D1F4-4084-9EEE-B9F5CB487527}"="C:\WINDOWS\system32\awtutuv.dll" []
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{54CBB12C-3481-4C5D-942D-4976C0F0A406}"="C:\WINDOWS\system32\hgggddd.dll" [2007-06-04 08:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggddd]
hgggddd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83a56050-6f8d-11db-997d-000e358e591a}]
AutoRun\command- F:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2007-05-30 12:24:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 June 2007 - 11:49 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\txjfjosp.dll
C:\WINDOWS\system32\gbjlcmkf.exe
C:\WINDOWS\system32\hgggddd.dll
C:\WINDOWS\system32\xffteyac.exe
C:\WINDOWS\system32\vfzdi.dll
C:\WINDOWS\system32\drvbic.dll
C:\WINDOWS\system32\sysmon32.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\zuxoxiba.exe
C:\WINDOWS\system32\winsys64.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.


#7 rabuchon
  • Topic Starter
  • Members
  • 6 posts

Posted 04 June 2007 - 03:46 PM

Hi Richie, the PC seems to be better.
See below the reports.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ffmqfrkm

*******************

Script file located at: \??\C:\WINDOWS\system32\xvdubhgd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\txjfjosp.dll deleted successfully.
File C:\WINDOWS\system32\gbjlcmkf.exe deleted successfully.
File C:\WINDOWS\system32\hgggddd.dll deleted successfully.
File C:\WINDOWS\system32\xffteyac.exe deleted successfully.
File C:\WINDOWS\system32\vfzdi.dll deleted successfully.
File C:\WINDOWS\system32\drvbic.dll deleted successfully.
File C:\WINDOWS\system32\sysmon32.exe deleted successfully.
File C:\DOCUME~1\ALLUSE~1\APPLIC~1\zuxoxiba.exe deleted successfully.
File C:\WINDOWS\system32\winsys64.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of HijackThis v1.99.1

Scan saved at 16:38, on 2007-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer soft button\wsbklite.exe
C:\Program Files\Acer soft button\SB.exe
C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WengoPhone\qtwengophone.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\3CX PhoneSystem\Bin\3CXMediaServer.exe
C:\Program Files\3CX PhoneSystem\Bin\3CXIVRServer.exe
C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe
C:\Program Files\3CX PhoneSystem\Bin\3CXVBMServer.exe
C:\Infoserv\Apache2\bin\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\3CX PhoneSystem\Bin\3CXPhoneSystem.exe
C:\Infoserv\Apache2\bin\Apache.exe
C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Sony Ericsson\Mobile\SyncIndicator.exe
D:\telechargés\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\hgggddd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {99051B6D-D1DE-DC52-D906-FEADDFE82790} - C:\WINDOWS\system32\vfzdi.dll (file missing)
O2 - BHO: (no name) - {A2339A9B-D1F4-4084-9EEE-B9F5CB487527} - C:\WINDOWS\system32\awtutuv.dll (file missing)
O2 - BHO: (no name) - {B3A23890-DE66-4A13-BD54-ED5B62FDC04B} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {E2DD5CF6-ECC3-483F-AD53-58C4B1CCCB55} - C:\WINDOWS\system32\opnmn.dll (file missing)
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Fichiers communs\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"
O4 - HKLM\..\Run: [Software Button] "C:\Program Files\Acer soft button\SB.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zuxoxiba.exe] C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChkMail] èn?
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WengoPhoneNG] C:\Program Files\WengoPhone\qtwengophone.exe -b
O4 - HKCU\..\Run: [Oeer] "C:\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Esemkryh] "C:\Program Files\?ymantec\?poolsv.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://10.10.10.253/bl_camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: hgggddd - hgggddd.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Fichiers communs\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: 3CX PhoneSystem - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXPhoneSystem.exe
O23 - Service: 3CX PhoneSystem Database Server - PostgreSQL Global Development Group - C:/Program Files/3CX PhoneSystem/Bin/Pgsql/bin/pg_ctl.exe
O23 - Service: 3CX PhoneSystem Media Server - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXMediaServer.exe
O23 - Service: 3CX PhoneSystem IVR (3CXIvr) - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXIVRServer.exe
O23 - Service: 3CX PhoneSystem Web Server (3CXPhoneSystemWebServer) - Unknown owner - C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: 3CX PhoneSystem VoiceBox Manager (3CXVBoxMgr) - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXVBMServer.exe
O23 - Service: Apache2 - Unknown owner - C:\Infoserv\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client32 - Unknown owner - C:\PCDUO\client32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
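
A short triage script for the log just posted, added here as an example and not code from HijackThis, BleepingComputer or anyone in this thread. It encodes the signals a log reader uses to pick out the entries worth fixing: hooks whose file is gone, Run entries launched from user-writable folders, values that are not a command at all, unrepresentable or non-ASCII characters in a path, and well-known system file names living outside the Windows directory. The sample lines are copied from the log above plus two benign ones; the rule names and thresholds are my own choices.

```python
"""Triage of HijackThis 1.99.1 log entries (added example, not HijackThis' own code)."""
import re

# Names that belong in the Windows directory; the same name elsewhere is a classic disguise.
SYSTEM_NAMES = {"msiexec.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "services.exe"}
# Lower-cased markers of user-writable locations (8.3 short names included, as HJT prints them).
USER_WRITABLE = ("application data", "applic~1", "documents and settings",
                 "docume~1", "local settings", "locals~1", "\\temp\\")

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|cpl|dll|scr|bat|com|lnk))", re.IGNORECASE)

# Constructed sample: lines copied from the log posted above, plus two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\hgggddd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zuxoxiba.exe] C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ChkMail] èn?
O4 - HKCU\..\Run: [Oeer] "C:\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Esemkryh] "C:\Program Files\?ymantec\?poolsv.exe"
O20 - Winlogon Notify: hgggddd - hgggddd.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def run_target(body):
    """Extract the launched path from an O4 entry body; '' if there is none."""
    if "]" in body:                       # 'HKLM\..\Run: [Name] command'
        value = body.split("]", 1)[1].strip()
    elif " = " in body:                   # 'Global Startup: X.lnk = path'
        value = body.split(" = ", 1)[1].strip()
    else:
        return ""
    if value.startswith('"'):             # quoted path, possibly followed by arguments
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = EXE_RE.match(value)               # unquoted: take up to the first executable extension
    return m.group(1) if m else value


def triage(log_text):
    """Return a list of {'section', 'line', 'reasons'} for entries that deserve a look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("hook points at a file that no longer exists")
        if section == "O4":
            target = run_target(body)
            low = target.lower()
            if not any(c in low for c in "\\%") and not EXE_RE.match(low):
                reasons.append("Run value is not a recognisable command")
            if "?" in target or any(ord(c) > 127 for c in target):
                reasons.append("unrepresentable or non-ASCII characters in path")
            if any(marker in low for marker in USER_WRITABLE):
                reasons.append("launched from a user-writable data or temp folder")
            base = low.replace("/", "\\").rsplit("\\", 1)[-1]
            if base in SYSTEM_NAMES and "\\windows\\" not in low:
                reasons.append(f"system file name '{base}' outside the Windows directory")
        if reasons:
            findings.append({"section": section, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run on the sample it reports seven entries: the three missing-file hooks, the Run entry under Application Data, the `ChkMail` value that is not a command, `msiexec.exe` under a user profile, and the `?ymantec` path, while the iTunes and `UserFaultCheck` lines pass. A "(file missing)" hook is usually the leftover of something already removed and is harmless by itself, but it is still worth clearing so a later log reads clean.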

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 05 June 2007 - 05:54 AM

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\hgggddd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {99051B6D-D1DE-DC52-D906-FEADDFE82790} - C:\WINDOWS\system32\vfzdi.dll (file missing)
O2 - BHO: (no name) - {A2339A9B-D1F4-4084-9EEE-B9F5CB487527} - C:\WINDOWS\system32\awtutuv.dll (file missing)
O2 - BHO: (no name) - {B3A23890-DE66-4A13-BD54-ED5B62FDC04B} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {E2DD5CF6-ECC3-483F-AD53-58C4B1CCCB55} - C:\WINDOWS\system32\opnmn.dll (file missing)
O4 - HKLM\..\Run: [zuxoxiba.exe] C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
O4 - HKCU\..\Run: [ChkMail] èn?
O4 - HKCU\..\Run: [Oeer] "C:\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Esemkryh] "C:\Program Files\?ymantec\?poolsv.exe"
O20 - Winlogon Notify: hgggddd - hgggddd.dll (file missing)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.


#9 rabuchon

rabuchon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 05 June 2007 - 10:07 AM

ritchie, the system seems to be well


Logfile of HijackThis v1.99.1
Scan saved at 10:57, on 2007-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer soft button\wsbklite.exe
C:\Program Files\Acer soft button\SB.exe
C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WengoPhone\qtwengophone.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\3CX PhoneSystem\Bin\3CXMediaServer.exe
C:\Program Files\3CX PhoneSystem\Bin\3CXIVRServer.exe
C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe
C:\Program Files\3CX PhoneSystem\Bin\3CXVBMServer.exe
C:\Infoserv\Apache2\bin\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Infoserv\Apache2\bin\Apache.exe
C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\3CX PhoneSystem\Bin\3CXPhoneSystem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Sony Ericsson\Mobile\SyncIndicator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\Program Files\3CX\3CX Phone\3CX Phone.exe
D:\telechargés\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Fichiers communs\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"
O4 - HKLM\..\Run: [Software Button] "C:\Program Files\Acer soft button\SB.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\SYSINFO\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WengoPhoneNG] C:\Program Files\WengoPhone\qtwengophone.exe -b
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://10.10.10.253/bl_camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{517A811D-0FEB-47DC-B7A5-9FAD6F4888D8}: NameServer = 213.188.172.1,213.16.20.3,193.252.19.3,193.252.19.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Fichiers communs\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: 3CX PhoneSystem - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXPhoneSystem.exe
O23 - Service: 3CX PhoneSystem Database Server - PostgreSQL Global Development Group - C:/Program Files/3CX PhoneSystem/Bin/Pgsql/bin/pg_ctl.exe
O23 - Service: 3CX PhoneSystem Media Server - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXMediaServer.exe
O23 - Service: 3CX PhoneSystem IVR (3CXIvr) - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXIVRServer.exe
O23 - Service: 3CX PhoneSystem Web Server (3CXPhoneSystemWebServer) - Unknown owner - C:\Program Files\3CX PhoneSystem\Bin\Apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: 3CX PhoneSystem VoiceBox Manager (3CXVBoxMgr) - 3CX Software Ltd. - C:\Program Files\3CX PhoneSystem\Bin\3CXVBMServer.exe
O23 - Service: Apache2 - Unknown owner - C:\Infoserv\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client32 - Unknown owner - C:\PCDUO\client32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------


+ Créé à: 09:21 2007-06-05

+ Résultat de l'analyse:



C:\QooBox\Quarantine\C\Program Files\YMANTE~1\ѕpoolsv.exe -> Adware.PurityScan : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036370.dll -> Adware.PurityScan : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP288\A0036585.dll -> Adware.PurityScan : Nettoyé et sauvegardé (mise en quarantaine).
C:\avenger\backup.zip/avenger/vfzdi.dll -> Adware.PurityScan : Nettoyé et sauvegardé (mise en quarantaine).
C:\Program Files\Ultimate Fixer -> Adware.RogueSuspect : Nettoyé et sauvegardé (mise en quarantaine).
HKU\S-1-5-21-960723001-1635341918-3780304778-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -> Adware.RogueSuspect : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036326.dll -> Adware.Virtumonde : Nettoyé et sauvegardé (mise en quarantaine).
C:\VundoFix Backups\awtutuv.dll.bad -> Adware.Virtumonde : Nettoyé et sauvegardé (mise en quarantaine).
C:\QooBox\Quarantine\C\WINDOWS\retadpu1000272.exe.vir -> Downloader.Agent.bls : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP288\A0036547.exe -> Downloader.Agent.bls : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\2DNN6Z8T\xzc37[1].exe -> Downloader.Agent.brf : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\QYI2ODS4\xc23[1].exe -> Downloader.Alphabet : Nettoyé et sauvegardé (mise en quarantaine).
C:\QooBox\Quarantine\C\WINDOWS\smgr.exe.vir -> Downloader.Alphabet : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036128.exe -> Downloader.Alphabet : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036132.exe -> Downloader.Alphabet : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036253.EXE -> Downloader.Alphabet : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036457.exe -> Downloader.Alphabet : Nettoyé et sauvegardé (mise en quarantaine).
C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir -> Downloader.Alphabet.b : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036456.exe -> Downloader.Alphabet.b : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temp\agent16.exe -> Downloader.Alphabet.c : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temp\looksys.exe -> Downloader.Alphabet.c : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036387.exe -> Downloader.Alphabet.c : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036444.exe -> Downloader.Alphabet.c : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP288\A0036587.exe -> Downloader.Alphabet.c : Nettoyé et sauvegardé (mise en quarantaine).
C:\avenger\backup.zip/avenger/sysmon32.exe -> Downloader.Alphabet.c : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\M9AH21MB\!update-4395[1].0000 -> Downloader.PurityScan.ee : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\QB6RF8SM\xc42[1].exe -> Downloader.PurityScan.eg : Nettoyé et sauvegardé (mise en quarantaine).
C:\QooBox\Quarantine\C\Program Files\Fichiers communs\Yazzle1162OinAdmin.exe.vir -> Downloader.PurityScan.eg : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036449.exe -> Downloader.PurityScan.eg : Nettoyé et sauvegardé (mise en quarantaine).
C:\QooBox\Quarantine\C\DOCUME~1\rv\APPLIC~1\CROSOF~1\msiexec.exe -> Downloader.PurityScan.ej : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036105.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Cookies\rv@adbrite[2].txt -> TrackingCookie.Adbrite : Nettoyé.
C:\Documents and Settings\rv\Cookies\rv@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Nettoyé.
C:\Documents and Settings\rv\Cookies\rv@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Nettoyé.
C:\Documents and Settings\rv\Cookies\rv@findwhat[1].txt -> TrackingCookie.Findwhat : Nettoyé.
:mozilla.11:C:\Documents and Settings\rv\Application Data\Mozilla\Firefox\Profiles\z3uzhu39.default\cookies.txt -> TrackingCookie.Paypal : Nettoyé.
C:\Documents and Settings\rv\Cookies\rv@www.paypal[1].txt -> TrackingCookie.Paypal : Nettoyé.
C:\Documents and Settings\rv\Cookies\rv@realmedia[1].txt -> TrackingCookie.Realmedia : Nettoyé.
:mozilla.21:C:\Documents and Settings\rv\Application Data\Mozilla\Firefox\Profiles\z3uzhu39.default\cookies.txt -> TrackingCookie.Tribalfusion : Nettoyé.
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP288\A0036582.exe -> Trojan.Agent.anr : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP288\A0036584.exe -> Trojan.Agent.anr : Nettoyé et sauvegardé (mise en quarantaine).
C:\WINDOWS\system32\yibembbr.exe -> Trojan.Agent.anr : Nettoyé et sauvegardé (mise en quarantaine).
C:\avenger\backup.zip/avenger/gbjlcmkf.exe -> Trojan.Agent.anr : Nettoyé et sauvegardé (mise en quarantaine).
C:\avenger\backup.zip/avenger/xffteyac.exe -> Trojan.Agent.anr : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\M9AH21MB\xc29[1].exe -> Trojan.Agent.qt : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP288\A0036586.dll -> Trojan.Agent.qt : Nettoyé et sauvegardé (mise en quarantaine).
C:\avenger\backup.zip/avenger/drvbic.dll -> Trojan.Agent.qt : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\M9AH21MB\xc60[1].exe -> Trojan.Dialer.qn : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\rv\Local Settings\Temporary Internet Files\Content.IE5\QB6RF8SM\antzom[1].exe -> Trojan.Dialer.qn : Nettoyé et sauvegardé (mise en quarantaine).
C:\QooBox\Quarantine\C\WINDOWS\system32\wnscpicomsv32.exe.vir -> Trojan.Small : Nettoyé et sauvegardé (mise en quarantaine).
C:\System Volume Information\_restore{2590CCFE-9B70-47B0-8FA0-6993C06E5B22}\RP287\A0036454.exe -> Trojan.Small : Nettoyé et sauvegardé (mise en quarantaine).


Fin du rapport
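
The two verification steps in this thread, checking the Avenger output against its script and the follow-up HijackThis log against the list of entries the helper asked to be fixed, as an added example that is not code from the forum, Avenger or HijackThis. The sample script, Avenger output and log lines are copied from the posts above; the Avenger output deliberately leaves out the confirmation for one file so the failure path is exercised, and the diff of what was removed or newly appeared between two logs is my own addition.

```python
"""Post-cleanup verification for Avenger scripts and HijackThis fix lists (added example)."""
import re

# Constructed samples, copied from the posts above. The Avenger output deliberately
# omits the confirmation for the third file so the unconfirmed case is visible.
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\txjfjosp.dll
C:\WINDOWS\system32\gbjlcmkf.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\zuxoxiba.exe
"""
AVENGER_OUTPUT = r"""
Beginning to process script file:

File C:\WINDOWS\system32\txjfjosp.dll deleted successfully.
File C:\WINDOWS\system32\gbjlcmkf.exe deleted successfully.

Completed script processing.
"""
REQUESTED_FIXES = r"""
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\hgggddd.dll (file missing)
O4 - HKLM\..\Run: [zuxoxiba.exe] C:\Documents and Settings\All Users\Application Data\zuxoxiba.exe
O20 - Winlogon Notify: hgggddd - hgggddd.dll (file missing)
"""
LOG_BEFORE = REQUESTED_FIXES + r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

DELETED_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
HJT_ENTRY_RE = re.compile(r"^[RFO]\d+ - ")


def script_files(script_text):
    """Paths listed under the 'Files to delete:' header of an Avenger script."""
    paths, in_files = [], False
    for line in script_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header, e.g. 'Files to delete:'
            in_files = line.lower() == "files to delete:"
            continue
        if in_files:
            paths.append(line)
    return paths


def avenger_check(script_text, output_text):
    """Split the script's paths into (confirmed, unconfirmed) using Avenger's output."""
    confirmed = set()
    for line in output_text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            confirmed.add(m.group("path").lower())   # NTFS paths compare case-insensitively
    wanted = script_files(script_text)
    ok = [p for p in wanted if p.lower() in confirmed]
    missing = [p for p in wanted if p.lower() not in confirmed]
    return ok, missing


def hjt_entries(log_text):
    """The set of HijackThis result lines (R0/R1/O2/O4/... entries) in a log."""
    return {l.strip() for l in log_text.splitlines() if HJT_ENTRY_RE.match(l.strip())}


def hjt_fix_check(requested_text, before_text, after_text):
    """Compare a fix list against the logs taken before and after it was applied."""
    requested = hjt_entries(requested_text)
    before, after = hjt_entries(before_text), hjt_entries(after_text)
    return {
        "still_present": sorted(requested & after),    # fixes that did not take
        "not_in_before": sorted(requested - before),   # asked to fix something the old log never showed
        "removed": sorted(before - after),
        "appeared": sorted(after - before),            # new entries to review in the next pass
    }


if __name__ == "__main__":
    ok, missing = avenger_check(AVENGER_SCRIPT, AVENGER_OUTPUT)
    print("confirmed:", len(ok), "unconfirmed:", missing)
    for key, lines in hjt_fix_check(REQUESTED_FIXES, LOG_BEFORE, LOG_AFTER).items():
        print(key, lines)
```

On the sample the Avenger check reports two confirmed deletions and one unconfirmed path, and the HijackThis check shows all three requested entries gone, nothing still present, and one new `UserFaultCheck` entry that appeared between the two logs, which is exactly the kind of line a helper wants to look at on the next round rather than assume.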

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 05 June 2007 - 10:33 AM

Find and delete:

VundoFix.exe
Combofix
Avenger

C:\Avenger
C:\QooBox
C:\VundoFix Backups

Also delete this folder if present:
C:\Program Files\Ultimate Fixer

************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

************************

Your log is clean rabuchon :thumbsup:
If all's OK, please do the following:

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#11 rabuchon

rabuchon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 05 June 2007 - 02:05 PM

hello ritchie
thank you very much for your help
everything seems to be ok!!!
i would like to make a donation, but not with paypal
is there another way?
best regards
hervé

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 05 June 2007 - 02:52 PM

You're welcome hervé :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.