

Still Infected Or Something Else Wrong?


35 replies to this topic

#1 Genla
  • Members
  • 26 posts

Posted 11 July 2007 - 06:02 PM

I explored this site I found when searching for help.

I read the advice I found on various pages.

I ran Spybot, ad-aware, super anti spyware, bitdefender, McAfee Stinger, multivirus cleaner + CCleaner. They found and killed the malware (bmgenkji) that had me search for help in the first place, plus several other ones that I was absolutely not aware of.

The PC works better now (starts right away, more stable, doesn't freeze).

Two problems remain:

- I cannot save under Word. As soon as I hit the save button, I get an error message that says Word had a problem in "unknown" and it is going to shut down. I noticed that if I save directly on my flash drive, it works. But if Word does its automatic saving, it still shuts down.

- I have trouble installing my new antivirus (antivirus firewall). Sometimes the installation procedure freezes. Sometimes it is successful, but then, there is no connection to the internet available.

My operating system is Windows Me.

Can somebody tell me what is wrong? Is there some other infection or is this something else?

Below is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:28:48, on 12/07/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\WANADOO\SEARCH~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: Š{A_∆{A_
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [MezAnivs] C:\MES DOCUMENTS\MEZANIV.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
O4 - HKLM\..\Run: [clcl11] C:\WINDOWS\SYSTEM\clcl11.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe" (User 'Default user')
O4 - .DEFAULT Startup: EPSON Status Monitor 3.2 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE (User 'Default user')
O4 - Startup: EPSON Status Monitor 3.2 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: Interface Chat Wanadoo - http://chat10.x-echo.com/version3/Applet/wchatsign.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...066/mcfscan.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

--
End of file - 6448 bytes


#2 DaveM59
    Bleepin' Grandpa
  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 18 July 2007 - 10:01 PM

Hello Genla,

Sorry for the delay in responding, this forum is very busy right now.

- I have trouble installing my new antivirus (antivirus firewall). Sometimes the installation procedure freezes. Sometimes it is successful, but then, there is no connection to the internet available.


What is the firewall you are trying to install? Is this a security suite that includes an antivirus program as well as a firewall? You need both.

If you cannot install the antivirus or firewall you want, please consider trying to install AVGFree. It works under Windows ME. It is available for download here:

http://www.download.com/3000-2239_4-10703202.html

For a firewall, consider the Sygate firewall, available here:

http://www.simtel.net/product.php?id=53687

This is an older version but it is free and it works with Windows ME.

Please install an antivirus and firewall immediately. Until you do this, your computer is wide open to more infections.

You still have some malware on your computer. What follows are steps for removing it.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: Š{A_∆{A_
O4 - HKLM\..\Run: [clcl11] C:\WINDOWS\SYSTEM\clcl11.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

3. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

4. Double Click My Computer to open Windows Explorer, then please navigate to and delete this file (if present):

C:\WINDOWS\SYSTEM\clcl11.exe

When you are finished, please reboot the computer normally.

Please run a new HijackThis scan and post the log to a reply here. Also tell me whether you were able to install the antivirus and firewall programs (either the ones I recommended or the ones you were trying to install before).


Dave
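A way to mechanise the triage Dave does by hand above (dangling "(no file)" entries, the garbled O1 hosts line, an autorun that names a file a scanner already reported) and to compare the first log against a later one, as an added example that is not part of this thread. The two sample logs are constructed from a few lines of the logs posted here; the `av_hits` parameter and the flag reasons are my own, and a flag is a review hint for the helper, not a verdict.

```python
"""Triage and diff Trend Micro HijackThis v2 logs (added example; constructed input)."""
import re

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
FILE_RE = re.compile(r"([\w~$-]+\.(?:exe|dll|ocx))", re.I)
DANGLING = ("(no file)", "(file missing)")

# Constructed sample in the shape of the first log in the thread (a subset of its lines).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:28:48, on 12/07/2007
Platform: Windows ME (Win9x 4.90.3000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: Š{A_∆{A_
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [clcl11] C:\WINDOWS\SYSTEM\clcl11.exe
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)

--
End of file - 6448 bytes
"""

# Constructed sample in the shape of the second log (after the fix and the AVG install).
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19:39, on 21/07/2007
Platform: Windows ME (Win9x 4.90.3000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)

--
End of file - 7864 bytes
"""


def parse_log(text):
    """Split a HijackThis log into header lines, running processes and (code, body) entries."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if section == "processes":   # blank line ends the process list
                section = "entries"
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if line == "--" or line.startswith("End of file"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
        elif section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def triage(entries, av_hits=()):
    """Return (code, body, reason) for entries worth a second look.

    av_hits: file names another scanner already reported (here clcl11.exe, named by
    BitDefender and AVG in the thread). Dangling entries point at nothing and are safe
    to fix; an O1 line that is not "IP hostname" usually means a damaged hosts file.
    """
    hits = {h.lower() for h in av_hits}
    flags = []
    for code, body in entries:
        names = {n.lower() for n in FILE_RE.findall(body)}
        if names & hits:
            flags.append((code, body, "names a file already reported by a scanner: "
                          + ", ".join(sorted(names & hits))))
        elif any(tok in body for tok in DANGLING):
            flags.append((code, body, "dangling reference: target file or URL is gone"))
        elif code == "O1":
            m = HOSTS_RE.match(body)
            reason = (f"hosts override: {m.group(2)} -> {m.group(1)}" if m
                      else "unparseable hosts entry (damaged hosts file?)")
            flags.append((code, body, reason))
    return flags


def diff_logs(before, after):
    """Entries that disappeared since the earlier scan and entries new in the later one."""
    b, a = set(before["entries"]), set(after["entries"])
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for code, body, why in triage(before["entries"], av_hits={"clcl11.exe"}):
        print(f"[{code}] {why}\n      {body}")
    changes = diff_logs(before, after)
    for kind in ("removed", "added"):
        for code, body in changes[kind]:
            print(f"{kind:>8}: {code} - {body}")
```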

#3 Genla
  • Topic Starter
  • Members
  • 26 posts

Posted 20 July 2007 - 11:41 AM

Thank you very, very much for your answer.

I am going to try to do what you said, which sounds big for me as I am not a geek, but I will, and I'll get back to you once I am done.

Yveline

#4 DaveM59
    Bleepin' Grandpa
  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 20 July 2007 - 06:05 PM

Hi again Genla,

Take your time and don't worry, this is not that hard to do. If you encounter any problems or have any questions about my instructions, just ask.

Dave

#5 Genla
  • Topic Starter
  • Members
  • 26 posts

Posted 21 July 2007 - 04:05 PM

I did my "homework" following step by step your instructions (thanks).

Before I received your answer I had run Bitdefender again. It spotted the file you mentioned (windows\system\clcl11.exe), said it was infected with Trojan. Adclicker.ff and it couldn't fix nor delete it.
Bitdefender also spotted another file program files\ICQ\ICQ99B.exe wise 0023, infected with backdoor. Ip.Protect.A ; said it couldn't fix nor delete it.

I managed to install AVGFree and the Sygate firewall.

AVGFree spotted the clcl11 file.
It didn't spot the second file Bitdefender had highlighted.
But it spotted 5 other files, infected with Trojan Horse Backdoor.Generic7.olg and trojan Horse Clicker.GOH

Sygate "talks" to me asking me whether I allow this or that (after booting), and, since I am far from being a technician, I am not sure what's right or wrong.

So these 2 protections are now running. Though, if possible, if the computer accepts it, I still would like to install the antivirus I was trying to install before.

This one is called antivirus firewall PC and is provided for an extra fee by my internet service provider France Telecom. Before, they were supplying me with antivirus mail, scanning the messages before they would reach my mailbox. This antivirus firewall is supposed to do that + what AVG and Sygate are doing.

Being supplied by France Telecom, I hope it'll "speak" French. We used to have the French version of Norton, but once you're in trouble for something, you're very soon redirected to pages in English, which causes a great amount of stress to other family members when I am not around.

So, if possible I'd like to install that Antivirus from France Telecom. If not possible, well... we'll survive.

I did a system scan only on HijackThis as you said.
Only 2 of the files you mentioned were there. The clcl11.exe was not.
(I had run AVGFree before; maybe this explains that.)
I checked and clicked "fix" for these 2 files.

Then I managed to reboot in safe mode, but once there, my mouse would not answer properly; it would only move from top to bottom, not from left to right.
So, I was unable to navigate inside Windows Explorer.

After this, I ran HijackThis again and below is the log file.
I hope it makes sense for you.

Yveline

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19:39, on 21/07/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NERO\DATA\XTRAS\MSSYSMGR.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\WANADOO\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [MezAnivs] C:\MES DOCUMENTS\MEZANIV.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\RunServices: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\RunServices: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O4 - .DEFAULT Startup: EPSON Status Monitor 3.2 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE (User 'Default user')
O4 - Startup: EPSON Status Monitor 3.2 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: Interface Chat Wanadoo - http://chat10.x-echo.com/version3/Applet/wchatsign.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...066/mcfscan.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 7864 bytes

#6 Genla
  • Topic Starter
  • Members
  • 26 posts

Posted 21 July 2007 - 04:11 PM

Well... I had tried to post that message several times today, and it wouldn't go through... until I had access to another computer. On that one computer my posting went through with no problem.
Weird! When I installed my antivirus, I had no access to the internet any longer.
Now that I installed AVGFree + Sygate I can access the internet, but this posting wouldn't go through.

Thanks for helping

Yveline

#7 DaveM59
    Bleepin' Grandpa
  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 23 July 2007 - 02:15 PM

Hi again,

I have been doing a little research here at work today. It appears that your Bitdefender finding

program files\ICQ\ICQ99B.exe wise 0023, infected with backdoor. Ip.Protect.A


is a false positive. In other words, the file ICQ99B.exe is not a virus, but Bitdefender misidentified it as one. Please read posts # 8 through 19 in this topic on the Bitdefender forum.

Sorry I do not have time to write more now, I will post again tonight when I get home. However I wanted to give you this information right away because this sort of finding can be very alarming.

Dave

#8 DaveM59
    Bleepin' Grandpa
  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 23 July 2007 - 09:05 PM

Hi again,

Your new log looks clean.

I am, as I told you, quite sure that the Bitdefender scan result is a false positive.

I am not as sure about your Trojan Horse Backdoor.Generic7.olg and trojan Horse Clicker.GOH. I need to know the names of the files and where they were located.

Start your AVG program by double clicking on the icon on your desktop. On the top menu bar, click Program, then click Launch AVG Test Center. Then, on the Menu Bar, Click Results. You will be presented with a list of all the scans AVG has done on your system. If there is more than one test listed, I want you to select the first one, since I believe that is where it first found the malware. On the right hand side of the window, under Test Results, click the Virus Results tab. Then move up to the menu bar and click Program, then click Export list to file.

A Save As window will open. Click the arrow next to the Save in: box, navigate to your desktop, and select it. Then, at the bottom of the window, Click the arrow next to the File type: box and select Formatted text, space delimited. Then just above that, in the File name box, type in AVGTest.txt. Then click Save. Then close AVG.

Double click the AVGTest.txt file icon on your desktop. It will open in Notepad. Copy and paste the entire text of the AVG test file to your next reply here.

I have read your comments about the Antivirus and firewall from France Telecom. I completely agree that it would be much better for you to have security programs that "speak French." If you can get those programs installed and running, you should use them, and remove the AVG and Sygate programs I asked you to install.

The only reason I told you to get these programs is that you were surfing the internet with no protection at all, and frankly, that is somewhat suicidal these days. You needed something to protect you until you can get the France Telecom security programs working.

Unfortunately, with that task I cannot help you. I can read French well enough to understand it (usually) but I cannot speak or write your magnificent language well enough to make myself understood in any but the simplest contexts. I certainly could not carry on an e-mail exchange with a technical support person at France Telecom about your problems with their software. However I think that you can and should do this. The security software is part of the service they are providing, and you are paying for, and I am sure they offer support for customers who have difficulty in getting it to work.

I can refer you to a very good English Language tutorial about firewalls. I think it will help you to understand what Sygate is doing. Here it is:

Understanding and Using Firewalls

For instructions on how to set up your Sygate firewall, you should look at the Help files that are included with the program. As to your specific problem with posting, I did some checking online and it appears that you may need to unblock types 3 and 4 ICMP traffic. I'm sorry I can't give you instructions on how to do this, I don't use Sygate myself, but the program help files should tell you how to do this. I will also ask for help from my fellow workers here, maybe one of them knows how to do this.

Regarding safe mode, don't worry about that right now. It appears that your bad file was deleted or quarantined by AVG, so we may not need to use it. And there are alternatives with Windows ME. Does your computer have a floppy disk drive? Do you have the Windows ME boot disk?

Please post that AVG test report.

Dave

#9 Genla
  • Topic Starter
  • Members
  • 26 posts

Posted 24 July 2007 - 05:18 PM

I saw your shorter message yesterday and tried to answer but my posting wouldn't go through and I couldn't access that other computer yesterday. I'll print your longer posting, and will try to do what you said.

The "false positive" from Bitdefender sounds like good news, and trying to understand better what a firewall does will surely be helpful. And hopefully I'll find how to unblock what you said on Sygate. It would most likely help me navigate my Yahoo groups, which I noticed I have been unable to do since I installed this software.

I did call France Telecom support when I had trouble installing their antivirus firewall. What the guys told me to do wouldn't work and the second one's conclusion was that I needed to take the computer to the repair store. Well... this is an old computer now, and what they would charge me would most likely cost roughly 75% of a new computer. Not worth it.

Before I called them, I had killed a few "whatever-they-are-called" (so many names, so little understanding of this!), and since they didn't get into this, I wondered whether some remaining infection was causing the problems I have (the trouble with their antivirus being only one of them) or that was something else. This is when I posted here.

You say my last log looks clean (I remember I still have to post the AVG test result). So maybe this is something else. I am pretty sure that somebody who is into computers would know what to do about it but... I sure don't. See, I can speak English as a second language, but this is not within my skills.

So, if this is not an infection, I guess I'll make do with a cranky computer as long as I can do the basics with it (or get so upset about the trouble that I end up buying a new computer!). I saved my files, pictures etc. before I started doing things I am not used to doing (like Spybot, Bitdefender etc.).

I'll get back to you when I have completed what you said.

Thank you for your time.

Yveline

#10 DaveM59
    Bleepin' Grandpa
  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 25 July 2007 - 06:38 AM

Hi again Yveline,

I got a couple of responses to my call for help.

Here is an online tutorial for the Sygate firewall:

http://bellsouthpwp.net/i/k/ikpe/SygateBasics.html

As I told you, I do not use Sygate myself, I recommended it to you because it will work with your operating system.

However, your description of your problems sounds like a firewall configuration issue. Please read through the tutorial and try to set the firewall to "normal" or "default" permissions.

Here are the two comments I got from Sygate users about access to Bleeping Computer:

I use Sygate PF. Don't have it configured in a different way.


In other words, he just has it set up with the default settings, and has no trouble posting replies here.

The other comment was:

As I remember, all she has to do is to go to application configurations and "always" allow whatever browser she is using access.


It is possible that in answering the questions Sygate was asking you, you may have changed its configuration. You should check into this, and the tutorial should help.

EDIT: One quick way to test and determine whether your firewall is causing your problems with posting replies would be to disable the firewall completely, just for a few minutes, and see whether you can then post a reply. Just try to post a reply to this topic with the single word "Test" in the message box. Every firewall I have used has an option to disable it completely. You will have to check the tutorial to see how to do this. After the test re-enable the firewall. Let me know whether you are able to post with the firewall disabled.

I am sorry to hear that France Telecom was not very helpful with their software. The old "take the machine to a repair shop" is a common way of avoiding more questions, and plenty of American companies do the same thing. I agree that with a computer as old as yours, it would not be cost effective to take it to a shop for repair, unless you had a system crash and there was data on the computer that needs to be recovered.

It does appear that you are pretty much stuck with English language software if you want a free antivirus and firewall. Support for other languages is one of the "extras" that you get when you pay for the Premium version. I know this is true of AVG.

Speaking of AVG, when I said your log looks clean I meant that HijackThis is not showing signs of active malware. This does not mean that there are no more bad files on your computer. I still need to see the AVG report, and depending on what it shows, we may need other scans.

Dave

Edited by DaveM59, 25 July 2007 - 06:47 AM.


#11 Genla
  • Topic Starter
  • Members
  • 26 posts

Posted 26 July 2007 - 06:38 PM

I did what you said regarding the AVG test result.

I paste below 2 of them: the first one (Jul 21) and the last one (Jul 25). The results of the tests run on the 23rd and 24th had shown the same 4 infections. AVG and Sygate have been active the whole time.

I read BleepingComputer's tutorial about firewalls. Although it is written in plain English, I must say I need to read it again before it reaches the right brain cells. I got lost at the point where the tutorial mentions blocking outgoing traffic and showing that some unwelcome software is installed. Some of this rings a bell and makes me think of some of the messages Sygate popped up. I am not sure. I have not got into the Sygate tutorial yet.

Yveline

Test result Jul 21

General properties
Report name Complete Test
Start time 21/07/2007 02:30:42
End time 21/07/2007 02:58:21 (total: 27:38.6 Min)
Launch method Scanning launched manually
Scanning result Threats found
Report status Scanning completed successfully

Object summary
Scanned 34633
Threats Found 7
Cleaned 0
Moved to vault 0
Deleted 3
Errors 0
C:\WINDOWS\SYSTEM\clcl11.exe Trojan horse Clicker.GOH Infected
C:\WINDOWS\SYSTEM\clcl11.exe Trojan horse Clicker.GOH Infected
C:\_RESTORE\TEMP\A0002616.CPY Trojan horse BackDoor.Generic7.OLG Infected
C:\_RESTORE\TEMP\A0002618.CPY Trojan horse BackDoor.Generic7.OLG Infected
C:\sysexqr.exe Deleted
C:\syshnpq.exe Deleted
C:\sysawte.exe Deleted


Test result Jul 27

General properties
Report name Complete Test
Start time 25/07/2007 23:04:13
End time 25/07/2007 23:39:23 (total: 35:09.2 Min)
Launch method Scanning launched by scheduler
Scanning result Threats found
Report status Scanning completed successfully

Object summary
Scanned 36305
Threats Found 4
Cleaned 0
Moved to vault 0
Deleted 0
Errors 0
C:\WINDOWS\hosts Change Changed
C:\_RESTORE\TEMP\A0002616.CPY Trojan horse BackDoor.Generic7.OLG Infected
C:\_RESTORE\TEMP\A0002618.CPY Trojan horse BackDoor.Generic7.OLG Infected
C:\_RESTORE\TEMP\A0002623.CPY Trojan horse BackDoor.Generic7.OLG Infected
C:\_RESTORE\TEMP\A0002628.CPY Trojan horse Clicker.GOH Infected

#12 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 26 July 2007 - 08:09 PM

Hi again Yveline,

Things are looking pretty good. Your latest AVG scan shows that the only malware it detected is in your System Restore folder. Files located there cannot do any harm unless you perform a system restore. Once we are sure you are clean we will clear out your restore files and set a new, clean restore point.

It sounds like you are beginning to "get" that article on firewalls. Keep going, you will master it yet!

Have you been able to try the test I suggested (disabling the firewall just long enough to post a reply to this topic)? That would tell us for certain whether your problem is due to the settings of your firewall.

I would like to see the results of another scan, just as a double check to make sure AVG has not missed anything. Please run a fresh Panda online scan. Since you have done this before I will not give detailed instructions on running the scan. Here is how you save the report after the scan is completed:

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to your desktop. Post the contents of the ActiveScan report to your next reply. Also run a new HijackThis scan and post that log as well.

Dave
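The reasoning in the reply above (a hit under the System Restore folder is dormant until that restore point is applied, a file the scanner already deleted needs nothing further, anything else is live) can be turned into a small triage step over report lines laid out like the AVG entries Yveline posted. The script below is an added example written for this page; it is not code from the thread, from AVG, or from BleepingComputer. The sample report is constructed (it reuses paths quoted in the thread plus two summary lines), the `C:\_RESTORE\` prefix list is an assumption for Windows Me, and all function names are mine. It also flags a changed hosts file separately, since that entry is not a malware file but an edit worth inspecting by hand.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the AVG entries quoted in this thread:
# summary lines first, then one entry per line as "<path> <detection> <status>".
SAMPLE_REPORT = """\
Scanned 36305
Threats Found 4
C:\\WINDOWS\\SYSTEM\\clcl11.exe Trojan horse Clicker.GOH Infected
C:\\_RESTORE\\TEMP\\A0002616.CPY Trojan horse BackDoor.Generic7.OLG Infected
C:\\WINDOWS\\hosts Change Changed
C:\\sysexqr.exe Deleted
"""

# Folders whose contents do not run on their own.  On Windows Me the System
# Restore archive lives under C:\_RESTORE; a hit there stays dormant unless
# that restore point is applied.  (Assumed prefix list; extend as needed.)
DORMANT_PREFIXES = ("C:\\_RESTORE\\",)

# An entry starts with a drive path; the status is the last token and the
# detection text is whatever sits between the two.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S*)\s+(?P<detail>.*?)\s*(?P<status>\S+)$"
)


def parse_entry(line):
    """Return (path, detail, status) for a file entry, or None for summary/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return m.group("path"), m.group("detail"), m.group("status")


def classify(path, status):
    """Bucket one entry by what a responder should do with it."""
    upper = path.upper()
    if status.lower() == "deleted":
        return "already_removed"          # scanner dealt with it; nothing to do
    if any(upper.startswith(p.upper()) for p in DORMANT_PREFIXES):
        return "dormant_restore_point"    # harmless until a restore; purge later
    if status.lower() == "changed" and upper.endswith("\\HOSTS"):
        return "hosts_file_changed"       # not malware per se, but inspect the edits
    return "live_threat"                  # active file outside any dormant folder


def triage(report_text):
    """Group report entries into buckets; summary lines are skipped."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        path, detail, status = parsed
        buckets[classify(path, status)].append((path, detail))
    return dict(buckets)


def needs_attention(report_text):
    """Buckets that still require action, in a fixed order for stable output."""
    found = triage(report_text)
    return [b for b in ("live_threat", "hosts_file_changed") if b in found]


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(bucket)
        for path, detail in entries:
            print("   ", path, "-", detail or "(no detection text)")
    print("needs attention:", needs_attention(SAMPLE_REPORT))
```

Run it on a report pasted into a text file by replacing `SAMPLE_REPORT` with the file's contents; when `needs_attention` comes back empty, the only findings are deleted files or dormant restore-point copies, which is the state the reply above describes as "looking pretty good" before the restore folder is cleared.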

#13 Genla

Genla
  • Topic Starter

  • Members
  • 26 posts

Posted 29 July 2007 - 04:53 PM

Mmm... I have not done my "homework" over the weekend. Busy visiting relatives, and then working around the house.
I am digging into it right now.
I think I am falling behind, aren't I?

Yveline

#14 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 29 July 2007 - 05:14 PM

Hi again,

No worries, I have been very busy with family business and other things myself. Just run those scans and post the logs when you have time.

Dave

#15 Genla

Genla
  • Topic Starter

  • Members
  • 26 posts

Posted 29 July 2007 - 06:35 PM

Wow! You answered already? I cannot believe this!

I just did part of my homework.
I read BleepingComputer's tutorial about firewalls and the Sygate basics page you directed me to again.
Focused with a capital F (!!).

I come out of it with mixed feelings.
A. Some of it did get into my brain cells; some still floats in unknown territory; some more talks about things which are alien to me.
B. Reading these pages, it feels like I should do more monitoring of this, that, and who knows what.
C. Pretty soon, this is going to take more time than what I spend on the computer.
D. I "just" want to do e-mail and navigate here and there, for heaven's sake;
E. Part of me says: hey, isn't that chore what I pay for when I subscribe to an antivirus?
F. I just want to do e-mail and navigate here and there, for heaven's sake.

(I guess that one firewall is free, but I am still registered with that other one, and trying to get myself into what a firewall does; and I understand it is not that simple, as everybody's needs are not the same.)

I guess I just needed to let off some steam. Sorry.

Sitting back, I think I am overwhelmed because I don't know what is right to allow the machine to work normally and what is a weakness.

I am still using that other computer to post. The next step will be trying to work on the setup of Sygate and see if it makes it possible to post.

Yveline



