"Click to find and fix errors" icon on desktop and popups [C

This topic is locked

#16 annegab (Topic Starter, Member, 14 posts)
Dear sarahw,

I have to say I feel quite desperate. I still have a lot of popups; Outerinfo came back, as well as webHancer, and it seems I am not finished with Vundo. My computer is slow and I still have those icons on my desktop.

Fresh HJT:

Logfile of HijackThis v1.99.1
Scan saved at 20:48:46, on 2007-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\{B426C918-0577-1036-0320-021221200002}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\zstatus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34B3A234-61F0-6A54-A54F-1CE34890AA9F} - C:\WINDOWS\system32\rczxbl.dll (file missing)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://74747415.spac...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000627 (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan report
---------------------------------------------------------

+ Created at: 20:36:13 2007-04-29

+ Scan result:

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036236.dll -> Adware.Lucky : Cleaned and backed up (quarantined).
C:\Program Files\Outerinfo\OiUninstaller.exe -> Adware.PurityScan : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037576.exe -> Adware.PurityScan : Cleaned and backed up (quarantined).
C:\WINDOWS\SYSTEM32\rczxbl.dll -> Adware.PurityScan : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temp\b116.exe -> Adware.Softomate : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\AR03EUWJ\116[1].net -> Adware.Softomate : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036237.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036238.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036239.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036240.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036241.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036242.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036243.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036244.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036245.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036246.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036247.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036248.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036249.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036250.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036251.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036252.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036253.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036254.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036255.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036256.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036257.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036258.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036259.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036260.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037400.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037401.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037404.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037405.dll -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\VundoFix Backups\mljkhii.dll.bad -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\VundoFix Backups\rqrpqpp.dll.bad -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\VundoFix Backups\rqrsqnn.dll.bad -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\VundoFix Backups\xxyaxut.dll.bad -> Adware.Virtumonde : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temp\b129.exe -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\1C7T52RY\129[1].net -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\Program Files\webHancer -> Adware.Webhancer : Cleaned and backed up (quarantined).
C:\Program Files\webHancer\Programs -> Adware.Webhancer : Cleaned and backed up (quarantined).
C:\Program Files\webHancer\Programs\license.txt -> Adware.Webhancer : Cleaned and backed up (quarantined).
C:\Program Files\webHancer\Programs\readme.txt -> Adware.Webhancer : Cleaned and backed up (quarantined).
C:\Program Files\webHancer\Programs\whAgent.ini -> Adware.Webhancer : Cleaned and backed up (quarantined).
C:\Program Files\webHancer\Programs\whinstaller.exe -> Adware.Webhancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037546.exe -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037547.dll -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037548.dll -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037573.dll -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037574.exe -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037578.dll -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\snapshot\MFEX-1.DAT -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\snapshot\MFEX-2.DAT -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\snapshot\MFEX-3.DAT -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj\CurVer -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned and backed up (quarantined).
HKLM\SOFTWARE\webhancer\ESO -> Adware.WebHancer : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\BALUVEOK\setar-101[1].0000 -> Adware.Yazzle : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037575.exe -> Downloader.Age : Cleaned and backed up (quarantined).
C:\Program Files\Fichiers communs\Yazzle1122OinAdmin.exe -> Downloader.PurityScan.eh : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temp\b104.exe -> Downloader.Small.buy : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\AR03EUWJ\104[1].net -> Downloader.Small.buy : Cleaned and backed up (quarantined).
C:\Documents and Settings\Propriétaire\Cookies\proprié[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Propriétaire\Cookies\proprié[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Propriétaire\Cookies\proprié[email protected][1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Propriétaire\Cookies\proprié[email protected][1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Program Files\Ipwindows\UnInstall.exe -> Trojan.Rond : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP613\A0037541.exe -> Trojan.Rond : Cleaned and backed up (quarantined).
C:\WINDOWS\SYSTEM32\wnscpsv.exe -> Trojan.Small : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036231.exe -> Worm.Agent.a : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036232.exe -> Worm.Agent.a : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036233.exe -> Worm.Agent.a : Cleaned and backed up (quarantined).
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036234.exe -> Worm.Agent.a : Cleaned and backed up (quarantined).


End of report


Kaspersky:

Sunday, April 29, 2007 12:44:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/04/2007
Kaspersky Anti-Virus database records: 307224


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 82388
Number of viruses found 17
Number of infected objects 97 / 0
Number of suspicious objects 0
Duration of the scan process 01:56:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Zero Knowledge\Freedom\logs\ServiceModel04-29-2007--10-14-51.log Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Propriétaire\Application Data\Zero Knowledge\Freedom\logs\SafetyConsoleLog04-29-2007--10-14-52.log Object is locked skipped

C:\Documents and Settings\Propriétaire\Bureau\net.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\Documents and Settings\Propriétaire\Bureau\net.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Propriétaire\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Propriétaire\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Propriétaire\Local Settings\Historique\History.IE5\MSHist012007042920070430\index.dat Object is locked skipped

C:\Documents and Settings\Propriétaire\Local Settings\Temp\b122.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Documents and Settings\Propriétaire\Local Settings\Temp\b122.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\Documents and Settings\Propriétaire\Local Settings\Temp\b122.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Propriétaire\net.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\Documents and Settings\Propriétaire\net.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Propriétaire\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Propriétaire\ntuser.dat.LOG Object is locked skipped

C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped

C:\net.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\net.exe NSIS: infected - 1 skipped

C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\Program Files\Outerinfo\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 2 skipped

C:\Program Files\webHancer\Programs\SET61E.tmp Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Program Files\webHancer\Programs\whagent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Program Files\webHancer\Programs\whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Program Files\webHancer\Programs\whinstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP606\A0035093.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP606\A0035093.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP607\A0035180.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP607\A0035180.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0035195.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0035195.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0035197.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0035197.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036146.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036146.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036148.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036148.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036166.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036166.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036185.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036185.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036231.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036232.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036233.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036234.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036236.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036237.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036238.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036239.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036240.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036241.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036243.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036244.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036245.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036247.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036248.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036249.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036252.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036253.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036254.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036255.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036256.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036257.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036258.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036259.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP608\A0036260.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037391.dll Infected: Trojan-Spy.Win32.VBStat.h skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037392.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037395.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037397.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037398.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037400.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037401.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037402.dll Infected: Trojan-Spy.Win32.VBStat.h skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037404.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP611\A0037405.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP613\A0037506.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP613\A0037507.dll Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP613\change.log Object is locked skipped

C:\VundoFix Backups\bevyedbs.dll.bad Infected: Trojan-Spy.Win32.VBStat.h skipped

C:\VundoFix Backups\goyffimp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\VundoFix Backups\kddimkuy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\VundoFix Backups\layayyoe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\VundoFix Backups\mljkhii.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\VundoFix Backups\ncskkojp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\VundoFix Backups\phlbddnu.dll.bad Infected: Trojan.Win32.BHO.g skipped

C:\VundoFix Backups\qblulewd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\VundoFix Backups\qnmhqjfl.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\VundoFix Backups\rqrpqpp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\VundoFix Backups\rqrsqnn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\VundoFix Backups\tycuhcvf.dll.bad Infected: Trojan-Spy.Win32.VBStat.h skipped

C:\VundoFix Backups\upqrtonq.dll.bad Infected: Packed.Win32.Klone.j skipped

C:\VundoFix Backups\xxyaxut.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\SYSTEM32\bfypkixi.dll Infected: Packed.Win32.Klone.j skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SYSTEM32\mjuyqekv.dll Infected: Packed.Win32.Klone.j skipped

C:\WINDOWS\SYSTEM32\net.exe/data0003 Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\WINDOWS\SYSTEM32\net.exe NSIS: infected - 1 skipped

C:\WINDOWS\SYSTEM32\rczxbl.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wnyqrjcd.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\WINDOWS\SYSTEM32\Ѕymantec\nоpdb.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


#17
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Hi
Are you using an antivirus and firewall? Could you please tell me what security products you are currently using?
The log looks like it's just about clean; there might be a few things hiding.

1.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {34B3A234-61F0-6A54-A54F-1CE34890AA9F} - C:\WINDOWS\system32\rczxbl.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000627 (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

3. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

4. Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

Webhancer

Please note any other programs that you don't recognize in that list in your next response.

5. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\webHancer

6. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe

When you are finished, please reboot the computer normally, and post a new HijackThis log here in a reply. Also, please let me know of any problems you may have encountered.

2.
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

3.
Next, can you please rescan with AVG Anti-Spyware using the instructions in my last post (steps 4 and 5). Post that log when finished.
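The entries sarahw singled out above share a few visible tells: a target marked "(file missing)", a BHO with no name, a service with an unknown owner, an autostart under Application Data, and, in the earlier Kaspersky scan, a look-alike "Ѕymantec" folder spelled with a Cyrillic letter. The following Python is an added example (not code from HijackThis, ComboFix or the helper) that applies those same checks to HJT-style log lines; the heuristics and function names are this example's own, and the sample lines are quoted from the HJT logs posted in this thread.

```python
"""Triage heuristics for HijackThis 1.99-style log lines.

Added example for this thread, not code from HijackThis, ComboFix or the
helper; the function names and heuristics are this example's own, and the
sample lines are quoted from the HJT logs posted in the thread.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Every HJT entry starts with a section code: "O2 - BHO: ...", "O4 - HKLM\..\Run: ..."
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Quoted from the thread's HJT logs: two legitimate entries, four the helper flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34B3A234-61F0-6A54-A54F-1CE34890AA9F} - C:\WINDOWS\system32\rczxbl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xijaadeg.dll",realset
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000627 (file missing)
"""


def has_non_latin_letters(text: str) -> bool:
    """True if a letter outside the Latin script appears in the text.

    Accented French letters (the é in 'Propriétaire') are Latin and pass;
    a Cyrillic look-alike such as U+0405 standing in for 'S', as in the
    fake 'Symantec' folder in the Kaspersky scan above, does not.
    """
    for ch in text:
        if ch.isalpha() and ord(ch) > 127:
            if not unicodedata.name(ch, "").startswith("LATIN"):
                return True
    return False


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_line(line: str) -> Finding:
    """Apply the checks a helper applies by eye to one HJT entry."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return Finding("?", line)  # not an HJT entry; nothing to say
    sec, body = m.group("sec"), m.group("body")
    f = Finding(sec, line)
    low = body.lower()
    # HJT appends "(file missing)" when the target is gone: an orphaned
    # load point that still needs to be removed.
    if "(file missing)" in low:
        f.reasons.append("references a file that no longer exists")
    # Legitimate BHOs carry a display name.
    if sec == "O2" and "(no name)" in low:
        f.reasons.append("BHO registered without a name")
    # HJT prints "Unknown owner" when the service binary has no publisher.
    if sec == "O23" and "unknown owner" in low:
        f.reasons.append("service binary has no identifiable owner")
    # rundll32 calling an export of a DLL given by path (the NVIDIA entry
    # passes a module name, not a .dll path, so it is not flagged).
    if sec == "O4" and re.search(r'rundll32(\.exe)?\s+"?[^"]*\.dll"?\s*,\s*\w+', low):
        f.reasons.append("Run key launches a DLL export via rundll32")
    # An autostart executable under a user's Application Data folder, in
    # the 8.3 short form HJT prints (APPLIC~1) or the long name.
    if sec == "O4" and re.search(r"(applic~1|application data)\\.*?\.exe", low):
        f.reasons.append("autostart executable lives under Application Data")
    if has_non_latin_letters(body):
        f.reasons.append("path contains non-Latin look-alike letters")
    return f


def triage_log(text: str) -> list:
    """Return only the entries that tripped at least one heuristic."""
    return [f for f in map(triage_line, text.splitlines()) if f.suspicious]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Running it lists the four entries the helper asked to fix and stays silent on the Adobe and NVIDIA lines; the heuristics are a first pass for a reviewer, not a verdict.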

#18
annegab

    Member

  • Topic Starter
  • Member
  • 14 posts
Hi!

I have Freedom antivirus 5.1.3.36337 by Zero Knowledge (it is supposed to offer anti-spyware and firewall protection as well), but I think it has expired, though it might still be running. I don't think it has been updated in a long time and it slows down my computer at boot. My computer is still running slow.

In the Add/Remove Programs section, I did not find webHancer, but I saw Bar888, Ipwins, KBD, and Python 1.5 combined Win32. I did not find webHancer in Program Files, nor did I find deexplorer.exe.

While I was on the Internet trying to connect to Geeks to Go I got about 44 pop-ups. I also regularly get prompts from AVG about Virtumonde (which I think is Vundo, right?).

Also I still have those icons, and I found net.exe in C:\Documents and Settings/Propriétaire/net.exe. Should I remove it?

These are the logs:


Fresh HJT:


Logfile of HijackThis v1.99.1
Scan saved at 12:16:35, on 2007-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77E026F8-853F-4097-BDE3-7A0646C4F9BE} - C:\WINDOWS\system32\awtqp.dll
O2 - BHO: (no name) - {80440127-2315-4464-88B9-7ACB72F43ADB} - C:\WINDOWS\system32\wvuvstr.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://74747415.spac...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Combofix:


"Propri‚taire" - 07-04-30 9:51:07 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Propri‚taire\Bureau\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bfypkixi.dll
C:\WINDOWS\system32\mjuyqekv.dll
C:\WINDOWS\system32\yaywtur.dll
C:\WINDOWS\system32\wnyqrjcd.dll
C:\WINDOWS\system32\wvuvstr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\Fichiers communs\{3426C~1\Bar888.dll.lzma
C:\Program Files\Fichiers communs\{B426C~1\Update.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\Fichiers communs\{3426C~1
C:\Program Files\Fichiers communs\{B426C~1
C:\WINDOWS\system32\drivers\core.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\PROPRI~1
C:\qoobox\purity\C\DOCUME~1\PROPRI~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1
C:\qoobox\purity\C\DOCUME~1\PROPRI~1\APPLIC~1\YSTEM~1
C:\qoobox\purity\C\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\?ecurity
C:\qoobox\purity\C\WINDOWS\SYSTEM32\YMANTE~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Client IP-IPX
-------\core
-------\LEGACY_CORE


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))


2007-04-30 09:44 284,244 ---hs---- C:\WINDOWS\SYSTEM32\awtqp.dll
2007-04-29 10:20 <REP> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-04-29 10:11 99,328 --a------ C:\VundoFix.exe
2007-04-24 20:15 <REP> d-------- C:\Program Files\iTunes
2007-04-23 21:38 <REP> d-------- C:\VundoFix Backups
2007-04-23 20:00 <REP> d-------- C:\Program Files\Apple Software Update
2007-04-21 21:32 <REP> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-21 13:46 <REP> d-------- C:\Program Files\backups
2007-04-21 12:49 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-04-21 10:34 218,112 --a------ C:\Program Files\HijackThis.exe
2007-04-17 17:03 141,777 --a------ C:\net.exe
2007-04-16 21:49 141,779 --a------ C:\DOCUME~1\PROPRI~1\net.exe
2007-04-16 20:27 <REP> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-30 09:26 262 --a------ C:\WINDOWS\freedom.backup.dat
2007-04-29 20:48 8024 --a------ C:\Program Files\hijackthis.log
2007-04-24 22:50 -------- d-------- C:\Program Files\incomplete
2007-04-24 21:04 -------- d-------- C:\Program Files\limewire
2007-04-24 20:15 -------- d-------- C:\Program Files\ipod
2007-04-23 20:11 -------- d-------- C:\Program Files\quicktime
2007-04-21 13:50 -------- d-------- C:\Program Files\msn messenger
2007-04-19 17:18 141779 --a------ C:\WINDOWS\SYSTEM32\net.exe
2007-03-17 09:44 293376 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-14 18:36 49486 --a------ C:\WINDOWS\SYSTEM32\perfc00c.dat
2007-03-14 18:36 369208 --a------ C:\WINDOWS\SYSTEM32\perfh00c.dat
2007-03-08 11:37 578560 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:37 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:37 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 11:33 1843712 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-03-02 13:52 -------- d-------- C:\Program Files\windows media connect 2
2007-02-05 16:19 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{39299F8B-C722-41DF-8D28-B6116024F1CE} C:\WINDOWS\system32\awtqp.dll
{3C060EA2-E6A9-4E49-A530-D4657B8C449A} C:\Program Files\Zero Knowledge\Freedom\pkR.dll
{56071E0D-C61B-11D3-B41C-00E02927A304} C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{80440127-2315-4464-88B9-7ACB72F43ADB} C:\WINDOWS\system32\wvuvstr.dll [x]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4} C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"s3apphk"="s3apphk.exe"
"Freedom"="C:\\Program Files\\Zero Knowledge\\Freedom\\Freedom.exe"
"hp 1000 firmware"="C:\\Program Files\\hp LaserJet 1000\\fwdl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\FICHIE~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Fichiers communs\\InstallShield\\UpdateService\\issch.exe\" -start"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Heth"="\"C:\\DOCUME~1\\PROPRI~1\\APPLIC~1\\ECURIT~1\\dexplore.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{970D022E-A884-4D2A-BB4A-EBC22D2FEBD2}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{80440127-2315-4464-88B9-7ACB72F43ADB}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvstr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^hp center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\hp center.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Program\\BACKWE~1.EXE -startup"
"item"="hp center"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Rappel d'abonnement 1 auprŠs de l'ISP.job
C:\WINDOWS\tasks\Rappel d'abonnement 2 auprŠs de l'ISP.job
C:\WINDOWS\tasks\Rappel d'abonnement 3 auprŠs de l'ISP.job
C:\WINDOWS\tasks\Rappel d'enregistrement 1.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-30 10:11:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-30 10:12:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-30 10:12


AVG:

---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

+ Créé à: 11:56:11 2007-04-30

+ Résultat de l'analyse:



C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037589.exe -> Adware.PurityScan : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037590.dll -> Adware.PurityScan : Nettoyé.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yaywtur.dll.vir -> Adware.Virtumonde : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037642.dll -> Adware.Virtumonde : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037648.dll -> Adware.Virtumonde : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037588.exe -> Adware.WebHancer : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037584.exe -> Downloader.PurityScan.eh : Nettoyé.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\drivers\core.sys.vir -> Rootkit.Agent.eq : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037649.sys -> Rootkit.Agent.eq : Nettoyé.
C:\Documents and Settings\Propriétaire\Cookies\proprié[email protected][1].txt -> TrackingCookie.2o7 : Nettoyé.
C:\Documents and Settings\Propriétaire\Cookies\propriétaire@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Nettoyé.
C:\Documents and Settings\Propriétaire\Cookies\proprié[email protected][1].txt -> TrackingCookie.Paypal : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037585.exe -> Trojan.Rond : Nettoyé.
C:\System Volume Information\_restore{429D30E1-2130-4270-A0B5-080F390EDFD0}\RP614\A0037586.exe -> Trojan.Small : Nettoyé.


Fin du rapport

#19
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#20
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Reopened at user's request.

#21
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Hi annegab,
Once again, I'm really sorry about closing your log.
Could you please uninstall Freedom Anti-Virus, and the Zero Knowledge products, as they probably aren't working.
Could you please install AVG Anti Virus. (A free product)
Next, install Sunbelt Kerio Firewall. (A free product)
Follow the instructions on those sites on downloading and setting up those programs.

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode. In safe mode, run a scan with AVG Anti Virus.

Post a fresh Hijack This log when you have done this.

#22
annegab

    Member

  • Topic Starter
  • Member
  • 14 posts
Hello!

I uninstalled Freedom. I did the AVG scan. When I rebooted from Safe Mode, I received a prompt saying the firewall (the newly installed one) had encountered an error and had to close. My computer is still very slow, but I haven't seen any pop-ups lately.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 13:43:10, on 2007-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xijaadeg.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://74747415.spac...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

#23
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Hi annegab,

I want you to uninstall Bar888 and Ipwins. Click Start, then Control Panel. Open Add/Remove Programs, scroll down until you find these entries, and Uninstall or Remove them.

Next, I need to see an uninstall list:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Rename HijackThis to HJT. You can do this by clicking on the filename under the icon, waiting 2 seconds, then clicking the text again. Then type HJT and press Enter. I want you to create a startup log. This might help us identify the problems making your computer run slow.
Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the Notepad window into your next post
Could you tell me if that firewall problem was a one-off thing or if it is constantly happening? Post the Startup log, the uninstall list, and a normal HJT log in your next reply. :whistling:

Edited by sarahw, 06 May 2007 - 02:12 AM.


#24
annegab

    Member

  • Topic Starter
  • Member
  • 14 posts
Hi!

About the firewall issue, I don't shut down my computer very often so I can't say. I'll get back to you about it.

Again, thanks for your help!


Uninstall list: (mise à jour de sécurité is security update)

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Supprimer uniquement)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5 - Français
Apple Software Update
AVG 7.5
AVG Anti-Spyware 7.5
Barre d'outils MSN
Correctif Windows XP - KB834707
Correctif Windows XP - KB867282
Correctif Windows XP - KB873333
Correctif Windows XP - KB873339
Correctif Windows XP - KB885250
Correctif Windows XP - KB885835
Correctif Windows XP - KB885836
Correctif Windows XP - KB885884
Correctif Windows XP - KB886185
Correctif Windows XP - KB887472
Correctif Windows XP - KB887742
Correctif Windows XP - KB888113
Correctif Windows XP - KB888302
Correctif Windows XP - KB890047
Correctif Windows XP - KB890175
Correctif Windows XP - KB890859
Correctif Windows XP - KB890923
Correctif Windows XP - KB891781
Correctif Windows XP - KB893066
Correctif Windows XP - KB893086
DrawPlus 3.0
Encyclopédie Microsoft Encarta 2001
Gestionnaires d'impression HP inactifs (Supprimer uniquement)
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
hp center
hp LaserJet 1000
HP RecordNow
Inactive HP ScanJet Drivers (Remove only)
InterVideo WinDVD
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 9
Java™ SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
KBD
Lecteur Windows Media 11
LimeWire 4.10.9
Macromedia Flash Player
Macromedia Shockwave Player
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 99
Microsoft Office XP Media Content
Microsoft Office XP Standard
Microsoft Photorécit Plus! 2 LE
Microsoft Picture It! Express 10
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Works 6.0
Mise à jour de sécurité pour Lecteur Windows Media (KB911564)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB911565)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB917734)
Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398)
Mise à jour de sécurité pour Step by Step Interactive Training (KB898458)
Mise à jour de sécurité pour Step by Step Interactive Training (KB923723)
Mise à jour de sécurité pour Windows XP (KB883939)
Mise à jour de sécurité pour Windows XP (KB890046)
Mise à jour de sécurité pour Windows XP (KB893756)
Mise à jour de sécurité pour Windows XP (KB896358)
Mise à jour de sécurité pour Windows XP (KB896422)
Mise à jour de sécurité pour Windows XP (KB896423)
Mise à jour de sécurité pour Windows XP (KB896424)
Mise à jour de sécurité pour Windows XP (KB896428)
Mise à jour de sécurité pour Windows XP (KB896688)
Mise à jour de sécurité pour Windows XP (KB899587)
Mise à jour de sécurité pour Windows XP (KB899588)
Mise à jour de sécurité pour Windows XP (KB899591)
Mise à jour de sécurité pour Windows XP (KB900725)
Mise à jour de sécurité pour Windows XP (KB901017)
Mise à jour de sécurité pour Windows XP (KB901214)
Mise à jour de sécurité pour Windows XP (KB902400)
Mise à jour de sécurité pour Windows XP (KB903235)
Mise à jour de sécurité pour Windows XP (KB904706)
Mise à jour de sécurité pour Windows XP (KB905414)
Mise à jour de sécurité pour Windows XP (KB905749)
Mise à jour de sécurité pour Windows XP (KB905915)
Mise à jour de sécurité pour Windows XP (KB908519)
Mise à jour de sécurité pour Windows XP (KB908531)
Mise à jour de sécurité pour Windows XP (KB911562)
Mise à jour de sécurité pour Windows XP (KB911567)
Mise à jour de sécurité pour Windows XP (KB911927)
Mise à jour de sécurité pour Windows XP (KB912812)
Mise à jour de sécurité pour Windows XP (KB912919)
Mise à jour de sécurité pour Windows XP (KB913446)
Mise à jour de sécurité pour Windows XP (KB913580)
Mise à jour de sécurité pour Windows XP (KB914388)
Mise à jour de sécurité pour Windows XP (KB914389)
Mise à jour de sécurité pour Windows XP (KB916281)
Mise à jour de sécurité pour Windows XP (KB917159)
Mise à jour de sécurité pour Windows XP (KB917344)
Mise à jour de sécurité pour Windows XP (KB917422)
Mise à jour de sécurité pour Windows XP (KB917953)
Mise à jour de sécurité pour Windows XP (KB918118)
Mise à jour de sécurité pour Windows XP (KB918439)
Mise à jour de sécurité pour Windows XP (KB918899)
Mise à jour de sécurité pour Windows XP (KB919007)
Mise à jour de sécurité pour Windows XP (KB920213)
Mise à jour de sécurité pour Windows XP (KB920214)
Mise à jour de sécurité pour Windows XP (KB920670)
Mise à jour de sécurité pour Windows XP (KB920683)
Mise à jour de sécurité pour Windows XP (KB920685)
Mise à jour de sécurité pour Windows XP (KB921398)
Mise à jour de sécurité pour Windows XP (KB921883)
Mise à jour de sécurité pour Windows XP (KB922616)
Mise à jour de sécurité pour Windows XP (KB922760)
Mise à jour de sécurité pour Windows XP (KB922819)
Mise à jour de sécurité pour Windows XP (KB923191)
Mise à jour de sécurité pour Windows XP (KB923414)
Mise à jour de sécurité pour Windows XP (KB923689)
Mise à jour de sécurité pour Windows XP (KB923694)
Mise à jour de sécurité pour Windows XP (KB923980)
Mise à jour de sécurité pour Windows XP (KB924191)
Mise à jour de sécurité pour Windows XP (KB924270)
Mise à jour de sécurité pour Windows XP (KB924496)
Mise à jour de sécurité pour Windows XP (KB924667)
Mise à jour de sécurité pour Windows XP (KB925454)
Mise à jour de sécurité pour Windows XP (KB925486)
Mise à jour de sécurité pour Windows XP (KB925902)
Mise à jour de sécurité pour Windows XP (KB926255)
Mise à jour de sécurité pour Windows XP (KB926436)
Mise à jour de sécurité pour Windows XP (KB927779)
Mise à jour de sécurité pour Windows XP (KB927802)
Mise à jour de sécurité pour Windows XP (KB928090)
Mise à jour de sécurité pour Windows XP (KB928255)
Mise à jour de sécurité pour Windows XP (KB928843)
Mise à jour de sécurité pour Windows XP (KB929969)
Mise à jour de sécurité pour Windows XP (KB930178)
Mise à jour de sécurité pour Windows XP (KB931261)
Mise à jour de sécurité pour Windows XP (KB931784)
Mise à jour de sécurité pour Windows XP (KB932168)
Mise à jour pour Windows XP (KB894391)
Mise à jour pour Windows XP (KB896727)
Mise à jour pour Windows XP (KB898461)
Mise à jour pour Windows XP (KB900485)
Mise à jour pour Windows XP (KB910437)
Mise à jour pour Windows XP (KB911280)
Mise à jour pour Windows XP (KB916595)
Mise à jour pour Windows XP (KB920872)
Mise à jour pour Windows XP (KB922582)
Mise à jour pour Windows XP (KB929338)
Mise à jour pour Windows XP (KB931836)
Module d'extension Picture It! Album de Future Shop
Mon centre de photo
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
QuickTime
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
Sony USB Driver
Sunbelt Personal Firewall
Tcl 8.0.5 for Windows
The Print Shop
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 2


Startup:


StartupList report, 2007-05-06, 18:48:15
StartupList version: 1.52.2
Started from : C:\Program Files\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PS2 = C:\WINDOWS\system32\ps2.exe
s3apphk = s3apphk.exe
hp 1000 firmware = C:\Program Files\hp LaserJet 1000\fwdl.exe
ISUSPM Startup = C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
ISUSScheduler = "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
hpsysdrv = c:\windows\system\hpsysdrv.exe
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
WindowsService = rundll32.exe "C:\WINDOWS\system32\xijaadeg.dll",realset
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
Heth = "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\wvuvstr.dll (file missing) - {80440127-2315-4464-88B9-7ACB72F43ADB}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\WINDOWS\system32\awtqp.dll - {A4860154-B9B3-4F8C-BB7E-D1746356B0D8}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - C:\WINDOWS\system32\danowggy.dll - {D651AFF4-9590-424d-BD1E-8E33E090DFB3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Rappel d'abonnement 1 auprès de l'ISP.job
Rappel d'abonnement 2 auprès de l'ISP.job
Rappel d'abonnement 3 auprès de l'ISP.job
Rappel d'enregistrement 1.job

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...kr.cab31267.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[AlternaTIFF ActiveX]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\alttiff.ocx
CODEBASE = http://www.alternati.../00/alttiff.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...er.cab31267.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://74747415.spac...ad/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1100374723461

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zon...ro.cab31267.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab56907.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zon...oF.cab31267.cab

[ZoneChess Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Chess.ocx
CODEBASE = http://messenger.zon...ss.cab31267.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 9 242 bytes
Report generated in 3,875 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Normal HJT:


Logfile of HijackThis v1.99.1
Scan saved at 18:56:42, on 2007-05-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\s3apphk.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {651F55E4-87D2-4FFC-AE8B-9B57B59356A1} - C:\WINDOWS\system32\wctjgikl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {80440127-2315-4464-88B9-7ACB72F43ADB} - C:\WINDOWS\system32\wvuvstr.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A4860154-B9B3-4F8C-BB7E-D1746356B0D8} - C:\WINDOWS\system32\awtqp.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\danowggy.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr-ca\msntb.dll
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [s3apphk] s3apphk.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xijaadeg.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://74747415.spac...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100374723461
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuvstr - wvuvstr.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Fichiers communs\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

#25
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Hi annegab,
Some of the infections keep reappearing. I'm hoping this fix will stop them. Fingers crossed. :whistling:

1.
Please download and install:
IE-SpyAd
puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
and
SpywareBlaster
Great prevention tool to keep nasties from installing on your system.

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread: http://www.geekstogo.com/forum/Click-to-find-fix-errors-icon-desktop-popups-t155708.html
  • Browse for this filename: C:\WINDOWS\system32\xijaadeg.dll
  • In the comments, please mention that I asked you to upload this file: SarahW
  • Click on Send File
2.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xijaadeg.dll",realset
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

3. Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

4. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\xijaadeg.dll
C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe


When you are finished, please reboot the computer normally, and post a new HijackThis log here in a reply. Also, please let me know of any problems you may have encountered.

3.
Open VundoFix.exe
  • Open VundoFix.exe.
  • Right click the white box in the middle, and select add more files
  • Add the following files:
    • C:\WINDOWS\system32\wctjgikl.dll
    • C:\WINDOWS\system32\awtqp.dll
    • C:\WINDOWS\system32\danowggy.dll
  • Click on the add files button
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

4.
Click Start, then Run, then type: services.msc
In this new window, click Action, then from the menu, select Export List.
Save it as something you will remember, to your desktop.
Post that log in your next reply.

5.
Post the Vundo log and a fresh Hijack This log in your next reply. Tell me how the computer is running. :blink:
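As an added illustration (not part of the thread, and not a HijackThis or Geeks to Go tool), the Python script below applies the same triage the helper did by hand to the O2, O4 and O20 lines of the log posted above: a BHO registered with no name, an entry whose file is missing, a Run key that uses rundll32 to load a DLL, a Run key that starts a program from the user's Application Data folder, and a Winlogon Notify package that is not on a known-good baseline, with a Winlogon Notify DLL that is also an unnamed BHO called out as such. The sample input is a constructed subset copied from the posted log. The one-entry baseline (WgaLogon.dll, the Windows Genuine Advantage Notifications package) is an assumption; a real baseline would be taken from a clean machine.

```python
"""Heuristic triage of HijackThis O2/O4/O20 lines (added example; not a tool from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O2, O4 and O20 lines copied from the HijackThis log posted in
# this thread, with benign neighbours kept so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {651F55E4-87D2-4FFC-AE8B-9B57B59356A1} - C:\WINDOWS\system32\wctjgikl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {80440127-2315-4464-88B9-7ACB72F43ADB} - C:\WINDOWS\system32\wvuvstr.dll (file missing)
O2 - BHO: (no name) - {A4860154-B9B3-4F8C-BB7E-D1746356B0D8} - C:\WINDOWS\system32\awtqp.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\danowggy.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xijaadeg.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Heth] "C:\DOCUME~1\PROPRI~1\APPLIC~1\ECURIT~1\dexplore.exe" -vt yazb
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuvstr - wvuvstr.dll (file missing)
"""

# Winlogon Notify packages accepted without a finding. Assumption: only WgaLogon.dll
# (Windows Genuine Advantage Notifications); a real baseline comes from a clean machine.
WINLOGON_NOTIFY_BASELINE = {"wgalogon.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First .exe/.dll path in a command line; quotes and commas end a path, spaces do not.
FILE_RE = re.compile(r'([^"\s,][^",]*?\.(?:exe|dll))\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: O2, O4 or O20
    path: str     # lower-cased file name the entry points at
    reason: str


def basename(path: str) -> str:
    """Lower-cased final path component, so 8.3 and long paths compare equal by file name."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def first_file(text: str) -> str:
    """Name of the first .exe/.dll referenced in a command line ('' if none)."""
    m = FILE_RE.search(text)
    return basename(m.group(1)) if m else ""


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per entry that matches a triage heuristic, in log order."""
    findings: list[Finding] = []
    unnamed_bhos: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            dll = basename(m["path"])
            if m["missing"]:
                findings.append(Finding("O2", dll, "BHO registration whose DLL is missing"))
            elif m["name"] == "(no name)":
                findings.append(Finding("O2", dll, "BHO registered without a name"))
                unnamed_bhos.add(dll)
        elif m := O20_RE.match(line):
            dll = basename(m["path"])
            if m["missing"]:
                findings.append(Finding("O20", dll, "Winlogon Notify package whose DLL is missing"))
            elif dll not in WINLOGON_NOTIFY_BASELINE:
                reason = "Winlogon Notify package not in baseline"
                if dll in unnamed_bhos:
                    reason += ", same DLL also registered as an unnamed BHO"
                findings.append(Finding("O20", dll, reason))
        elif m := O4_RE.match(line):
            cmd = m["command"]
            low = cmd.lower()
            if low.startswith("rundll32"):
                # rundll32 <dll>,<export>: the loaded DLL, not rundll32 itself, is the program.
                module = first_file(cmd.split(None, 1)[1] if " " in cmd else "")
                if module.endswith(".dll"):
                    findings.append(Finding("O4", module, "Run key uses rundll32 to load a DLL"))
            elif "\\applic~1\\" in low or "\\application data\\" in low:
                findings.append(Finding("O4", first_file(cmd),
                                        "Run key launches a program from the user's Application Data"))
    return findings


def flagged_files(findings: list[Finding]) -> list[str]:
    """Distinct file names named by the findings, sorted for stable reporting."""
    return sorted({f.path for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.path:<16}{f.reason}")
```

Run stand-alone it prints one line per finding. On the sample it names the five files the helper told the poster to remove (xijaadeg.dll, dexplore.exe, wctjgikl.dll, awtqp.dll, danowggy.dll) plus the orphaned wvuvstr.dll registration, and leaves the Adobe, Java, ctfmon and WGA entries alone. These are triage heuristics, not verdicts: a flagged file still has to be identified, which is why the helper also asked for xijaadeg.dll to be uploaded for analysis.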

#26
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
