
Redirect Virus Hijackthis here


#1 jmich
I formatted yesterday, but it looks like I installed the Redirect virus with my program :) I know which one, but I can't keep it uninstalled. Thanks for the help :)

I have Spybot, Avast and HijackThis on my computer, and before I formatted my computer, A LOT of iexplore.exe processes were active at the same time, taking all my CPU and memory (sorry for my English). Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:15, on 2009-02-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\WINXP\system32\RunDll32.exe
C:\WINXP\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINXP\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: D - {F5FAEAAB-B977-34B3-A3FE-7A212C44D21D} - C:\WINXP\system32\gl88048.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-21-1631483155-2544304349-1075719637-500\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe (User 'Administrateur')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1234077159234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe

--
End of file - 6450 bytes

Edited by jmich, 08 February 2009 - 11:24 AM.


#2 jmich
Can no one help me, please?

This is my ComboFix report:

ComboFix 09-02-08.01 - Maison 2009-02-08 16:25:28.1 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.3326.2854 [GMT -5:00]
Lancé depuis: d:\mes documents\Bureau\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 081110-1] *On-access scanning disabled* (Outdated)
* Un nouveau point de restauration a été créé

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

((((((((((((((((((((((((((((( Fichiers créés du 2009-01-08 au 2009-02-08 ))))))))))))))))))))))))))))))))))))
.

2009-02-08 12:13 . 2009-02-08 12:13 <REP> d-------- c:\winxp\Sun
2009-02-08 12:04 . 2009-02-08 12:04 <REP> d-------- c:\program files\Trend Micro
2009-02-08 11:53 . 2009-02-08 11:53 <REP> d-------- c:\program files\Spybot - Search & Destroy
2009-02-08 11:53 . 2009-02-08 11:53 <REP> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 03:21 . 2009-02-08 03:21 <REP> d-------- c:\program files\uTorrent
2009-02-08 03:20 . 2009-02-08 03:20 <REP> d-------- c:\documents and settings\Maison\Application Data\uTorrent
2009-02-08 03:01 . 2009-02-08 03:01 178,688 --a------ c:\program files\KB38864.exe
2009-02-08 03:01 . 2009-02-08 03:01 172,032 --a------ c:\winxp\system32\gl88048.dll
2009-02-08 02:56 . 2008-10-16 14:06 268,648 --a------ c:\winxp\system32\mucltui.dll
2009-02-08 02:56 . 2008-10-16 14:06 208,744 --a------ c:\winxp\system32\muweb.dll
2009-02-08 02:56 . 2008-10-16 14:06 27,496 --a------ c:\winxp\system32\mucltui.dll.mui
2009-02-08 02:54 . 1998-10-29 16:45 306,688 --a------ c:\winxp\IsUninst.exe
2009-02-08 02:47 . 2009-02-08 02:47 <REP> d-------- c:\documents and settings\Maison\Application Data\Autodesk
2009-02-08 02:46 . 2009-02-08 02:46 <REP> d-------- c:\program files\Fichiers communs\Macrovision Shared
2009-02-08 02:46 . 2009-02-08 02:46 <REP> d-------- c:\program files\Fichiers communs\Autodesk Shared
2009-02-08 02:46 . 2009-02-08 02:46 <REP> d-------- c:\program files\Autodesk
2009-02-08 02:46 . 2009-02-08 02:46 <REP> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-08 02:46 . 2009-02-08 02:46 <REP> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2009-02-08 02:45 . 2009-02-08 02:45 <REP> d-------- C:\Autodesk
2009-02-08 02:45 . 2009-02-08 02:45 56,210,584 --a------ c:\winxp\system32\xa2381281.exe
2009-02-08 02:45 . 2009-02-08 02:45 56,210,584 --a------ c:\winxp\system32\xa2378750.exe
2009-02-08 02:45 . 2009-02-08 02:45 172,032 --a------ c:\winxp\system32\xwr88167.dll
2009-02-08 02:45 . 2009-02-08 02:45 172,032 --a------ c:\winxp\system32\wr88167.dll
2009-02-08 02:43 . 2009-02-08 02:43 <REP> d-------- c:\program files\VLC
2009-02-08 02:43 . 2009-02-08 02:43 <REP> d-------- c:\program files\Red Eye Remover Pro
2009-02-08 02:16 . 2009-02-08 02:16 <REP> d-------- c:\program files\Windows Live
2009-02-08 02:16 . 2009-02-08 02:16 <REP> d--hs---- c:\program files\Fichiers communs\WindowsLiveInstaller
2009-02-08 02:16 . 2009-02-08 02:16 <REP> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2009-02-08 02:12 . 2009-02-08 02:12 <REP> d-------- c:\winxp\LastGood
2009-02-08 02:12 . 2009-02-08 02:12 410,984 --a------ c:\winxp\system32\deploytk.dll
2009-02-08 02:12 . 2009-02-08 02:12 73,728 --a------ c:\winxp\system32\javacpl.cpl
2009-02-08 02:09 . 2009-02-08 02:09 <REP> d-------- c:\documents and settings\Maison\Contacts
2009-02-08 02:07 . 2009-02-08 02:07 <REP> d--hs---- C:\Recycled
2009-02-08 02:07 . 2004-08-04 00:54 21,504 --a------ c:\winxp\system32\hidserv.dll
2009-02-08 02:07 . 2004-08-04 00:54 21,504 --a------ c:\winxp\system32\dllcache\hidserv.dll
2009-02-08 02:07 . 2004-08-04 00:45 14,848 --a------ c:\winxp\system32\drivers\kbdhid.sys
2009-02-08 02:07 . 2004-08-04 00:45 14,848 --a------ c:\winxp\system32\dllcache\kbdhid.sys
2009-02-08 02:07 . 2001-08-23 17:04 12,288 --a------ c:\winxp\system32\drivers\mouhid.sys
2009-02-08 02:07 . 2001-08-23 17:04 12,288 --a------ c:\winxp\system32\dllcache\mouhid.sys
2009-02-08 02:07 . 2001-08-17 22:02 9,600 --a------ c:\winxp\system32\drivers\hidusb.sys
2009-02-08 02:07 . 2001-08-17 22:02 9,600 --a------ c:\winxp\system32\dllcache\hidusb.sys
2009-02-08 02:06 . 2004-08-03 23:08 31,616 --a------ c:\winxp\system32\drivers\usbccgp.sys
2009-02-08 02:06 . 2004-08-03 23:08 31,616 --a------ c:\winxp\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-03-11 18:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5FAEAAB-B977-34B3-A3FE-7A212C44D21D}]
2009-02-08 03:01 172032 --a------ c:\winxp\system32\gl88048.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-04-06 1298542]
"NeroFilterCheck"="c:\winxp\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\winxp\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\winxp\system32\NvMcTray.dll" [2007-12-05 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2007-12-05 c:\winxp\system32\nwiz.exe]
"Raccourci vers la page des propriétés de High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 c:\winxp\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\winxp\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Adobe Gamma Loader.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2009-02-08 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\winxp\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\winxp\system32\drivers\aswFsBlk.sys [2008-07-19 20560]
R3 cmudax;C-Media High Definition Audio Interface;c:\winxp\system32\drivers\cmudax.sys [2005-05-12 1287296]
S2 AtiBt829;ATI WDM Bt829 Video (Microsoft);c:\winxp\system32\drivers\ati1btxx.sys [2004-08-03 56623]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - APPMGMT
*NewlyCreated* - FLEXNET_LICENSING_SERVICE
*NewlyCreated* - HIDSERV
*NewlyCreated* - HTTPFILTER
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - WLSETUPSVC
*NewlyCreated* - WMIAPSRV

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7d3b7c1-aebd-11db-a5ff-806d6172696f}]
\Shell\AutoRun\command - e:\autorun\Demo.exe
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 16:26:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
Heure de fin: 2009-02-08 16:27:08
ComboFix-quarantined-files.txt 2009-02-08 21:27:08

Avant-CF: 15 021 260 800 octets libres
Après-CF: 15,042,445,312 octets libres

135 --- E O F --- 2008-11-10 14:20:33

Edited by jmich, 08 February 2009 - 03:29 PM.

