Hi therock247uk,
Thanks for your fast reply and your help.
I've done what you said, and I post the new HijackThis log.
I've also run MWAV (I saw on another post that it gives good scanning features) and it found 3 threats: Alexa, AltNet, SrchAsst. I post a partial log.
Spybot and Ad-Aware say there is nothing malicious....
Moreover, when I want to disable the RPC service, all the functions are greyed out and I can't stop it or set it to manual start.
This is not good, I think. My PC has suffered some sporadic problems since before the trojan.
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:23:13, on 06/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\WIDCOMM\Logiciel Bluetooth\BTTray.exe
D:\PROGRA~1\WIDCOMM\LOGICI~1\BTSTAC~1.EXE
D:\WINDOWS\system32\drivers\CDAC11BA.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\notepad.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PRONoMgr.exe] D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {5DDCC37F-7C6B-48B8-9664-97C537920CA0} (aecviz Class) - http://www.maisonphe...om/npaecviz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107811824750
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...506/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - D:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
----------------------------------------------------
MWAV partial log
-----------------------------------------------
Mon Jun 06 18:07:57 2005 => **********************************************************
Mon Jun 06 18:07:57 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
Mon Jun 06 18:07:57 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Mon Jun 06 18:07:57 2005 => **********************************************************
Mon Jun 06 18:07:57 2005 => Version 6.2.9 (D:\DOCUME~1\exodus\LOCALS~1\Temp\mwavscan.com)
Mon Jun 06 18:07:57 2005 => Log File: D:\DOCUME~1\exodus\LOCALS~1\Temp\MWAV.LOG
Mon Jun 06 18:07:57 2005 => Last Scan Date and Time: 05.06.2005 20:21:35
Mon Jun 06 18:07:57 2005 => MWAV Registered: FALSE.
Mon Jun 06 18:07:57 2005 => MWAV Mode: Only Scan files.
Mon Jun 06 18:07:57 2005 => Database Path in KL Key: D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases.
Mon Jun 06 18:07:57 2005 => Latest Date of files in KL key: 06 Jun 2005 16:41:12.
Mon Jun 06 18:07:57 2005 => Latest Date of files inside MWAV: 29 May 2005 13:10:21.
Mon Jun 06 18:07:59 2005 => AV Library Loaded...
Mon Jun 06 18:07:59 2005 => MWAV doing self scanning...
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\kavss.exe
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\Getvlist.exe
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\kavss.dll
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\kavssdi.dll
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\kavssi.dll
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\kavvlg.dll
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\msvlclnt.dll
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\ipc.dll
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\main.avi
Mon Jun 06 18:07:59 2005 => Scanning File D:\DOCUME~1\exodus\LOCALS~1\Temp\virus.avi
Mon Jun 06 18:07:59 2005 => MWAV files are clean.
Mon Jun 06 18:08:02 2005 => Virus Database Date: 2005/06/06
Mon Jun 06 18:08:02 2005 => Virus Database Count: 125308
Mon Jun 06 18:08:24 2005 => **********************************************************
Mon Jun 06 18:08:24 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
Mon Jun 06 18:08:24 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Mon Jun 06 18:08:24 2005 =>
Mon Jun 06 18:08:24 2005 => Support: [email protected]
Mon Jun 06 18:08:24 2005 => Web: http://www.mwti.net
Mon Jun 06 18:08:24 2005 => **********************************************************
Mon Jun 06 18:08:24 2005 => Version 6.2.9 (D:\DOCUME~1\exodus\LOCALS~1\Temp\mwavscan.com)
Mon Jun 06 18:08:24 2005 => Log File: D:\DOCUME~1\exodus\LOCALS~1\Temp\MWAV.LOG
Mon Jun 06 18:08:24 2005 => User Account: exodus
Mon Jun 06 18:08:24 2005 => Windows Root Folder: D:\WINDOWS
Mon Jun 06 18:08:24 2005 => Windows Sys32 Folder: D:\WINDOWS\System32
Mon Jun 06 18:08:24 2005 => OS: Windows NT
Mon Jun 06 18:08:24 2005 => Database Path in KL Key: D:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases.
Mon Jun 06 18:08:24 2005 => Latest Date of files in KL key: 06 Jun 2005 16:41:12.
Mon Jun 06 18:08:24 2005 => Latest Date of files inside MWAV: 29 May 2005 13:10:21.
Mon Jun 06 18:08:24 2005 => Options Selected by User:
Mon Jun 06 18:08:24 2005 => Memory Check: Enabled
Mon Jun 06 18:08:24 2005 => Registry Check: Enabled
Mon Jun 06 18:08:24 2005 => StartUp Folder Check: Enabled
Mon Jun 06 18:08:24 2005 => System Folder Check: Enabled
Mon Jun 06 18:08:24 2005 => System Area Check: Disabled
Mon Jun 06 18:08:24 2005 => Services Check: Enabled
Mon Jun 06 18:08:24 2005 => Drive Check: Enabled
Mon Jun 06 18:08:24 2005 => All Drive Check :Disabled
Mon Jun 06 18:08:24 2005 => Drive Selected = C:\
Mon Jun 06 18:08:24 2005 => Folder Check: Disabled
////////////////////
Mon Jun 06 18:08:45 2005 => *** File D:\WINDOWS\System32\nvcpl.dll having Size Restriction ***. Filesize 4508 kb > 3072 kb...
Mon Jun 06 18:08:45 2005 => Scanning File D:\WINDOWS\System32\nvcpl.dll [**]
Mon Jun 06 18:08:45 2005 => *** File D:\WINDOWS\System32\nvcpl.dll having Size Restriction ***. Filesize 4508 kb > 3072 kb...
Mon Jun 06 18:08:45 2005 => Scanning File D:\WINDOWS\System32\nvcpl.dll [**]
//////////////////
Mon Jun 06 18:08:45 2005 => ERROR!!! Invalid Entry {596AB062-B4D2-4215-9F74-E9109B0A8153} = D:\WINDOWS\System32\twext.dll (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved). No Action Taken.
Mon Jun 06 18:08:45 2005 => ERROR!!! Invalid Entry {9DB7A13C-F208-4981-8353-73CC61AE2783} = D:\WINDOWS\System32\twext.dll (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved). No Action Taken.
///////////////////
Mon Jun 06 18:08:56 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Mon Jun 06 18:09:03 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Mon Jun 06 18:09:03 2005 => Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Mon Jun 06 18:09:04 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Mon Jun 06 18:09:04 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Mon Jun 06 18:09:04 2005 => Offending value found in HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\SearchAssistant !!!
Mon Jun 06 18:09:04 2005 => Object "SrchAsst Spyware/Adware" found in File System! Action Taken: No Action Taken.
---------------------------------
THANKS A LOT FOR YOUR HELP AND YOUR KNOWLEDGE