Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't get rid of malware rdsndin.exe [RESOLVED]

Started by stism , Aug 04 2005 01:10 AM

  • This topic is locked This topic is locked

#1
stism
Posted 04 August 2005 - 01:10 AM

stism

    Member

  • Member
  • PipPip
  • 13 posts
Symptom: everytime I reboot my PC and launch IE, Netshield detects following virus: C:\WINNT\system32\rdsndin.exe Spy-Agent.i .. then "baloon" appears, with typo and finally PC performance becomes very slow and unusable
None of the half-dozen antispyware I am using get rid of these either.

I run W2K with SP4. IE 6
Looks like a lot of forum members have found similar issues. Not clear if and how they could get rid of these for good. Please help
StismAttached File  hijackthis_Aug04.txt   5.36KB   236 downloads

Edited by stism, 04 August 2005 - 03:25 AM.

  • 0

Advertisements

#2
Crustyoldbloke
Posted 04 August 2005 - 04:31 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Stism and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get under way, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. The bad news is that one of the infections is Wareout Root Kit, a real nasty, but it is fixable in four stages. Let’s see what we can do with the first sweep.

FIRST POST

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#3
stism
Posted 04 August 2005 - 04:54 AM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thx for your prompt answer. To answer your questions: Yes, this is a family PC used by several different individuals. Yes, I have administrator's right. Yes, I have already used Safe Mode. You mention WareOut, I thought I had completely got rid of it by fixing the registry 3 weeks ago. Looks like it is nastier than I thought.
I will let you when I have completed the first step lof the action plan ater today. And thanks again for your support
  • 0

#4
Crustyoldbloke
Posted 04 August 2005 - 05:09 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

When we have successfully removed Wareout, I shall want to see a HijackThis log for each PC user with their own logon (if they just use the PC, and you all use the same logon, then I shall not want to see any other).
  • 0

#5
stism
Posted 04 August 2005 - 09:57 AM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is the content of Startup program:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"Yahoo! Pager" = "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet" [file not found]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"browsebar" = "321102.exe" [file not found]
"killall" = "ERTYDF.exe" [file not found]
"ActionScr" = "srbho.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Matrox Powerdesk" = "C:\WINNT\System32\PDesk.exe /Autolaunch" ["Matrox Graphics Inc."]
"MWProEng" = "C:\Program Files\MouseWarePro\MWProEng.exe" ["Logitech Inc."]
"HpMmKbd" = "HpMmKbd.exe" ["Hewlett-Packard Corp."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"ShStatEXE" = ""C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE" ["Network Associates Inc."]
"BearShare" = "J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"LoadQM" = "loadqm.exe" [MS]
"windows auto update" = (empty string)
"Microsoft Inet Xp.." = (empty string)
"CXMon" = ""D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"" ["Hewlett-Packard Company"]
"Share-to-Web Namespace Daemon" = "D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"CamMonitor" = "D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe" [empty string]
"QuickTime Task" = ""C:\program files\quicktime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"HPDJ Taskbar Utility" = "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"NeroCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"runload32" = "SysSupport.exe" [file not found]
"gcasServ" = ""C:\Program Files\Spyware Microsoft executable\gcasServ.exe"" [MS]
"hclean32.exe" = "C:\WINNT\system32\hclean32.exe" [null data]
"hgqhp.exe" = "C:\WINNT\system32\hgqhp.exe" [file not found]
"CreateCD50" = "C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02DCA195-602B-4B1F-83FF-381B7E804BDB}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\HDBHO.dll" [null data]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{DBE9EB93-FE98-4629-8534-5801A36864A7}" = "Nike psa[128max PlayerShell Hook"
-> {CLSID}\InProcServer32\(Default) = "psa128h.dll" ["Nike, Inc."]
"{EA588C8B-066E-4220-91D5-F921AA603DF4}" = "NOMAD MuVoShell Hook"
-> {CLSID}\InProcServer32\(Default) = "MuVoh.dll" ["Creative Technology Ltd."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Dossier de téléchargement Share-to-Web "
-> {CLSID}\InProcServer32\(Default) = "D:\HPPhotosmart720\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spyware Microsoft executable\shellextension.dll" [MS]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)
"run" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csjtw.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "I:\Chris documents\Photos\Photos Noel 01\vue de St Hilaire.jpg"


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\Winzip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 08, 11 - 32
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

{F4FBA929-A891-492C-A0F6-5C79CC4F1742}\
"ButtonText" = "HiDownload"
"Exec" = "C:\PROGRA~1\HIDOWN~1\hidownload.exe" ["HiDownload Software"]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SAFESITE_VALUE="http://home.microsof...t.com/intl/fr/"

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
Network Associates Alert Manager, AlertManager, "C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, "C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE" ["Network Associates, Inc."]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 101 seconds, including 18 seconds for message boxes)
  • 0

#6
Crustyoldbloke
Posted 04 August 2005 - 10:03 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
SECOND POST

Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log with be saved at c:\log.txt

  • 0

#7
stism
Posted 04 August 2005 - 11:02 AM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It took 50' and a few errors ( in particular could not find strings in C://WINNT. I had it on the desktop as mentionned in your instructions) to get the following log file

C:\Documents and Settings\Administrateur\Bureau

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\dvdaudio.ax: UPX!
C:\WINNT\system32\ntfsnlpa.exe: UPX!
C:\WINNT\system32\msexnpfi.exe: UPX!
C:\WINNT\system32\FraunhoferAudio.ax: UPX!
C:\WINNT\system32\FraunhoferVideo.ax: UPX!
C:\WINNT\system32\msexnpbi.exe: FSG!

Files Found in all users startup Folder............
------------------------
C:\WINNT\system32\dvdaudio.ax: UPX!
C:\WINNT\system32\ntfsnlpa.exe: UPX!
C:\WINNT\system32\msexnpfi.exe: UPX!
C:\WINNT\system32\FraunhoferAudio.ax: UPX!
C:\WINNT\system32\FraunhoferVideo.ax: UPX!
C:\WINNT\system32\msexnpbi.exe: FSG!
Files Found in all users windows Folder............
------------------------
C:\WINNT\rem.exe: UPX!
C:\WINNT\reml.exe: UPX!
C:\WINNT\kkugpbjxjfa.exe: UPX!
Finished
bye
  • 0

#8
Crustyoldbloke
Posted 04 August 2005 - 11:26 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Don't worry, you're doing fine. This is the tricky bit, I just hope I haven't missed anything!

THIRD POST

• Please download the Killbox by Option^Explicit.* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINNT\system32\hclean32.exe
C:\WINNT\system32\HDBHO.dll
csjtw.exe
C:\WINNT\kkugpbjxjfa.exe
C:\WINNT\reml.exe
C:\WINNT\rem.exe
C:\WINNT\system32\msexnpbi.exe
C:\WINNT\system32\msexnpfi.exe
C:\WINNT\system32\ntfsnlpa.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.
After reboot, post a new HiJackThis log here.
  • 0

#9
stism
Posted 04 August 2005 - 11:45 AM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I have completed stage 3 , after reboot I do not find any of the files that were to be deleted

Edited by stism, 04 August 2005 - 11:45 AM.

  • 0

#10
Crustyoldbloke
Posted 04 August 2005 - 11:55 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
That is as it should be (en effet, parfait). The bad files are killed at reboot, therefore you should not be able to find them.

But I need a HijackThis log to analyse please.

Also, I noticed that there is a picture of St Hilaire on your PC. Is this the one close to St Jean du Monts in the Vendee?
  • 0

Advertisements

#11
stism
Posted 04 August 2005 - 12:36 PM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Please find herebelow the log file for the administrator's account. Do you need it for the 4 other user accounts on this PC? or just a sample of them?

Logfile of HijackThis v1.99.1
Scan saved at 20:19:53, on 04/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [browsebar] 321102.exe
O4 - HKCU\..\Run: [killall] ERTYDF.exe
O4 - HKCU\..\Run: [ActionScr] srbho.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O15 - Trusted Zone: http://www.boursorama.com
O15 - Trusted Zone: http://www.wanadoo.fr
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 69.50.xxxxxxx
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 69.50.xxx.xxxxx
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
  • 0

#12
Crustyoldbloke
Posted 04 August 2005 - 01:06 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
We must first of all ensure that the root kit is dead before proceeding further with the other users. Please complete the next stage and then I will look at the other users.

FOURTH POST

Make sure you are disconnected from the Internet and that all programmes and windows are closed. Run HiJackThis. Place a check mark or tick next to the following items and click FIX CHECKED:

O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 69.50.xxxxxxx
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 69.50.xxx.xxxxx
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5

Close HiJackThis.

Now lets check some settings on your system.
  • Go to Start > Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties.
  • Click the Networking tab.
  • Double-Click on the Internet Protocol (TCP/IP) item.
  • Select the radio dial that says Obtain DNS Servers Automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks.
Make sure to reboot and post back a new HiJackThis log into this topic.
  • 0

#13
stism
Posted 04 August 2005 - 03:45 PM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I followed the various steps (except the DNS, I had to enter the addresses provided by my Internet Access Provider) and here is the result for the Administrator's account:
=================================================
Logfile of HijackThis v1.99.1
Scan saved at 23:29:22, on 04/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [browsebar] 321102.exe
O4 - HKCU\..\Run: [killall] ERTYDF.exe
O4 - HKCU\..\Run: [ActionScr] srbho.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O15 - Trusted Zone: http://www.boursorama.com
O15 - Trusted Zone: http://www.wanadoo.fr
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
  • 0

#14
stism
Posted 04 August 2005 - 05:16 PM

stism

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Please find below the HJT logs for the other PC users. some clean up is necessary, I notice some remainings of about:blank which hit us a year ago
====================================
user2:
Logfile of HijackThis v1.99.1
Scan saved at 00:46:20, on 05/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
====================================================
user3:

Logfile of HijackThis v1.99.1
Scan saved at 00:48:21, on 05/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...iteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...iteyouneed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HJT\HijackThis.exe /startupscan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
===================================================
user4:
Logfile of HijackThis v1.99.1
Scan saved at 00:51:32, on 05/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
===================================================
user5:
Logfile of HijackThis v1.99.1
Scan saved at 00:56:05, on 05/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ELÉ\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PowerProf] PowerProf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
=====================================================
user6:
Logfile of HijackThis v1.99.1
Scan saved at 00:59:47, on 05/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Hp_Info\Default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINNT\system32\HDBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BearShare] J:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /m
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CXMon] "D:\HPPhotosmart720\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\HPPhotosmart720\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\HPPhotosmart720\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Spyware Microsoft executable\gcasServ.exe"
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{9138EA5E-EA80-47D4-BFD1-034D09F39D12}: NameServer = 193.252.19.3,193.252.19.4
O23 - Service: Network Associates Alert Manager (AlertManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\AMGRSRVC.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\NetShield NT\MCSHIELD.EXE
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\PROGRA~1\NETWOR~1\NETSHI~1\VSTSKMGR.EXE
  • 0

#15
Crustyoldbloke
Posted 04 August 2005 - 05:26 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

It looks as though Wareout RK is still present. I can not think of any reason other than Microsoft Antispyware being responsible for restoring previous registry settings and adjusting them accordingly.

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled) then click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {39D8849D-9854-428A-8F41-AF939B6AB8F9} - (no file)
O4 - HKLM\..\Run: [runload32] SysSupport.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\system32\hclean32.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKCU\..\Run: [browsebar] 321102.exe
O4 - HKCU\..\Run: [killall] ERTYDF.exe
O4 - HKCU\..\Run: [ActionScr] srbho.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

SysSupport.exe
C:\WINNT\system32\hclean32.exe
C:\WINNT\system32\hgqhp.exe
321102.exe
ERTYDF.exe
srbho.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt..

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log for this user and I will take another look.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP