Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

FRUSTRATED


  • Please log in to reply

#1
souz72

souz72

    New Member

  • Member
  • Pip
  • 8 posts
To Anyone and Everyone Who May be of Assistance,

I have been dealing with a trojan horse virus, or several, cleverly disguised for over a month now and it's getting worse.

The message at the boot-up of my cable connected laptop tells me that there is a problem finding the "p2esocks.dll" extension.

I have no idea what this means, and my laptop is shutting down many times a day at this point.

I have cleared much of the memory, followed the instructions listed on this site, ran Spybot, as well as House Call.

Upon the onset of the House Call scan, I rec'd the message:
"House Call has found and cleaned a malware. WORM_DOOMHUNTR.A TROJ_WINTRIM.W"

However, this was not put in the log.

The scan log lists 18 non-cleanable infected files.

Here is the result of the log:

TROJ REVOP.F C:\WINNT\system32\ll_hpm.exe
TROJ REVOP.F C:\WINNT\system32\playd.exe
TROJ REVOP.F C:\WINNT\system32\astopenf.exe
TROJ REVOP.F C:\WINNT\system32\nmddm.exe
TROJ REVOP.F C:\WINNT\system32\H ActiveXH...
TROJ REVOP.F C:\WINNT\system32\frgresd.exe
TROJ REVOP.F C:\WINNT\system32\asctrsr.exe
TROJ REVOP.F C:\WINNT\system32\XBLCFGL...
TROJ REVOP.F C:\WINNT\system32\3CODECAL...
TROJ REVOP.F C:\WINNT\system32\s2o.exe "CANNOT ACCESS NOTED"
TROJ REVOP.F C:\WINNT\system32\sacm32m.e...
TROJ MSLAGENT.A C:\WINNT\system32\msklive.dll
TROJ REVOP.F C:\WINNT\system32\EYBOARD...
TROJ REVOP.F C:\WINNT\system32\BAXFRC.exe
TROJ REVOP.F C:\WINNT\system32\sclestip.exe
TROJ WINTRIM.CD C:\WINNT\tmlpmg.exe
TROJ BISPY.A C:\WINNT\prelnsBI.exe
TROJ REVOP.F C:\WINNT\actulice.exe

I deleted all files, except for the one listed as "CANNOT ACCESS", as apparently was in use, although I have no idea where or why.

This is the result of the Hijack This scan, done after the House Call scan:

Logfile of HijackThis v1.99.0
Scan saved at 14:50:17, on 09/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
C:\WINNT\system32\desktop.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\internat.exe
C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Weatherscope\Weatherscope.exe
C:\WINNT\system32\s2o.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lee\Bureau\PROGRAMS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.fra.chel...url=home&src=ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par chello broadband n.v.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.chello.fr:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NsUpdate] C:\WINNT\NsUpdate.exe UPDATE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [cryptsysx] C:\WINNT\system32\datacrypt.exe %srun%
O4 - HKLM\..\Run: [desktop] C:\WINNT\system32\desktop.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [s2o] C:\WINNT\system32\s2o.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1030.dll,InstantAccess
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Weatherscope.lnk = C:\Program Files\Weatherscope\Weatherscope.exe
O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.fra.chello.fr/ssi/welcome/welcome.php?url=home&src=ie
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...aries/IA/ia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...upldr-2k-xp.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...netslv32_FR.cab
O23 - Service: Avertissement - Unknown - C:\WINNT\System32\services.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Gestion d'applications - Unknown - C:\WINNT\system32\services.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Explorateur d'ordinateur - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Client DHCP - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gestionnaire de disque logique - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Client DNS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Journal des événements - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Service de télécopie - Unknown - C:\WINNT\system32\faxsvc.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Serveur - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Station de travail - Unknown - C:\WINNT\System32\services.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Service d'application d'assistance TCP/IP NetBIOS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Affichage des messages - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINNT\System32\mnmsrvc.exe
O23 - Service: DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: DSDM DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: Ouverture de session réseau - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: Fournisseur de la prise en charge de sécurité LM NT - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: Plug-and-Play - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Agent de stratégie IPSEC - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: Emplacement protégé - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire de comptes de sécurité - Unknown - C:\WINNT\system32\lsass.exe
O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Carte à puce - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Planificateur de tâches - Unknown - C:\WINNT\system32\MSTask.exe
O23 - Service: Service d'exécution par délégation - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINNT\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINNT\system32\tlntsvr.exe
O23 - Service: Client de suivi de lien distribué - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire d'utilitaires - Unknown - C:\WINNT\System32\UtilMan.exe
O23 - Service: Horloge Windows - Unknown - C:\WINNT\System32\services.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Infrastructure de gestion Windows - Unknown - C:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: Extensions du pilote WMI - Unknown - C:\WINNT\system32\Services.exe


If anyone can please let me know what to do next, I would greatly appreciate the assistance.

Please send a copy of the response to my hotmail address listed below as well.


Merci,

Suzanne.
laboite_sl@hotmail.com
  • 0

Advertisements


#2
souz72

souz72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Quick note...

After having sent off the previous message, I found the file which could not be accessed, and deleted it in the registry panel.

I also found the p2esocks.dll extension under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run

I deleted the file: "Instant Access"=rundll32.exepsocks_1021.dll, Instant Access.

In the event that there is more to do in order to fully exterminate this [bleep], please let me know asap!


Merci encore une fois,

Suzanne.
laboite_sl@hotmail.com
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - SOFTWARE - (no file)

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll

O4 - HKLM\..\Run: [NsUpdate] C:\WINNT\NsUpdate.exe UPDATE

O4 - HKLM\..\Run: [cryptsysx] C:\WINNT\system32\datacrypt.exe %srun%
O4 - HKLM\..\Run: [desktop] C:\WINNT\system32\desktop.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

O4 - HKLM\..\Run: [s2o] C:\WINNT\system32\s2o.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1030.dll,InstantAccess
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...aries/IA/ia.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx

Reboot into safe mode and delete:
C:\Program Files\Date Manager <= entire folder
C:\Program Files\IEMenuExtension <= entire folder

Please read:
http://www.f-secure..../sdbot_md.shtml

Regards,

Pieter
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Suzanne,

I was glad to get your message that you were successful. :tazz:

Do post back with a new log however, so we can check.

Regards,

Pieter
  • 0

#5
souz72

souz72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Dear Pieter,

Here is the updated log via Hijack This:

Logfile of HijackThis v1.99.0
Scan saved at 23:58:24, on 09/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\internat.exe
C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program Files\Weatherscope\Weatherscope.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\sidlpmm.exe
C:\Documents and Settings\Lee\Bureau\PROGRAMS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.fra.chel...url=home&src=ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par chello broadband n.v.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.chello.fr:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [sidlpmm] C:\WINNT\system32\sidlpmm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Weatherscope.lnk = C:\Program Files\Weatherscope\Weatherscope.exe
O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.fra.chello.fr/ssi/welcome/welcome.php?url=home&src=ie
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...upldr-2k-xp.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...netslv32_FR.cab
O23 - Service: Avertissement - Unknown - C:\WINNT\System32\services.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Gestion d'applications - Unknown - C:\WINNT\system32\services.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Explorateur d'ordinateur - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Client DHCP - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gestionnaire de disque logique - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Client DNS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Journal des événements - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Service de télécopie - Unknown - C:\WINNT\system32\faxsvc.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Serveur - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Station de travail - Unknown - C:\WINNT\System32\services.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Service d'application d'assistance TCP/IP NetBIOS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Affichage des messages - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINNT\System32\mnmsrvc.exe
O23 - Service: DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: DSDM DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: Ouverture de session réseau - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: Fournisseur de la prise en charge de sécurité LM NT - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: Plug-and-Play - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Agent de stratégie IPSEC - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: Emplacement protégé - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire de comptes de sécurité - Unknown - C:\WINNT\system32\lsass.exe
O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Carte à puce - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Planificateur de tâches - Unknown - C:\WINNT\system32\MSTask.exe
O23 - Service: Service d'exécution par délégation - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINNT\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINNT\system32\tlntsvr.exe
O23 - Service: Client de suivi de lien distribué - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire d'utilitaires - Unknown - C:\WINNT\System32\UtilMan.exe
O23 - Service: Horloge Windows - Unknown - C:\WINNT\System32\services.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Infrastructure de gestion Windows - Unknown - C:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: Extensions du pilote WMI - Unknown - C:\WINNT\system32\Services.exe


Please confirm that I have taken all necessary measures to eliminate the virus/virae from my system.


Merci,

Suzanne.
laboite_sl@hotmail.com
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
I think there is one more to take care of.

In HijackThis click Config > Misc Tools > delete a file on reboot and choose:
C:\WINNT\system32\sidlpmm.exe

Reboot when prompted and fix this entry:
O4 - HKLM\..\Run: [sidlpmm] C:\WINNT\system32\sidlpmm.exe

Let me know if it has changed to someting else.

Regards,

Pieter
  • 0

#7
souz72

souz72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Pieter,

sidlpmm.exe is not listed under the system 32 dir.

anything else i can to do verify?

Merci,

Suzanne.
  • 0

#8
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Be sure you're able to view hidden and system files: http://www.xtra.co.n...1916458,00.html
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP