Dear all,
First of all, I'd like to thank whoever will be able to help me, and also the mods and helpers on this site. I've been here on the past to gather information, and it is a great site.
So, here's the story. My antivirus (avast) alerted me a couple of days ago that a number of viruses and trojans were trying to penetrate my computer; some of them succeeded. I ran avast, as well as my antispyare programmes (CCleaner, Ad-Aware, and Spybot). It helped me eliminate a dozen malwares, but I keep having this window poping up telling me "Warning! Potential Spyware Operation! Your Computer is making..... Click YES to download spyware remover" (I refuse). It appears ever 5 minutes or so. Moreover, I completely lost access to the registry, control panel, and alt-ctrl-delete functions (I downloaded Vilma, but the files reappear each time I restart the PC). Also, I have the feeling that some files are suspect (timoty.exe, etc.).
So, I came here and followed your instructions. It found me a few spywares (like spools.exe), but the issue remains: I receive the same pop-up, which tells me that there are still issues on my computer. So, I would be so happy if somebody could tell me where the problem lies! Thank you so much in advance!
Bitdefender
BitDefender Online Scanner - Real Time Virus Report
Generated at: Sat, Nov 24, 2007 - 22:51:29
--------------------------------------------------------------------------------
Scan Info
Scanned Files
257278
Infected Files
1
Virus Detected
Trojan.Crypt.AB
1
--------------------------------------------------------------------------------
This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.
SUPERAntispyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/25/2007 at 00:05 AM
Application Version : 3.9.1008
Core Rules Database Version : 3349
Trace Rules Database Version: 1349
Scan type : Complete Scan
Total Scan Time : 01:08:19
Memory items scanned : 517
Memory threats detected : 1
Registry items scanned : 5197
Registry threats detected : 1
File items scanned : 43753
File threats detected : 27
Worm.Rbot-LD
C:\WINDOWS\SYSTEM32\SPOOLS.EXE
C:\WINDOWS\SYSTEM32\SPOOLS.EXE
[dumprep] C:\WINDOWS\SYSTEM32\SPOOLS.EXE
C:\WINDOWS\Prefetch\SPOOLS.EXE-26BA5B7B.pf
Adware.Tracking Cookie
C:\Documents and Settings\michael\Cookies\michael@ad1.emediate[2].txt
C:\Documents and Settings\michael\Cookies\michael@a[1].txt
C:\Documents and Settings\michael\Cookies\michael@msnportal.112.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@adbrite[2].txt
C:\Documents and Settings\michael\Cookies\michael@0-www.sciencedirect.com.serlib0.essex.ac[1].txt
C:\Documents and Settings\michael\Cookies\michael@weborama[1].txt
C:\Documents and Settings\michael\Cookies\michael@xiti[1].txt
C:\Documents and Settings\michael\Cookies\michael@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@ads.prospect[1].txt
C:\Documents and Settings\michael\Cookies\michael@revsci[1].txt
C:\Documents and Settings\michael\Cookies\michael@nhl.112.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@cgi-bin[2].txt
C:\Documents and Settings\michael\Cookies\michael@adopt.euroclick[2].txt
C:\Documents and Settings\michael\Cookies\michael@adserver.mediarun[1].txt
C:\Documents and Settings\michael\Cookies\michael@serving-sys[2].txt
C:\Documents and Settings\michael\Cookies\michael@smartadserver[1].txt
C:\Documents and Settings\michael\Cookies\michael@tribalfusion[1].txt
C:\Documents and Settings\michael\Cookies\michael@tacoda[1].txt
C:\Documents and Settings\michael\Cookies\michael@4.adbrite[1].txt
C:\Documents and Settings\michael\Cookies\michael@questionmarket[1].txt
C:\Documents and Settings\michael\Cookies\michael@com.serlib0.essex.ac[2].txt
C:\Documents and Settings\michael\Cookies\michael@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\michael\Cookies\michael@bs.serving-sys[2].txt
C:\Documents and Settings\michael\Cookies\michael@metacafe.122.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@ads.canalblog[1].txt
AVG Anti-spyware
---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------
+ Créé à: 00:25:21 24.11.2007
+ Résultat de l'analyse:
C:\WINDOWS\devadwp.exe -> Downloader.Wixud.j : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@247realmedia[1].txt -> TrackingCookie.247realmedia : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@4.adbrite[2].txt -> TrackingCookie.Adbrite : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@adbrite[2].txt -> TrackingCookie.Adbrite : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@overture[1].txt -> TrackingCookie.Overture : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@questionmarket[2].txt -> TrackingCookie.Questionmarket : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@revsci[2].txt -> TrackingCookie.Revsci : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@serving-sys[1].txt -> TrackingCookie.Serving-sys : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@tacoda[1].txt -> TrackingCookie.Tacoda : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@weborama[1].txt -> TrackingCookie.Weborama : Aucune action entreprise.
Fin du rapport
HighJackThis
Logfile of HijackThis v1.99.1
Scan saved at 00:45:08, on 25.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\msanton.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\Program Files\Norman \NPF\NPFMSG.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Norman \NPF\NPFSVICE.EXE
C:\Program Files\Dell\Logiciel Bluetooth\btsendto_explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Highjack\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program
Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1
\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers
communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update
Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program
Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: setings.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0
\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN
Client\vpngui.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3
\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-
00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program
Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-
9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program
Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%
\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-
9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1
\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer =
192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1
\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program
Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4
\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-
Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel
Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program
Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program
Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program
Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program
Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program
Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman \NPF\NPFSVICE.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Full Version: Trojans that won't go...
Hi mic,
Unfortunately, you have several very dangerous infections, one of which is called Worm.Rbot-LD, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
The following articles may be of assistance in your decision:
askey127
Unfortunately, you have several very dangerous infections, one of which is called Worm.Rbot-LD, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
- Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
- Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
- From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
- Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
The following articles may be of assistance in your decision:
- Danger: Remote Access Trojans.
- When should I re-format? How should I reinstall?
- How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?
askey127
QUOTE(askey127 @ Dec 2 2007, 12:03 PM) 
Hi mic,
Unfortunately, you have several very dangerous infections, one of which is called Worm.Rbot-LD, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
The following articles may be of assistance in your decision:
askey127
Unfortunately, you have several very dangerous infections, one of which is called Worm.Rbot-LD, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
- Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
- Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
- From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
- Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
The following articles may be of assistance in your decision:
- Danger: Remote Access Trojans.
- When should I re-format? How should I reinstall?
- How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?
askey127
Hello askey127,
I would gladly accept your help on this matter!
mic
mic,
-----------------------------------------------------------
You have two antivirus programs on your PC at the same time. They will conflict with each other and cause system instability and/or improper AntiVirus protection. Choose to keep just one: either the Avast or Norman Antivirus, and Uninstall the other, Using Start, Control Panel, Add/Remove Programs.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)
Please then reboot your computer in Safe Mode by doing the following :
askey127
-----------------------------------------------------------
You have two antivirus programs on your PC at the same time. They will conflict with each other and cause system instability and/or improper AntiVirus protection. Choose to keep just one: either the Avast or Norman Antivirus, and Uninstall the other, Using Start, Control Panel, Add/Remove Programs.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). - Finally, paste the contents of the Report.txt in a reply, along with a new HijackThis log
askey127
QUOTE(askey127 @ Dec 2 2007, 06:42 PM)
mic,
-----------------------------------------------------------
You have two antivirus programs on your PC at the same time. They will conflict with each other and cause system instability and/or improper AntiVirus protection. Choose to keep just one: either the Avast or Norman Antivirus, and Uninstall the other, Using Start, Control Panel, Add/Remove Programs.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)
Please then reboot your computer in Safe Mode by doing the following :
-----------------------------------------------------------
You have two antivirus programs on your PC at the same time. They will conflict with each other and cause system instability and/or improper AntiVirus protection. Choose to keep just one: either the Avast or Norman Antivirus, and Uninstall the other, Using Start, Control Panel, Add/Remove Programs.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). - Finally, paste the contents of the Report.txt in a reply, along with a new HijackThis log
Hello,
Thanks. Now, as your typical rookie, I am stuck at part 1: I have no access to my control panel. I tried a few days ago Vilma (when I didn't know the size of my issues), and removed the DisableTaskMgr and the DisableRegistryTools in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\, but I still have no access to my control panel (and these two files come again each time I launch my computer). As I suppose that it is important to do this part before doing the rest, I was wondering whether you had an idea to get me back the control of the control panel?
You can run SDFix first if necessary.
----------------------------------------------------------
Download and Install CCleaner
- Download CCleaner from here Choose the "Slim" version.
- Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
- Click OK
- Click Next
- Click I agree
- Click Next
- Click Install
- Once the installation has finished, click Finish
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Program(s), one at a time, that you want to uninstall, and click the Run Uninstaller
QUOTE(askey127 @ Dec 2 2007, 08:59 PM)
You can run SDFix first if necessary.
----------------------------------------------------------
Download and Install CCleaner
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Program(s), one at a time, that you want to uninstall, and click the Run Uninstaller
----------------------------------------------------------
Download and Install CCleaner
- Download CCleaner from here Choose the "Slim" version.
- Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
- Click OK
- Click Next
- Click I agree
- Click Next
- Click Install
- Once the installation has finished, click Finish
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Program(s), one at a time, that you want to uninstall, and click the Run Uninstaller
Ok, here are the SDFix and HJT logs:
SDFix
SDFix: Version 1.116
Run by michael on 02.12.2007 at 21:46
Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
ntio256
Path:
\??\C:\WINDOWS\system32\ntio256.sys
ntio256 - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\3_exception.nls - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 21:54:23
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000091
"TracesSuccessful"=dword:00000006
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\FileMaker\\FileMaker Pro 6\\FileMaker Pro.exe"="C:\\Program Files\\FileMaker\\FileMaker Pro 6\\FileMaker Pro.exe:*:Enabled:FileMaker Pro"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"="C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe:*:Enabled:avast! Antivirus"
"C:\\WINDOWS\\SYSTEM32\\dlbtcoms.exe"="C:\\WINDOWS\\SYSTEM32\\dlbtcoms.exe:*:Enabled:Photo AIO Printer 922 Server"
"C:\\Program Files\\Skype\\Phone\\Skype1.exe"="C:\\Program Files\\Skype\\Phone\\Skype1.exe:*:Enabled:Skype1"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\michael\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\michael\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Fri 30 Aug 2002 94,864 ..SH. --- "C:\WINDOWS\TWAIN.DLL"
Thu 19 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Sat 25 Sep 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Fichiers communs\Adobe\ESD\DLMCleanup.exe"
Mon 26 Apr 2004 1,206 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\ccReg.reg"
Sun 7 Mar 2004 1,206 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 7 Mar 2004 12,368 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 26 Apr 2004 12,368 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\CommonClient.reg"
Mon 23 Jul 2007 139,776 A..H. --- "C:\Telechargements\Anti-trojan\LinkOptCheck\LinkOptCheck\swreg.exe"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5c703fe0947475848e966b61999878d1\BIT8.tmp"
Thu 1 Sep 2005 107,008 ...H. --- "C:\Documents and Settings\michael\Mes documents\Professionnel\Travail\Licra\~WRL1114.tmp"
Tue 28 Dec 2004 41,472 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0126.tmp"
Wed 29 Dec 2004 51,712 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0177.tmp"
Tue 28 Dec 2004 35,840 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0188.tmp"
Tue 28 Dec 2004 38,912 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0304.tmp"
Wed 29 Dec 2004 51,712 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0361.tmp"
Tue 28 Dec 2004 41,984 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0362.tmp"
Wed 29 Dec 2004 45,568 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0574.tmp"
Tue 28 Dec 2004 39,424 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0976.tmp"
Tue 28 Dec 2004 37,376 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1090.tmp"
Wed 29 Dec 2004 45,056 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1115.tmp"
Wed 29 Dec 2004 52,736 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1424.tmp"
Wed 29 Dec 2004 47,104 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1541.tmp"
Wed 29 Dec 2004 44,032 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2092.tmp"
Wed 29 Dec 2004 44,544 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2093.tmp"
Wed 29 Dec 2004 50,176 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2176.tmp"
Wed 29 Dec 2004 44,544 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2513.tmp"
Wed 29 Dec 2004 45,056 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2562.tmp"
Tue 28 Dec 2004 41,984 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2733.tmp"
Tue 28 Dec 2004 39,424 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2962.tmp"
Wed 29 Dec 2004 46,080 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3002.tmp"
Tue 28 Dec 2004 36,352 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3169.tmp"
Tue 28 Dec 2004 39,424 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3595.tmp"
Tue 28 Dec 2004 38,400 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3741.tmp"
Wed 29 Dec 2004 42,496 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3794.tmp"
Wed 29 Dec 2004 43,520 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3964.tmp"
Wed 29 Dec 2004 48,128 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3985.tmp"
Tue 5 Apr 2005 24,576 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire contemporaine II\~WRL2203.tmp"
Sun 4 Feb 2007 567,296 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\Interdisciplinary Seminar on Environmental Issues - Luterbacher and Wiegandt\~WRL3610.tmp"
Sun 15 Apr 2007 42,496 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL1978.tmp"
Sun 15 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL2556.tmp"
Sun 15 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL3171.tmp"
Sun 15 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL3294.tmp"
Fri 13 Apr 2007 40,960 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL3842.tmp"
Sat 9 Apr 2005 55,296 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire diplomatique et des relations internationales\Expos‚ sur le d‚mantŠlement de l'Empire italien pendant la DeuxiŠme Guerre mondiale\~WRL0397.tmp"
Sat 9 Apr 2005 64,512 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire diplomatique et des relations internationales\Expos‚ sur le d‚mantŠlement de l'Empire italien pendant la DeuxiŠme Guerre mondiale\~WRL3525.tmp"
Fri 8 Apr 2005 30,720 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire diplomatique et des relations internationales\Expos‚ sur le d‚mantŠlement de l'Empire italien pendant la DeuxiŠme Guerre mondiale\~WRL3822.tmp"
Thu 8 Sep 2005 192,512 A..H. --- "C:\Documents and Settings\michael\Mes documents\Professionnel\Travail\Licra\LICRA CH\Charte d'Utrecht\1ere phase\Pr‚paration\~WRL0515.tmp"
Thu 8 Sep 2005 0 A..H. --- "C:\Documents and Settings\michael\Mes documents\Professionnel\Travail\Licra\LICRA CH\Charte d'Utrecht\1ere phase\Pr‚paration\~WRL0649.tmp"
Finished!
HiJackThis
Logfile of HijackThis v1.99.1
Scan saved at 22:04:59, on 02.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\timoty.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\PROGRA~1\Dell\LOGICI~1\BTSTAC~1.EXE
C:\Program Files\Highjack\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
mic,
-----------------------------------------------------------
Set Your Computer to Show All Files
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries that are present:
(Some of these lines may be missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4- HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\msanton.exe
C:\Windows\System32\timoty.exe
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
REBOOT INTO NORMAL MODE
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
A file called look.txt should appear on your Desktop. We will add additional items to it in the next step.
Also using Start->Run, copy/paste the following command into the box and press OK:
A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis.
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of look.txt from your desktop.
askey127
-----------------------------------------------------------
Set Your Computer to Show All Files
- Click Start.
- Click My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading, select Show hidden files and folders.
- Uncheck Hide protected operating system files (recommended).
- Click Yes to confirm.
- Uncheck the Hide file extensions for known file types.
- Click OK.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries that are present:
(Some of these lines may be missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4- HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\msanton.exe
C:\Windows\System32\timoty.exe
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
REBOOT INTO NORMAL MODE
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
QUOTE
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. We will add additional items to it in the next step.
Also using Start->Run, copy/paste the following command into the box and press OK:
QUOTE
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis.
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of look.txt from your desktop.
askey127
QUOTE(askey127 @ Dec 2 2007, 10:43 PM)
mic,
-----------------------------------------------------------
Set Your Computer to Show All Files
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries that are present:
(Some of these lines may be missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4- HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\msanton.exe
C:\Windows\System32\timoty.exe
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
REBOOT INTO NORMAL MODE
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
A file called look.txt should appear on your Desktop. We will add additional items to it in the next step.
Also using Start->Run, copy/paste the following command into the box and press OK:
A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis.
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of look.txt from your desktop.
askey127
-----------------------------------------------------------
Set Your Computer to Show All Files
- Click Start.
- Click My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading, select Show hidden files and folders.
- Uncheck Hide protected operating system files (recommended).
- Click Yes to confirm.
- Uncheck the Hide file extensions for known file types.
- Click OK.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries that are present:
(Some of these lines may be missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4- HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\msanton.exe
C:\Windows\System32\timoty.exe
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
REBOOT INTO NORMAL MODE
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
A file called look.txt should appear on your Desktop. We will add additional items to it in the next step.
Also using Start->Run, copy/paste the following command into the box and press OK:
A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis.
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of look.txt from your desktop.
askey127
askey127,
Okay, I could show all the files and extensions; I also could remove all entries in HJT (all were present). However, when I run your look.txt command, nothing happens (except for a brief MS-DOS-like box which opens for 1/10 of a second). I tried to search for the look.txt file, with no results. Was I supposed to replace %userprofile% with my account on my computer? If so, do I keep the "%"?
By the way, should I connect directly with my computer, or would it be safer to use another computer to connect to the internet et and post on this forum, while keeping the other (infected) computer unconnected? If so, can I transport my logs through a USB key, or could it also get infected?
Thanks for your help!
mic
My fault. The quotes didn't show up correctly.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
Also using Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.
If you don't see it, do a search for it.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
Also using Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.
If you don't see it, do a search for it.
QUOTE(askey127 @ Dec 3 2007, 10:41 AM)
My fault. The quotes didn't show up correctly.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
Also using Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.
If you don't see it, do a search for it.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
Also using Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.
If you don't see it, do a search for it.
Hello askey127!
Actually, the command you gave me is the same as the one in the previous post. I nevertheless tried your new command, but with no results (I searched it as well).
The previous one:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
The new one:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
Do I have to correct userprofile?
mic
Do searches for setings.exe and startup.exe and tell me where they are, if they show.
Notice the spelling "setings.exe"
And Post a new HJT log. You can post from the "infected" computer.
Notice the spelling "setings.exe"
And Post a new HJT log. You can post from the "infected" computer.
QUOTE(askey127 @ Dec 3 2007, 11:16 AM)
Do searches for setings.exe and startup.exe and tell me where they are, if they show.
Notice the spelling "setings.exe"
And Post a new HJT log. You can post from the "infected" computer.
Notice the spelling "setings.exe"
And Post a new HJT log. You can post from the "infected" computer.
Hello askey127,
setings.exe is located in (in case: "démarrer" and "démarrage" mean "start"):
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage
The search function also finds (when I type setings.exe):
SETINGS.EXE-00441AB6.pf (located in C:\WINDOWS\Prefetch)
backup-20071203-093116-204-setings.exe (located in C:\Program Files\Highjack\backups)
startup.exe cannot be found. The files that search finds are:
STARTUP.EXE-37ACFE15.pf (located in C:\WINDOWS\Prefetch)
backup-20071203-093136-376-startup.exe (located in C:\Program Files\Highjack\backups)
Also, the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:04:28, on 03.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Dell\Logiciel Bluetooth\btsendto_explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Highjack\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
mic,
good work so far.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\setings.exe
C:\WINDOWS\Prefetch\SETINGS.EXE-00441AB6.pf
C:\WINDOWS\Prefetch\STARTUP.EXE-37ACFE15.pf
In case a file is shown without the location, use Find (F3) or Start, Search, enter the filename, and Delete the file, if present.
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
You do not need to delete any entries in the HiJackThis Backup folder.
-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
-----------------------------------------------------------
Download Blacklight from here:
http://www.f-secure.com/security_center/
Under "Downloads", click on Blacklight and Save it to your Desktop
or
Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.
Go to Start-->Run, copy in the following text, and press Enter:
Accept the license agreement.
Click > scan, wait for it to fimish, then click Close
There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
askey127
good work so far.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\setings.exe
C:\WINDOWS\Prefetch\SETINGS.EXE-00441AB6.pf
C:\WINDOWS\Prefetch\STARTUP.EXE-37ACFE15.pf
In case a file is shown without the location, use Find (F3) or Start, Search, enter the filename, and Delete the file, if present.
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
You do not need to delete any entries in the HiJackThis Backup folder.
-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
- Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data. - Click on the Options block on the left. Select Advanced.
Uncheck Only delete files in Windows Temp folders older than 48 hours. - Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane. - Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
-----------------------------------------------------------
Download Blacklight from here:
http://www.f-secure.com/security_center/
Under "Downloads", click on Blacklight and Save it to your Desktop
or
Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.
Go to Start-->Run, copy in the following text, and press Enter:
QUOTE
"%userprofile%\desktop\fsbl.exe" /expert
Accept the license agreement.
Click > scan, wait for it to fimish, then click Close
There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
- Click on "Kaspersky Online Scanner"
- A new smaller window will pop up. Press on "Accept". After reading the contents.
- Now Kaspersky will update the anti-virus database. Let it run.
- Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
- Then click on "My Computer", and the scan will start.
- Once finished, save the log to your Desktop as filename KAV.txt
askey127
Hello askey127,
Thanks!
I managed to use your commands for the look.txt file! Simple issue of windows in a different language (desktop is "bureau" on my computer). I attached the log below (although it has probably no use for you now anymore).
I deleted the three files. I noticed a file called TIMOTY.EXE-09857EDC.pf in the C:\WINDOWS\Prefetch folder (I thought I might tell you that, as you told me to delete a timoty.exe file earlier). No problem with the CCleaner procedure. Blacklight didn't find anything (as far as I know). However, the KAV found a lot fo infected files. I noticed that most of the infected files were located in the "system volume information" folder, if that's of any help for you.
Also, the warning message (which was something like "Warning unauthorized spyware etc.") disappeared. Moreover, I have the feeling that the whole computer is a bit faster (i.e., less slow) now. However, I still have no control over the task manager nor control panel (although I haven't restarted my computer since).
Here are the logs:
Look.txt
c:\program files\highjack\backups\backup-20071203-093116-204-setings.exe
c:\program files\highjack\backups\backup-20071203-093136-376-startup.exe
Blacklight (fsbl-20071203161227.log)
12/03/07 16:12:27 [Info]: BlackLight Engine 1.0.67 initialized
12/03/07 16:12:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/03/07 16:12:27 [Note]: 7019 4
12/03/07 16:12:27 [Note]: 7005 0
12/03/07 16:12:31 [Note]: 7006 0
12/03/07 16:12:31 [Note]: 7022 0
12/03/07 16:12:31 [Note]: 7011 368
12/03/07 16:12:31 [Note]: 7026 0
12/03/07 16:12:32 [Note]: 7026 0
12/03/07 16:12:35 [Note]: FSRAW library version 1.7.1024
12/03/07 16:27:58 [Note]: 2000 1012
12/03/07 16:28:13 [Note]: 7007 0
KAV
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 03, 2007 6:21:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/12/2007
Kaspersky Anti-Virus database records: 471044
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 76961
Number of viruses found: 4
Number of infected objects: 149
Number of suspicious objects: 0
Duration of the scan process: 01:49:44
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\michael\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\michael\Bureau\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\michael\Bureau\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\michael\Bureau\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\michael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Historique\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Historique\History.IE5\MSHist012007120320071204\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\michael\ntuser.dat Object is locked skipped
C:\Documents and Settings\michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Highjack\backups\backup-20071203-093116-204-setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Program Files\Highjack\backups\backup-20071203-093136-376-startup.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0013885.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0013886.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0013887.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0014881.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0014882.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0014883.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015122.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015123.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015124.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015272.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015273.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015274.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015440.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015442.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015444.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015607.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015608.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015610.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0016601.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0016602.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0018913.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0018914.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0018915.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019068.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019069.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019070.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019237.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019238.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019239.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019393.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019395.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019396.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019544.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019545.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019546.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019718.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019719.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019720.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019880.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019881.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019882.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020039.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020040.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020041.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020199.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020200.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020201.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021202.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021203.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021204.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021358.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021359.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021360.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021655.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021656.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021657.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021818.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021819.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021820.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021977.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021978.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021979.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022129.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022130.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022131.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022328.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022329.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022330.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022481.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022482.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022483.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022638.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022639.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022640.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022790.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022791.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022792.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022945.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022946.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022947.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0023097.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0023098.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0023099.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023388.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023389.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023390.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023537.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023538.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023539.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023736.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023737.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023738.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023884.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023885.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023886.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023916.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023918.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023920.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024068.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024069.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024070.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024371.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024374.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024375.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024390.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024391.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024392.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\change.log Object is locked skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013420.exe Infected: Trojan-Dropper.Win32.Agent.cpt skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013426.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013427.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013428.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013433.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013435.exe Infected: Trojan-Dropper.Win32.Agent.cpt skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013438.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013439.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013440.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013441.dll Infected: Backdoor.Win32.Small.ccj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013442.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013445.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013446.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013452.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013453.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013454.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013463.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013464.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013465.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013471.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013472.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013473.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013484.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013485.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013487.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013493.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013494.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013495.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013506.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013507.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013509.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013523.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013524.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013525.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013567.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013568.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013569.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{58CE3B28-E03E-46ED-9BEE-F408247F36FD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6d8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp197883336.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
mic,
Looking lots better.
Go ahead and delete that file TIMOTY.EXE-09857EDC.pf in the prefetch folder
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous Restore points, including those likely to be infected, and a new Restore Point will be established..
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
If you are not prompted to reboot, do it on your own.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The Disable/Re-enable System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Reset Options in CCleaner for Regular Use.
Open CCleaner if it's not already running.
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Please post the contents of CCleaner's install.txt
If this line in your HiJackThis log implies what I think it does, please heed my initial warning about account number/password risks.
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
askey127
Looking lots better.
Go ahead and delete that file TIMOTY.EXE-09857EDC.pf in the prefetch folder
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous Restore points, including those likely to be infected, and a new Restore Point will be established..
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
If you are not prompted to reboot, do it on your own.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The Disable/Re-enable System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Reset Options in CCleaner for Regular Use.
Open CCleaner if it's not already running.
- Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked. Then under Internet Explorer, Uncheck "History". In the Advanced section, have a check only on Old PreFetch Data. - Click on the Options block on the left. Select Advanced.
Check Only delete files in Windows Temp folders older than 48 hours. - Set CCleaner to Run When Computer Starts. Click on the Options block on the left, then choose Settings. Check Run CCleaner when computer starts.
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Please post the contents of CCleaner's install.txt
If this line in your HiJackThis log implies what I think it does, please heed my initial warning about account number/password risks.
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
askey127
Thanks askey127!
Small problem: I can't access the properties of My Computer (nor can I access the control panel). I tried to look around on Vilma to remove the thing, but I don't know where to look and wouldn't like to do a mistake. Can you tell me how I could access to My Computer's properties?
mic
See if you can open the dialog -
Go to Start, Run and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and CHECK "Turn Off System Restore On All Drives"
Then REBOOT
After the REBOOT, Go to Start, Run again and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and UNCHECK "Turn Off System Restore On All Drives"
Then REBOOT
Go to Start, Run and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and CHECK "Turn Off System Restore On All Drives"
Then REBOOT
After the REBOOT, Go to Start, Run again and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and UNCHECK "Turn Off System Restore On All Drives"
Then REBOOT
QUOTE(askey127 @ Dec 3 2007, 10:35 PM)
See if you can open the dialog -
Go to Start, Run and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and CHECK "Turn Off System Restore On All Drives"
Then REBOOT
After the REBOOT, Go to Start, Run again and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and UNCHECK "Turn Off System Restore On All Drives"
Then REBOOT
Go to Start, Run and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and CHECK "Turn Off System Restore On All Drives"
Then REBOOT
After the REBOOT, Go to Start, Run again and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and UNCHECK "Turn Off System Restore On All Drives"
Then REBOOT
I still get the same message telling me that this operation has been restricted.
mic,
You do have a lot of infected files saved in old System Restore Points.
Be SURE that you do NOT Restore to a previous point until we can delete those "Restore backups"
The disable/re-enable sequence we are trying to perform will erase all those infected files.
Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer and see whether you can perform the System Restore Disable/Re-enable sequence.
If that doesn't work, we have other tools at our disposal to regain your privileges.
askey127
You do have a lot of infected files saved in old System Restore Points.
Be SURE that you do NOT Restore to a previous point until we can delete those "Restore backups"
The disable/re-enable sequence we are trying to perform will erase all those infected files.
Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer and see whether you can perform the System Restore Disable/Re-enable sequence.
If that doesn't work, we have other tools at our disposal to regain your privileges.
askey127
QUOTE(askey127 @ Dec 4 2007, 11:47 AM)
mic,
You do have a lot of infected files saved in old System Restore Points.
Be SURE that you do NOT Restore to a previous point until we can delete those "Restore backups"
The disable/re-enable sequence we are trying to perform will erase all those infected files.
Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer and see whether you can perform the System Restore Disable/Re-enable sequence.
If that doesn't work, we have other tools at our disposal to regain your privileges.
askey127
You do have a lot of infected files saved in old System Restore Points.
Be SURE that you do NOT Restore to a previous point until we can delete those "Restore backups"
The disable/re-enable sequence we are trying to perform will erase all those infected files.
Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer and see whether you can perform the System Restore Disable/Re-enable sequence.
If that doesn't work, we have other tools at our disposal to regain your privileges.
askey127
Hello askey127,
Unfortunately, this doesn't work either: no right-click on My Computer and no Control Panel. However, the task manager works now. (By the way, in the later I can see a spoolsv.exe working that was identified - I think - as an infected file.)
mic
spoolsv.exe is either a legitimate Microsoft file or an infected file, depending on where it is located.
Don't do anything with it now.
First, lets do a registry backup, just in case...
------------------------------------------------------------
Backup Your Registry with ERUNT:
------------------------------------------------------------
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe
askey127
Don't do anything with it now.
First, lets do a registry backup, just in case...
------------------------------------------------------------
Backup Your Registry with ERUNT:
- Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip - Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
- Inside the new folder, double-click ERUNT.exe to start the program
- OK all the prompts to back up your registry to the default location.
------------------------------------------------------------
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe
- Double-click FixPolicies.exe.
- Click the "Install" button on the bottom toolbar of the box that will open.
- The program will create a new Folder called FixPolicies.
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
- A black box will briefly appear and then close.
askey127
edit: double post.
QUOTE(askey127 @ Dec 4 2007, 01:34 PM)
spoolsv.exe is either a legitimate Microsoft file or an infected file, depending on where it is located.
Don't do anything with it now.
First, lets do a registry backup, just in case...
------------------------------------------------------------
Backup Your Registry with ERUNT:
------------------------------------------------------------
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe
askey127
Don't do anything with it now.
First, lets do a registry backup, just in case...
------------------------------------------------------------
Backup Your Registry with ERUNT:
- Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip - Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
- Inside the new folder, double-click ERUNT.exe to start the program
- OK all the prompts to back up your registry to the default location.
------------------------------------------------------------
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe
- Double-click FixPolicies.exe.
- Click the "Install" button on the bottom toolbar of the box that will open.
- The program will create a new Folder called FixPolicies.
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
- A black box will briefly appear and then close.
askey127
Hello askey127,
Great! It works: I have regained control over the Panel Control, the My Computer preferences, etc. Feels like I have one of my legs back...
I checked and then after the reboot unchecked the Turn off system restore. Then I rebooted.
I did as you told me for the CCleaner options. I didn't run it though. Question: should I leave the "Show prompt to backup registry issues" box checked?
Here is the install.txt file, as asked:
Install.txt
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard - English, Français, Deutsch
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Download Manager 1.2 (Supprimer uniquement)
Adobe Flash Player 9 ActiveX
ALPS Touch Pad Driver
AutoUpdate
avast! Antivirus
AVG Anti-Spyware 7.5
Banana Comptabilité 4.0
BCM V.92 56K Modem
Cayman 3000 series USB Network Adapter
CCleaner (remove only)
COMODO Firewall Pro
ConnectionServices
Correctif Lecteur Windows Media 9 [Voir KB885492 pour plus d'informations]
Correctif Windows XP - KB873333
Correctif Windows XP - KB873339
Correctif Windows XP - KB885835
Correctif Windows XP - KB885836
Correctif Windows XP - KB886185
Correctif Windows XP - KB887472
Correctif Windows XP - KB888113
Correctif Windows XP - KB888302
Correctif Windows XP - KB890175
Correctif Windows XP - KB890859
Correctif Windows XP - KB891781
Correctif Windows XP - KB893086
Dell Solution Center
Dell TrueMobile 1400 Dual Band WLAN Mini-PCI Card
DivX Codec
DivX Content Uploader
DivX Player
DVDSentry
FileMaker Pro 6
FUJIFILM USB Driver
GPL MPEG-1/2 DirectShow Decoder Filter
Help and Support Customization
HijackThis 1.99.1
HP Install Network Printer Wizard
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InternetShield
InterVideo WinDVD
iPod for Windows User Guide
iPod System Software Updater 2.1
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Online Scanner
K-Lite Codec Pack 3.4.5 Basic
Logiciel Bluetooth Dell
Macromedia Shockwave Player
Microsoft ActiveSync 3.7
Microsoft Data Access Components KB870669
Microsoft Office Standard Edition 2003
Microsoft Works 7.0
MicroStaff WINASPI
Mise à jour de sécurité pour Lecteur Windows Media (KB911564)
Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398)
Mise à jour de sécurité pour Lecteur Windows Media 9 (KB917734)
Mise à jour de sécurité pour Lecteur Windows Media 9 (KB936782)
Mise à jour de sécurité pour Step by Step Interactive Training (KB898458)
Mise à jour de sécurité pour Step by Step Interactive Training (KB923723)
Mise à jour de sécurité pour Windows XP (KB890046)
Mise à jour de sécurité pour Windows XP (KB893066)
Mise à jour de sécurité pour Windows XP (KB893756)
Mise à jour de sécurité pour Windows XP (KB896358)
Mise à jour de sécurité pour Windows XP (KB896422)
Mise à jour de sécurité pour Windows XP (KB896423)
Mise à jour de sécurité pour Windows XP (KB896424)
Mise à jour de sécurité pour Windows XP (KB896428)
Mise à jour de sécurité pour Windows XP (KB899587)
Mise à jour de sécurité pour Windows XP (KB899588)
Mise à jour de sécurité pour Windows XP (KB899591)
Mise à jour de sécurité pour Windows XP (KB900725)
Mise à jour de sécurité pour Windows XP (KB901017)
Mise à jour de sécurité pour Windows XP (KB901190)
Mise à jour de sécurité pour Windows XP (KB901214)
Mise à jour de sécurité pour Windows XP (KB902400)
Mise à jour de sécurité pour Windows XP (KB904706)
Mise à jour de sécurité pour Windows XP (KB905414)
Mise à jour de sécurité pour Windows XP (KB905749)
Mise à jour de sécurité pour Windows XP (KB908519)
Mise à jour de sécurité pour Windows XP (KB911562)
Mise à jour de sécurité pour Windows XP (KB911927)
Mise à jour de sécurité pour Windows XP (KB913580)
Mise à jour de sécurité pour Windows XP (KB914388)
Mise à jour de sécurité pour Windows XP (KB914389)
Mise à jour de sécurité pour Windows XP (KB917344)
Mise à jour de sécurité pour Windows XP (KB917953)
Mise à jour de sécurité pour Windows XP (KB918118)
Mise à jour de sécurité pour Windows XP (KB918439)
Mise à jour de sécurité pour Windows XP (KB919007)
Mise à jour de sécurité pour Windows XP (KB920213)
Mise à jour de sécurité pour Windows XP (KB920670)
Mise à jour de sécurité pour Windows XP (KB920683)
Mise à jour de sécurité pour Windows XP (KB920685)
Mise à jour de sécurité pour Windows XP (KB921503)
Mise à jour de sécurité pour Windows XP (KB922819)
Mise à jour de sécurité pour Windows XP (KB923191)
Mise à jour de sécurité pour Windows XP (KB923414)
Mise à jour de sécurité pour Windows XP (KB923689)
Mise à jour de sécurité pour Windows XP (KB923980)
Mise à jour de sécurité pour Windows XP (KB924191)
Mise à jour de sécurité pour Windows XP (KB924270)
Mise à jour de sécurité pour Windows XP (KB924496)
Mise à jour de sécurité pour Windows XP (KB924667)
Mise à jour de sécurité pour Windows XP (KB925902)
Mise à jour de sécurité pour Windows XP (KB926255)
Mise à jour de sécurité pour Windows XP (KB926436)
Mise à jour de sécurité pour Windows XP (KB927779)
Mise à jour de sécurité pour Windows XP (KB927802)
Mise à jour de sécurité pour Windows XP (KB928255)
Mise à jour de sécurité pour Windows XP (KB928843)
Mise à jour de sécurité pour Windows XP (KB929123)
Mise à jour de sécurité pour Windows XP (KB929969)
Mise à jour de sécurité pour Windows XP (KB930178)
Mise à jour de sécurité pour Windows XP (KB931261)
Mise à jour de sécurité pour Windows XP (KB931784)
Mise à jour de sécurité pour Windows XP (KB932168)
Mise à jour de sécurité pour Windows XP (KB933566)
Mise à jour de sécurité pour Windows XP (KB933729)
Mise à jour de sécurité pour Windows XP (KB935839)
Mise à jour de sécurité pour Windows XP (KB935840)
Mise à jour de sécurité pour Windows XP (KB936021)
Mise à jour de sécurité pour Windows XP (KB937143)
Mise à jour de sécurité pour Windows XP (KB938127)
Mise à jour de sécurité pour Windows XP (KB938829)
Mise à jour de sécurité pour Windows XP (KB939653)
Mise à jour de sécurité pour Windows XP (KB941202)
Mise à jour de sécurité pour Windows XP (KB943460)
Mise à jour pour Windows XP (KB898461)
Mise à jour pour Windows XP (KB900485)
Mise à jour pour Windows XP (KB908531)
Mise à jour pour Windows XP (KB910437)
Mise à jour pour Windows XP (KB911280)
Mise à jour pour Windows XP (KB916595)
Mise à jour pour Windows XP (KB920872)
Mise à jour pour Windows XP (KB922582)
Mise à jour pour Windows XP (KB927891)
Mise à jour pour Windows XP (KB930916)
Mise à jour pour Windows XP (KB931836)
Mise à jour pour Windows XP (KB933360)
Mise à jour pour Windows XP (KB936357)
Mise à jour pour Windows XP (KB938828)
Modem Helper
Network ScanGear Ver.1.6
PDFCreator 0.8.0
Pocket Informant Pro 5.6
QuickSet
QuickTime
RealPlayer
Skype™ 3.5
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
SopCast 1.1.2
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
UBSPay
Vilma Registry Explorer
VPN Client
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows XP Service Pack 2
X264 H.264/AVC Video Codec (remove only)
mic,
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.
Ad-Aware SE Personal
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
Spybot - Search & Destroy 1.4
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Then download the latest version of Java Runtime Environment(JRE), and install it to your computer. It is the 4th one down on the page, called Java Runtime Environment (JRE) 6 Update 3
Download it, choose save, and save it to your desktop.Then doubleclick it, and it will install the newest version of Java for you to use.
-----------------------------------------------------------
Yes. But I don't recommend using the Registry Button at all - a bit dangerous.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, just HOSTS (no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Whatever list your HOSTS file has will be used by your browser. You can open the HOSTS file with Notepad and look at it.
In Windows XP, it is located in this folder ==> C:\Windows\System32\Drivers\etc\
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system.
If you are part fo a business network, if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions in the tutorial below..
Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Download BlueTack's HOSTS Manager here, using Internet Explorer:
http://www.bluetack.co.uk/forums/index.php...ails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says "Download Estimates, right click on the underlined word "Hosts Manager" choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the Hosts Switch icon).
When the manager comes up, got to the left pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a firewall, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.
------------------------------------------------------------------------------------
EXTRA INFORMATION ABOUT HOSTS FILES:
Read an excellent tutorial about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406
There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (70k+ entries) is more aggressive than the mvps (11k + entries), and targets adware sites as well as more dangerous ones.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
Oh, and please post one more HiJackThis log just to check.
Let me know
askey127
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.
Ad-Aware SE Personal
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
Spybot - Search & Destroy 1.4
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Then download the latest version of Java Runtime Environment(JRE), and install it to your computer. It is the 4th one down on the page, called Java Runtime Environment (JRE) 6 Update 3
Download it, choose save, and save it to your desktop.Then doubleclick it, and it will install the newest version of Java for you to use.
-----------------------------------------------------------
QUOTE
Question: should I leave the "Show prompt to backup registry issues" box checked?
Yes. But I don't recommend using the Registry Button at all - a bit dangerous.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, just HOSTS (no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Whatever list your HOSTS file has will be used by your browser. You can open the HOSTS file with Notepad and look at it.
In Windows XP, it is located in this folder ==> C:\Windows\System32\Drivers\etc\
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system.
If you are part fo a business network, if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions in the tutorial below..
Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
QUOTE
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK
Download BlueTack's HOSTS Manager here, using Internet Explorer:
http://www.bluetack.co.uk/forums/index.php...ails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says "Download Estimates, right click on the underlined word "Hosts Manager" choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the Hosts Switch icon).
When the manager comes up, got to the left pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a firewall, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.
------------------------------------------------------------------------------------
EXTRA INFORMATION ABOUT HOSTS FILES:
Read an excellent tutorial about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406
There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (70k+ entries) is more aggressive than the mvps (11k + entries), and targets adware sites as well as more dangerous ones.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
Oh, and please post one more HiJackThis log just to check.
Let me know
askey127
QUOTE(askey127 @ Dec 4 2007, 06:31 PM)
mic,
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.
Ad-Aware SE Personal
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
Spybot - Search & Destroy 1.4
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Then download the latest version of Java Runtime Environment(JRE), and install it to your computer. It is the 4th one down on the page, called Java Runtime Environment (JRE) 6 Update 3
Download it, choose save, and save it to your desktop.Then doubleclick it, and it will install the newest version of Java for you to use.
-----------------------------------------------------------
Yes. But I don't recommend using the Registry Button at all - a bit dangerous.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, just HOSTS (no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Whatever list your HOSTS file has will be used by your browser. You can open the HOSTS file with Notepad and look at it.
In Windows XP, it is located in this folder ==> C:\Windows\System32\Drivers\etc\
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system.
If you are part fo a business network, if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions in the tutorial below..
Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Download BlueTack's HOSTS Manager here, using Internet Explorer:
http://www.bluetack.co.uk/forums/index.php...ails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says "Download Estimates, right click on the underlined word "Hosts Manager" choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the Hosts Switch icon).
When the manager comes up, got to the left pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a firewall, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.
------------------------------------------------------------------------------------
EXTRA INFORMATION ABOUT HOSTS FILES:
Read an excellent tutorial about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406
There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (70k+ entries) is more aggressive than the mvps (11k + entries), and targets adware sites as well as more dangerous ones.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
Oh, and please post one more HiJackThis log just to check.
Let me know
askey127
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.
Ad-Aware SE Personal
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
Spybot - Search & Destroy 1.4
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Then download the latest version of Java Runtime Environment(JRE), and install it to your computer. It is the 4th one down on the page, called Java Runtime Environment (JRE) 6 Update 3
Download it, choose save, and save it to your desktop.Then doubleclick it, and it will install the newest version of Java for you to use.
-----------------------------------------------------------
Yes. But I don't recommend using the Registry Button at all - a bit dangerous.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, just HOSTS (no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Whatever list your HOSTS file has will be used by your browser. You can open the HOSTS file with Notepad and look at it.
In Windows XP, it is located in this folder ==> C:\Windows\System32\Drivers\etc\
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system.
If you are part fo a business network, if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions in the tutorial below..
Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Download BlueTack's HOSTS Manager here, using Internet Explorer:
http://www.bluetack.co.uk/forums/index.php...ails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says "Download Estimates, right click on the underlined word "Hosts Manager" choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the Hosts Switch icon).
When the manager comes up, got to the left pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a firewall, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.
------------------------------------------------------------------------------------
EXTRA INFORMATION ABOUT HOSTS FILES:
Read an excellent tutorial about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406
There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (70k+ entries) is more aggressive than the mvps (11k + entries), and targets adware sites as well as more dangerous ones.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
Oh, and please post one more HiJackThis log just to check.
Let me know
askey127
Hello askey127,
God, I sure feel safer now... I begin to think that they shouldn't sell computers to people like me without people like you first teaching us how to handle that.
I did everything as you said. As you didn't expressely tell me to reboot after having uninstalled the four programmes, I didn't do it (just in case this could have any importance). Nor did I restart after any installation (I was never asked to do that anyway).
Small issue for S&D: I perhaps mishandled the uninstallation of this programme, as the folder still exists and there are many files in it. However, the entry S&D dispeared from CCleaner.
Here is the HJT log:
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 19:18:33, on 04.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\Logiciel Bluetooth\btsendto_explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Highjack\HijackThis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program
Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers
communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update
Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program
Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CCleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0
\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN
Client\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3
\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-
00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program
Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-
9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program
Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%
\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-
9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1
\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer =
192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1
\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program
Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4
\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4
\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-
Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel
Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program
Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program
Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program
Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program
Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program
Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
mic,
Tell me if everything looks OK to you.
You did not mishandle the Uninstall of Spybot. Many programs fail to clean up after themselves.
You can highlight the Spybot folder under C:\Program Files\ and delete it if you wish.
------------------------------------------------------------------------------------------------------------------
You should consider downloading and using the newest version of the free Adobe Reader only for reading pdf files online, due to vulnerabilities in earlier versions of Reader and Acrobat.
See here about the threat : http://www.pcworld.com/article/id,128488-c...ty/article.html
You can download the Free Reader here: http://www.adobe.com/products/acrobat/readstep2.html
This will keep you from accidentally downloading a dangerous pdf file into your old version 6 Acrobat.
Of course you should keep the older, full Adobe Acrobat 6 for editing, creating pdf's etc., but I would set a new version of Reader to open pdf file types.
You can still call Adobe Acrobat 6 by using Start, All Programs
askey127
Tell me if everything looks OK to you.
You did not mishandle the Uninstall of Spybot. Many programs fail to clean up after themselves.
You can highlight the Spybot folder under C:\Program Files\ and delete it if you wish.
------------------------------------------------------------------------------------------------------------------
You should consider downloading and using the newest version of the free Adobe Reader only for reading pdf files online, due to vulnerabilities in earlier versions of Reader and Acrobat.
See here about the threat : http://www.pcworld.com/article/id,128488-c...ty/article.html
You can download the Free Reader here: http://www.adobe.com/products/acrobat/readstep2.html
This will keep you from accidentally downloading a dangerous pdf file into your old version 6 Acrobat.
Of course you should keep the older, full Adobe Acrobat 6 for editing, creating pdf's etc., but I would set a new version of Reader to open pdf file types.
You can still call Adobe Acrobat 6 by using Start, All Programs
askey127
QUOTE(askey127 @ Dec 4 2007, 09:36 PM)
mic,
Tell me if everything looks OK to you.
You did not mishandle the Uninstall of Spybot. Many programs fail to clean up after themselves.
You can highlight the Spybot folder under C:\Program Files\ and delete it if you wish.
------------------------------------------------------------------------------------------------------------------
You should consider downloading and using the newest version of the free Adobe Reader only for reading pdf files online, due to vulnerabilities in earlier versions of Reader and Acrobat.
See here about the threat : http://www.pcworld.com/article/id,128488-c...ty/article.html
You can download the Free Reader here: http://www.adobe.com/products/acrobat/readstep2.html
This will keep you from accidentally downloading a dangerous pdf file into your old version 6 Acrobat.
Of course you should keep the older, full Adobe Acrobat 6 for editing, creating pdf's etc., but I would set a new version of Reader to open pdf file types.
You can still call Adobe Acrobat 6 by using Start, All Programs
askey127
Tell me if everything looks OK to you.
You did not mishandle the Uninstall of Spybot. Many programs fail to clean up after themselves.
You can highlight the Spybot folder under C:\Program Files\ and delete it if you wish.
------------------------------------------------------------------------------------------------------------------
You should consider downloading and using the newest version of the free Adobe Reader only for reading pdf files online, due to vulnerabilities in earlier versions of Reader and Acrobat.
See here about the threat : http://www.pcworld.com/article/id,128488-c...ty/article.html
You can download the Free Reader here: http://www.adobe.com/products/acrobat/readstep2.html
This will keep you from accidentally downloading a dangerous pdf file into your old version 6 Acrobat.
Of course you should keep the older, full Adobe Acrobat 6 for editing, creating pdf's etc., but I would set a new version of Reader to open pdf file types.
You can still call Adobe Acrobat 6 by using Start, All Programs
askey127
Hello askey127,
Okay, so my problems were:
- The presence of the worm (trojan?)
- A message telling me that I could be the target of spywares (which would pop-up every 5 minutes or so)
- IE's homepage would always be google.com
- I would have no access to my control panel, task manager, etc.
I think all of these problems have now disapeared. I did a SUPERAntiSpyware scan, and it found nothing (except for your occasional cookie). That is fantastic!
I followed your advice concerning Adobe.
Now, I still have to understand exactly where I am at. If I understand correctly, you told me at the beginning that this method of removing malwares on this computer was good, but there was no guarantee that a 'backdoor' was left open for the creator of the initial malware to come back, right?
Now, do you reckon that if that is the case, would I be alerted as I was when the infection first occured? (Side question: why did the creators of the infection make this malware so 'noisy': even a non-specialist like me could see that something is not normal.)
Another question is whether you think this computer is now safe enough for me to go back on my e-mails from here (I understand that there is always a risk, but my question is whether this risk is marginal or not). Or can I relatively safely go and create an e-bay account? Or can I create a PayPal account?
Finally, what advice would you generally give me concerning the future of me and my computer.
In any case: thank you so much for your help. You probably saved me from lots of pain and issues, and you took the time to help be strengthen protections for the future. This is greatly appreciated. Now, I am not rich, but I would like to make a contribution to whatever/whoever you consider should get it (at least from the moment I can use credit cards again
). To whom should I make this contribution? CCleaner?mic
mic,
I'm sure Piriform would be happy for the support. See here : http://www.piriform.com/about
What I said about the possibility is true, and it wouldn't necessarily be "noisy", but I don't think the probability is very high at all. The odds are you're OK.
I have done what I can do based on what I can see.
There is really no practical way to check all of the (tens of ?) thousands of possibilities that could affect future security.
Good luck going forward. You have done a good job.
askey127
I'm sure Piriform would be happy for the support. See here : http://www.piriform.com/about
What I said about the possibility is true, and it wouldn't necessarily be "noisy", but I don't think the probability is very high at all. The odds are you're OK.
I have done what I can do based on what I can see.
There is really no practical way to check all of the (tens of ?) thousands of possibilities that could affect future security.
Good luck going forward. You have done a good job.
askey127
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.