Hijack Log, Messase Stating Registry Error


This topic is locked
13 replies to this topic

#1 ray260 (Authentic Member, 30 posts)

Posted 03 May 2007 - 09:07 AM

Here's my log. I'm also getting a message asking if I want to debug.


Logfile of HijackThis v1.99.1
Scan saved at 11:22:15, on 2007-05-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Usager\Local Settings\Temp\Répertoire temporaire 2 pour HijackThis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=fr-ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16....es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E72B5FF-1896-41A9-9F16-24A2AB6A027D}: NameServer = 66.158.128.11 66.158.128.131
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E72B5FF-1896-41A9-9F16-24A2AB6A027D}: NameServer = 66.158.128.11 66.158.128.131
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.000\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.000\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



#2 Susan528 (SuperMember, 3,194 posts)

Posted 03 May 2007 - 12:45 PM

Hello Ray and Welcome to TomCoyote,

Please do the following:

STEP 1.
======
Please download AVG Anti-Spyware from HERE
and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen
    • select the icon "Update"
    • then select the "Update now" link.
    • Next select the "Start Update" button,
      the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of
    the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then
    select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting
    your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or
    programs while ewido is scanning, it may interfere with the scanning process.
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab,
    then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the
    screen and save it to a text file on your system (make sure to remember where
    you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
STEP 2.
======
Deckard's System Scanner

Download Deckard's System Scanner (DSS) from http://www.techsuppo...eckard/dss.exe to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
Please post (reply) with the logs from the AVG Anti-Spyware and the Deckard's System Scanner.

Edited by Susan528, 03 May 2007 - 12:46 PM.


Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 ray260 (Authentic Member, 30 posts)

Posted 03 May 2007 - 05:39 PM

I did the scans and a couple of nasties showed up. I had not thought of scanning in safe mode. Here are the logs. Thanks for your help.

Deckard's System Scanner v20070426.43
Run by Usager on 2007-05-03 at 17:56:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2007-05-03 20:57:09 UTC - RP7 - Deckard's System Scanner Restore Point
6: 2007-05-03 19:17:23 UTC - RP6 - Installed ANIWZCS2 Service
5: 2007-05-03 19:16:29 UTC - RP5 - Installed ANIO Service
4: 2007-05-03 19:14:23 UTC - RP4 - Installé AirPlus G
3: 2007-05-02 16:17:13 UTC - RP3 - Opération de restauration


-- First Restore Point --
1: 2007-05-01 20:21:59 UTC - RP1 - Point de vérification système


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Usager.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:07:27, on 2007-05-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\Usager\Bureau\dss.exe
E:\HIJACK~1\Usager.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=fr-ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16....es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.000\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.000\
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-- HijackThis Fixed Entries (E:\HIJACK~1\backups\) -----------------------------

backup-20051002-112422-321 O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
backup-20051002-112422-541 O4 - HKLM\..\Run: [ms-update] scvhost.exe
backup-20051002-112422-561 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS.000\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS.000\SYSTEM32\SHELL32.DLL,2
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL %1,%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS.000\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS.000\System32\migicons.exe,8
.reg - regfile - DefaultIcon - C:\WINDOWS.000\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS.000\System32\migicons.exe,7


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - c:\windows.000\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>


-- Scheduled Tasks -------------------------------------------------------------

2007-05-03 16:38:04 266 --ah----- C:\WINDOWS.000\Tasks\Rappel d'expiration de la désinstallation.job


-- Files created between 2007-04-03 and 2007-05-03 -----------------------------

2007-05-03 16:17:31 143360 --a------ C:\WINDOWS.000\System32\WlanApp.dll <Not Verified; Alpha Networks Inc.; WlanApp Dynamic Link Library>
2007-05-03 16:17:31 221184 --a------ C:\WINDOWS.000\System32\wlanapi.dll <Not Verified; Alpha Networks Inc.; WLANAPI Dynamic Link Library>
2007-05-03 16:17:30 1323095 --a------ C:\WINDOWS.000\System32\odSupp_M.dll <Not Verified; Funk Software, Inc.; Odyssey Supplicant Toolkit>
2007-05-03 16:17:29 49152 --a------ C:\WINDOWS.000\System32\AQCKGen.dll <Not Verified; Alpha Networks Inc.; AQuickKey Generator>
2007-05-03 16:17:29 368640 --a------ C:\WINDOWS.000\System32\ANIWZCS2.dll <Not Verified; Alpha Networks Inc.; ANIWZCS Dynamic Link Library>
2007-05-03 16:17:29 212992 --a------ C:\WINDOWS.000\System32\aIPH.dll <Not Verified; Alpha Networks Inc.; IPH Dynamic Link Library>
2007-05-03 16:17:28 57407 --a------ C:\WINDOWS.000\System32\ANICtl.dll <Not Verified; Alpha Networks Inc.; DevCtrl Dynamic Link Library>
2007-05-03 16:16:37 28205 --a------ C:\WINDOWS.000\System32\ANIO.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
2007-05-03 16:16:36 11904 --a------ C:\WINDOWS.000\System32\anio4.sys <Not Verified; ANI; ANIO (NDIS4) Driver>
2007-05-03 16:16:35 36864 --a------ C:\WINDOWS.000\System32\ANIOApi.dll <Not Verified; Alpha Networks Inc.; ANIO Helper DLL API library>
2007-05-03 16:16:32 0 d-------- C:\Program Files\ANI
2007-05-02 13:28:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-05-02 13:28:41 0 d-------- C:\Documents and Settings\Usager\Application Data\MSN6
2007-05-01 14:42:16 0 d-------- C:\Documents and Settings\Usager\.housecall6.6
2007-05-01 12:24:02 0 d-------- C:\Program Files\D-Link
2007-05-01 12:23:00 0 d-------- C:\Program Files\Fichiers communs\InstallShield
2007-04-27 14:07:13 0 d--h----- C:\WINDOWS.000\System32\GroupPolicy
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2007-04-27 11:39:30 0 dr-h----- C:\Documents and Settings\Administrateur\SendTo
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Recent
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Modèles
2007-04-27 11:39:30 0 d-------- C:\Documents and Settings\Administrateur\Mes documents
2007-04-27 11:39:30 0 dr------- C:\Documents and Settings\Administrateur\Menu Démarrer
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Local Settings
2007-04-27 11:39:30 0 d-------- C:\Documents and Settings\Administrateur\Favoris
2007-04-27 11:39:30 0 d---s---- C:\Documents and Settings\Administrateur\Cookies
2007-04-27 11:39:30 0 d-------- C:\Documents and Settings\Administrateur\Bureau
2007-04-27 11:39:30 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data
2007-04-27 11:39:30 0 d---s---- C:\Documents and Settings\Administrateur\Application Data\Microsoft
2007-04-27 11:39:29 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau
2007-04-27 11:39:28 1572864 --ah----- C:\Documents and Settings\Administrateur\ntuser.dat
2007-04-23 18:36:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-04-18 08:36:43 0 --ahs---- C:\WINDOWS.000\System32\.exe
2007-04-13 22:26:49 0 d-------- C:\1c9452883093c1f7f8bd8448fb
2007-04-13 20:35:09 25600 --a------ C:\WINDOWS.000\System32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-13 20:35:09 0 d--h---c- C:\WINDOWS.000\$xpsp1hfm$


-- Find3M Report ---------------------------------------------------------------

2007-05-03 17:52:21 0 d-------- C:\Program Files\Symantec AntiVirus
2007-05-03 16:18:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-02 13:43:40 0 d-------- C:\Program Files\Fichiers communs\SERVICES
2007-05-01 12:23:00 0 d-a------ C:\Program Files\Fichiers communs
2007-03-14 23:42:07 0 d--h----- C:\Program Files\WindowsUpdate
2007-03-14 23:32:29 0 d-------- C:\Documents and Settings\Usager\Application Data\RegUpdate
2007-03-13 17:40:50 0 d-------- C:\Program Files\Microsoft.NET
2007-03-13 17:37:16 0 d-------- C:\Program Files\Fichiers communs\DESIGNER
2007-03-13 17:37:00 0 d-------- C:\Program Files\Microsoft Works
2007-03-13 17:08:16 0 d-------- C:\Program Files\Symantec
2007-03-13 14:36:28 361378 --ah----- C:\WINDOWS.000\System32\perfh00C.dat
2007-03-13 14:36:28 46064 --ah----- C:\WINDOWS.000\System32\perfc00C.dat
2007-03-13 14:19:22 0 d-------- C:\Program Files\microsoft frontpage
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Symantec
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Spybot - Search & Destroy
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Registry Cleaner
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\MSNInstaller
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Macromedia
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\InterTrust
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Adobe
2007-03-13 14:11:24 0 d-------- C:\Documents and Settings\Usager\Application Data\Identities
2007-03-13 14:10:44 248832 --ah----- C:\WINDOWS.000\System32\migicons.exe <Not Verified; Microsoft Corporation; Système d'exploitation Microsoft® Windows®>
2007-03-13 14:02:20 0 d-------- C:\Program Files\Movie Maker
2007-03-13 14:01:14 0 d-------- C:\Program Files\Fichiers communs\MSSoap
2007-03-13 13:59:02 21892 --ah----- C:\WINDOWS.000\System32\emptyregdb.dat
2007-03-13 13:57:30 0 d-------- C:\Program Files\Messenger
2007-03-13 13:57:16 0 d-------- C:\Program Files\MSN Gaming Zone
2007-03-13 13:56:54 0 d-------- C:\Program Files\Windows NT
2007-03-13 13:44:18 0 d-------- C:\Program Files\Fichiers communs\SpeechEngines
2007-03-13 13:43:30 62 --ahs---- C:\Documents and Settings\Usager\Application Data\desktop.ini
2007-03-06 11:43:32 462589 --ah----- C:\WINDOWS.000\ShellIconCache
2007-03-06 11:38:48 518 --a------ C:\AUTOEXEC.BAT
2007-03-02 18:29:14 158 --a------ C:\CONFIG.SYS
2007-03-02 18:16:42 14215 --ah----- C:\WINDOWS.000\ttfCache


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS.000\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"BayMgr"="DockApp.exe"
"IrMon"="IrMon.exe"
"QuickTime Task"="\"C:\\WINDOWS.000\\SYSTEM32\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Symantec Core LC"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\CCPD-LC\\symlcsvc.exe\" start"
"ccApp"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"KB891711"="C:\\WINDOWS.000\\SYSTEM\\KB891711\\KB891711.EXE"
"KB918547"="C:\\WINDOWS.000\\SYSTEM\\KB918547\\KB918547.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\johnj315]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="johnj315"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Usager\\3.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSMSGS"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvccc66]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msvccc66"
"hkey"="HKLM"
"command"="svcchosst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SystemTray"
"hkey"="HKLM"
"command"="SysTray.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vptray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\



-- End of Deckard's System Scanner: finished at 2007-05-03 at 18:08:49 ---------


Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professionnel (build 2600)
Architecture: X86; Language: French

CPU 0: Processeur Intel Pentium II
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 127.48 MiB / 18.55 MiB
Pagefile Memory (total/avail): 307.04 MiB / 111.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1975.02 MiB

C: is Fixed (NTFS) - 11.1 GiB total, 7.73 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Usager\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Fichiers communs
COMPUTERNAME=DELL
ComSpec=C:\WINDOWS.000\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Usager
LOGONSERVER=\\DELL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS.000\system32;C:\WINDOWS.000;C:\WINDOWS.000\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=060a
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS.000
TEMP=C:\DOCUME~1\Usager\LOCALS~1\Temp
TMP=C:\DOCUME~1\Usager\LOCALS~1\Temp
USERDOMAIN=DELL
USERNAME=Usager
USERPROFILE=C:\Documents and Settings\Usager
winbootdir=C:\WINDOWS.000
windir=C:\WINDOWS.000


-- User Profiles ---------------------------------------------------------------

Usager (admin)
Administrateur (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS.000\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS.000\ISUN040C.EXE -f"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\98\Uninst.isu" -c"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\98\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS.000\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AirPlus G --> C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025} /l1036
ANIO Service --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
AnswerWorks Runtime --> C:\WINDOWS.000\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Correctif Windows XP - KB842773 --> C:\WINDOWS.000\$NtUninstallKB842773$\spuninst\spuninst.exe
HijackThis 1.99.1 --> E:\HIJACK~1\HijackThis.exe /uninstall
hp psc 700 series --> "C:\Program Files\Hewlett-Packard\hp psc 700 series\Uninstall\hpourn07.exe" /Path="C:\Program Files\Hewlett-Packard\hp psc 700 series" /Uninstall="hp psc 700 series"
Internet Explorer Q916281 --> C:\WINDOWS.000\ieuninst.exe C:\WINDOWS.000\INF\Q916281.inf
IS Scan --> C:\WINDOWS.000\uninst.exe -fC:\Bjscan\DeIsL1.isu
Latitude Dock Quick Install for Windows 9x --> C:\WINDOWS.000\IsUninst.exe -f"C:\WINDOWS.000\Quick Install\Uninst.isu"
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{9011040C-6000-11D3-8CFE-0150048383C9}
Microsoft VGX Q833989 --> C:\WINDOWS.000\vgxuninst.exe C:\WINDOWS.000\INF\Q833989.inf
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Outlook Express Q837009 --> C:\WINDOWS.000\oeuninst.exe C:\WINDOWS.000\INF\Q837009.inf
Package du correctif Windows XP [voir Q329115 pour plus de détails] --> C:\WINDOWS.000\$NtUninstallQ329115$\spuninst\spuninst.exe
Softex BayManager --> C:\WINDOWS.000\IsUn040c.exe -f"C:\Program Files\Softex\BayManager\Win98\Uninst.isu" -c"C:\Program Files\Softex\BayManager\Win98\Uninstal.dll
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Symantec Technical Support Web Controls --> MsiExec.exe /X{5FCDE341-328B-434B-9F21-AF5BADB57852}
Synaptics TouchPad --> C:\WINDOWS.000\uninst.exe -f"C:\Program Files\Synaptics\DeIsL1.isu" -c"C:\Program Files\Synaptics\SynTP\SynISDLL.dll
Xircom Ethernet + Modem 56 --> APUNINST.EXE C:\XIRCOM\CBEM\APUNINST.UNI


-- End of Deckard's System Scanner: finished at 2007-05-03 at 18:08:49 ---------



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:41:20 2007-05-03

+ Scan result:



C:\Documents and Settings\Usager\Local Settings\Temp\rcuninst.exe -> Adware.ManReg : Ignored.
C:\Documents and Settings\Usager\Mes documents\BRASSERIE St-Antoine-Abbé\setup_rcxp.exe -> Adware.ManReg : Ignored.
C:\Documents and Settings\Usager\Mes documents\setup_rcxp.exe -> Adware.ManReg : Ignored.
C:\WINDOWS.000\SYSTEM32\svcchosst.exe -> Backdoor.SdBot.bhl : Cleaned with backup (quarantined).
C:\Documents and Settings\Usager\3.exe -> Proxy.Slaper.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Usager\Cookies\usager@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@dealtime[3].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@feedback.search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@fr.ca.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@ie.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@search.msn[4].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@search.msn[5].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@ssl-hints.netflame[3].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@m.webtrends[3].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Usager\Cookies\usager@m.webtrends[4].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

#4 Susan528 (SuperMember, 3,194 posts)

Posted 04 May 2007 - 09:38 AM

I was curious as to why you decided to ignore these items.
C:\Documents and Settings\Usager\Local Settings\Temp\rcuninst.exe -> Adware.ManReg : Ignored.
C:\Documents and Settings\Usager\Mes documents\BRASSERIE St-Antoine-Abbé\setup_rcxp.exe -> Adware.ManReg : Ignored.
C:\Documents and Settings\Usager\Mes documents\setup_rcxp.exe -> Adware.ManReg : Ignored.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

Click on Fix Checked when finished and exit HijackThis.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


______________________________
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt
A new hijackthis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
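The entries picked out for removal in the post above (an R0 setting with nothing after the "=", an O3 toolbar with "(no file)", an O16 DPF with no download URL) and the svcchosst.exe hit in the AVG report earlier in the thread are all things that can be spotted mechanically in a HijackThis log. The following script is an added example, not part of HijackThis or of this thread: it parses the 1.99 log format and flags orphaned entries, process names that imitate core Windows binaries, and executables launched from a user profile. The sample log is constructed from lines quoted in the thread plus two process lines (svcchosst.exe and 3.exe) built from the paths in the AVG report; the distance threshold and the list of core process names are the example's own choices.

```python
"""Triage a HijackThis 1.99 log for the entry types a malware-removal helper
removes by hand. Added example; not HijackThis code and not from the thread.
SAMPLE_LOG is constructed from lines quoted in the thread plus two process
lines built from paths in the AVG scan report."""
import re

# Core Windows processes that malware commonly imitates with near-miss names
# (assumption: this list and the edit-distance threshold of 2 are the example's).
CORE_PROCESSES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\SYSTEM32\svcchosst.exe
C:\Documents and Settings\Usager\3.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.000\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.000\
"""


def levenshtein(a, b):
    """Plain edit distance, used to catch look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Split a HijackThis log into (process paths, [(section code, body)])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def system_root(processes):
    """Derive %SystemRoot% from the smss.exe path (C:\WINDOWS.000 in this thread)."""
    for p in processes:
        m = re.match(r"^(.*)\\system32\\smss\.exe$", p, re.I)
        if m:
            return m.group(1).lower()
    return None


def triage(text):
    """Return (kind, line, reason) tuples for entries worth a second look."""
    processes, entries = parse_log(text)
    root = system_root(processes)
    findings = []
    for p in processes:
        name = p.rsplit("\\", 1)[-1].lower()
        directory = p[: -len(name) - 1].lower()
        if name in CORE_PROCESSES:
            in_system32 = root is not None and directory.startswith(root + "\\system32")
            if not in_system32 and not (name == "explorer.exe" and directory == root):
                findings.append(("process", p, "core process outside %SystemRoot%\\system32"))
        else:
            for core in CORE_PROCESSES:
                if levenshtein(name, core) <= 2:
                    findings.append(("process", p, f"name imitates {core}"))
                    break
        if "\\documents and settings\\" in directory and "\\program files" not in directory:
            findings.append(("process", p, "executable running from a user profile"))
    for code, body in entries:
        if code in ("R0", "R1") and body.endswith("="):
            findings.append((code, body, "empty IE setting; fixing it restores the default"))
        elif code == "O3" and body.endswith("(no file)"):
            findings.append((code, body, "orphaned toolbar CLSID"))
        elif code == "O16" and body.endswith("-"):
            findings.append((code, body, "ActiveX download entry without a source URL"))
        elif code == "O20" and not body.lower().endswith(".dll"):
            findings.append((code, body, "Winlogon Notify handler is not a DLL path; verify"))
    return findings


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}: {line}")
```

The O20 check deliberately reports rather than condemns: WgaLogon with a bare directory path is a legitimate Windows Genuine Advantage entry in the logs posted here, so a Notify handler without a .dll path is something to verify, not something to fix on sight.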

#5 ray260 (Authentic Member, 30 posts)

Posted 04 May 2007 - 10:11 AM

Thanks, Susan, for your help. The items you asked about were marked "ignore", so I did. Running in safe mode reduced the screen size. Should I rescan and remove them? Here are the logs.
Ray

Logfile of HijackThis v1.99.1
Scan saved at 13:06:26, on 2007-05-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS.000\system32\NOTEPAD.EXE
C:\Documents and Settings\Usager\Bureau\crack\HiJackThis_v2.exe
C:\WINDOWS.000\system32\NOTEPAD.EXE
E:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=fr-ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16....es/MsnPUpld.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.000\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.000\
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe




SmitFraudFix v2.174

Report made at 12:53:06,80, 2007-05-04
Run from C:\Documents and Settings\Usager\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The file system type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS.000\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS.000


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS.000\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS.000\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS.000\system32

C:\WINDOWS.000\system32\migicons.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usager


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usager\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Usager\Favoris


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop items

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Warning, the keys that follow are not necessarily infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Warning, the keys that follow are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Warning, the keys that follow are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Searching for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6 Susan528 (SuperMember, 3,194 posts)

Posted 04 May 2007 - 12:19 PM

I would have removed the items by AVG anti-spy or at least quarantined them unless you know of a reason to keep them.

The Smitfraud fix requires AVG Anti-Spyware to be run. I once asked the developer of a tool whether AVG Anti-Spyware needed to be run again if it had been run previously. He replied yes, so I understand that the sequence may be important. So please run AVG Anti-Spyware again. Although nothing may change, I feel better doing it in the sequence the developer of the tool specified.

Clean

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.


The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-spyware, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If AVG Anti-spyware finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close AVG Anti-spyware and Reboot in Normal Mode.
______________________________

Please post:
  • c:\rapport.txt
  • AVG Anti-spyware log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

#7 ray260 (Authentic Member, 30 posts)

Posted 04 May 2007 - 05:50 PM

Hi, I inadvertently started AVG before the other scan. I stopped it, but only after it had found the items mentioned before. I can't see the whole window because my screen is shrunk on the laptop during safe mode. They were deleted or quarantined. On following your advice and running AVG after the other scan, I notice that it detected the same bad boys as the last scan. Hope this helps, thanks again. Ray


SmitFraudFix v2.174

Report made at 19:11:23,02, 2007-05-04
Run from C:\Documents and Settings\Usager\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The file system type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler before SmitFraudFix
!!!Warning, the keys that follow are not necessarily infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Stopping processes


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS.000\system32\migicons.exe supprimé (deleted)

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting temporary files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Warning, the keys that follow are not necessarily infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry cleaning

Cleaning complete.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler after SmitFraudFix
!!!Warning, the keys that follow are not necessarily infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:21:04 2007-05-04

+ Scan result:



C:\System Volume Information\_restore{9BC21085-91E1-4903-99F7-1371F34FCF37}\RP7\A0000085.exe -> Adware.ManReg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9BC21085-91E1-4903-99F7-1371F34FCF37}\RP6\A0000062.exe -> Backdoor.SdBot.bhl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9BC21085-91E1-4903-99F7-1371F34FCF37}\RP6\A0000061.exe -> Proxy.Slaper.e : Cleaned with backup (quarantined).


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 20:24:11, on 2007-05-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\explorer.exe
C:\WINDOWS.000\System32\taskmgr.exe
E:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.000\System32\CTFMON.EXE
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16....es/MsnPUpld.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.000\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.000\
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#8 Susan528 (SuperMember, 3,194 posts)

Posted 04 May 2007 - 08:20 PM

You got rid of that file if supprime translates as deleted.
C:\WINDOWS.000\system32\migicons.exe supprimé

Run HijackThis . Place a check against each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

Click on Fix Checked when finished and exit HijackThis.

It appears that you are relying on the Windows firewall because I do not see a firewall application installed. Perhaps you have a hardware firewall but a combination of both a software firewall and a hardware firewall is better. Just be sure there are no conflicts. Please do not rely solely on the Windows XP firewall. Using a software firewall other than the XP firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
Test your Firewall - Please test your firewall and make sure it is working properly.
Test Firewall

Also you need to go to the Microsoft site and install Windows Updates. If you need to validate Windows, you can use the link but be sure to use Internet Explorer.
http://www.microsoft.com/genuine/diag/

It is important that you visit Windows Updates regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you do not still have Deckard's System Scanner on your desktop, download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Go to start =>run => copy the following bold text into the box and click OK
    "%userprofile%\desktop\dss.exe" /config
    A pop-up box will appear, please check the Extra log and the Security Center and click the Scan button.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.


#9 ray260 (Authentic Member, 30 posts)

Posted 05 May 2007 - 09:58 AM

Hi Susan, a couple of problems: there was only one of the two entries to remove, 'R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm'.
The other one was not there.
I tried to run DSS as per your instructions but kept getting an error message stating "can't find C:\Documents check your spelling".
I went and ran DSS by itself, but it only generated the main.txt report. Here it is.
I'll have to drive to an area with high speed to download the Windows updates and firewall. My area, only 15 miles from a city of 3 million, only has dial-up. Top speed 28.8 kbps. It's no big deal to go and find a free Wi-Fi site.
Yes, supprimé is deleted.


Deckard's System Scanner v20070426.43
Run by Usager on 2007-05-05 at 12:40:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Usager.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:40:20, on 2007-05-05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\Usager\Bureau\dss.exe
C:\DOCUME~1\Usager\Bureau\HIJACK~1\Usager.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=fr-ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16....es/MsnPUpld.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.000\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.000\
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-- Files created between 2007-04-05 and 2007-05-05 -----------------------------

2007-05-04 12:53:13 1584 --a------ C:\WINDOWS.000\System32\tmp.reg
2007-05-03 16:17:31 143360 --a------ C:\WINDOWS.000\System32\WlanApp.dll <Not Verified; Alpha Networks Inc.; WlanApp Dynamic Link Library>
2007-05-03 16:17:31 221184 --a------ C:\WINDOWS.000\System32\wlanapi.dll <Not Verified; Alpha Networks Inc.; WLANAPI Dynamic Link Library>
2007-05-03 16:17:30 1323095 --a------ C:\WINDOWS.000\System32\odSupp_M.dll <Not Verified; Funk Software, Inc.; Odyssey Supplicant Toolkit>
2007-05-03 16:17:29 49152 --a------ C:\WINDOWS.000\System32\AQCKGen.dll <Not Verified; Alpha Networks Inc.; AQuickKey Generator>
2007-05-03 16:17:29 368640 --a------ C:\WINDOWS.000\System32\ANIWZCS2.dll <Not Verified; Alpha Networks Inc.; ANIWZCS Dynamic Link Library>
2007-05-03 16:17:29 212992 --a------ C:\WINDOWS.000\System32\aIPH.dll <Not Verified; Alpha Networks Inc.; IPH Dynamic Link Library>
2007-05-03 16:17:28 57407 --a------ C:\WINDOWS.000\System32\ANICtl.dll <Not Verified; Alpha Networks Inc.; DevCtrl Dynamic Link Library>
2007-05-03 16:16:37 28205 --a------ C:\WINDOWS.000\System32\ANIO.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
2007-05-03 16:16:36 11904 --a------ C:\WINDOWS.000\System32\anio4.sys <Not Verified; ANI; ANIO (NDIS4) Driver>
2007-05-03 16:16:35 36864 --a------ C:\WINDOWS.000\System32\ANIOApi.dll <Not Verified; Alpha Networks Inc.; ANIO Helper DLL API library>
2007-05-03 16:16:32 0 d-------- C:\Program Files\ANI
2007-05-02 13:28:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-05-02 13:28:41 0 d-------- C:\Documents and Settings\Usager\Application Data\MSN6
2007-05-01 14:42:16 0 d-------- C:\Documents and Settings\Usager\.housecall6.6
2007-05-01 12:24:02 0 d-------- C:\Program Files\D-Link
2007-05-01 12:23:00 0 d-------- C:\Program Files\Fichiers communs\InstallShield
2007-04-27 14:07:13 0 d--h----- C:\WINDOWS.000\System32\GroupPolicy
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage d'impression
2007-04-27 11:39:30 0 dr-h----- C:\Documents and Settings\Administrateur\SendTo
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Recent
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Modèles
2007-04-27 11:39:30 0 d-------- C:\Documents and Settings\Administrateur\Mes documents
2007-04-27 11:39:30 0 dr------- C:\Documents and Settings\Administrateur\Menu Démarrer
2007-04-27 11:39:30 0 d--h----- C:\Documents and Settings\Administrateur\Local Settings
2007-04-27 11:39:30 0 d-------- C:\Documents and Settings\Administrateur\Favoris
2007-04-27 11:39:30 0 d---s---- C:\Documents and Settings\Administrateur\Cookies
2007-04-27 11:39:30 0 d-------- C:\Documents and Settings\Administrateur\Bureau
2007-04-27 11:39:30 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data
2007-04-27 11:39:30 0 d---s---- C:\Documents and Settings\Administrateur\Application Data\Microsoft
2007-04-27 11:39:29 0 d--h----- C:\Documents and Settings\Administrateur\Voisinage réseau
2007-04-27 11:39:28 1572864 --ah----- C:\Documents and Settings\Administrateur\ntuser.dat
2007-04-23 18:36:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-04-18 08:36:43 0 --ahs---- C:\WINDOWS.000\System32\.exe
2007-04-13 22:26:49 0 d-------- C:\1c9452883093c1f7f8bd8448fb
2007-04-13 20:35:09 25600 --a------ C:\WINDOWS.000\System32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-13 20:35:09 0 d--h---c- C:\WINDOWS.000\$xpsp1hfm$


-- Find3M Report ---------------------------------------------------------------

2007-05-05 12:11:59 0 d-------- C:\Program Files\Symantec AntiVirus
2007-05-03 16:18:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-02 13:43:40 0 d-------- C:\Program Files\Fichiers communs\SERVICES
2007-05-01 12:23:00 0 d-a------ C:\Program Files\Fichiers communs
2007-03-14 23:42:07 0 d--h----- C:\Program Files\WindowsUpdate
2007-03-14 23:32:29 0 d-------- C:\Documents and Settings\Usager\Application Data\RegUpdate
2007-03-13 17:40:50 0 d-------- C:\Program Files\Microsoft.NET
2007-03-13 17:37:16 0 d-------- C:\Program Files\Fichiers communs\DESIGNER
2007-03-13 17:37:00 0 d-------- C:\Program Files\Microsoft Works
2007-03-13 17:08:16 0 d-------- C:\Program Files\Symantec
2007-03-13 14:36:28 361378 --ah----- C:\WINDOWS.000\System32\perfh00C.dat
2007-03-13 14:36:28 46064 --ah----- C:\WINDOWS.000\System32\perfc00C.dat
2007-03-13 14:19:22 0 d-------- C:\Program Files\microsoft frontpage
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Symantec
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Spybot - Search & Destroy
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Registry Cleaner
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\MSNInstaller
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Macromedia
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\InterTrust
2007-03-13 14:11:26 0 d-------- C:\Documents and Settings\Usager\Application Data\Adobe
2007-03-13 14:11:24 0 d-------- C:\Documents and Settings\Usager\Application Data\Identities
2007-03-13 14:02:20 0 d-------- C:\Program Files\Movie Maker
2007-03-13 14:01:14 0 d-------- C:\Program Files\Fichiers communs\MSSoap
2007-03-13 13:59:02 21892 --ah----- C:\WINDOWS.000\System32\emptyregdb.dat
2007-03-13 13:57:30 0 d-------- C:\Program Files\Messenger
2007-03-13 13:57:16 0 d-------- C:\Program Files\MSN Gaming Zone
2007-03-13 13:56:54 0 d-------- C:\Program Files\Windows NT
2007-03-13 13:44:18 0 d-------- C:\Program Files\Fichiers communs\SpeechEngines
2007-03-13 13:43:30 62 --ahs---- C:\Documents and Settings\Usager\Application Data\desktop.ini
2007-03-06 11:43:32 462589 --ah----- C:\WINDOWS.000\ShellIconCache
2007-03-06 11:38:48 518 --a------ C:\AUTOEXEC.BAT
2007-03-02 18:29:14 158 --a------ C:\CONFIG.SYS
2007-03-02 18:16:42 14215 --ah----- C:\WINDOWS.000\ttfCache


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS.000\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"BayMgr"="DockApp.exe"
"IrMon"="IrMon.exe"
"QuickTime Task"="\"C:\\WINDOWS.000\\SYSTEM32\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Symantec Core LC"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\CCPD-LC\\symlcsvc.exe\" start"
"ccApp"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"KB891711"="C:\\WINDOWS.000\\SYSTEM\\KB891711\\KB891711.EXE"
"KB918547"="C:\\WINDOWS.000\\SYSTEM\\KB918547\\KB918547.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\johnj315]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="johnj315"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Usager\\3.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSMSGS"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvccc66]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msvccc66"
"hkey"="HKLM"
"command"="svcchosst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SystemTray"
"hkey"="HKLM"
"command"="SysTray.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vptray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\



-- End of Deckard's System Scanner: finished at 2007-05-05 at 12:41:26 ---------
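The Registry Dump above is what an analyst reads by eye: Run keys and msconfig-disabled startup items, each with the command that would be launched at logon. As an added example (not part of the original post, and not a feature of Deckard's System Scanner or HijackThis), the Python script below parses those blocks in the format the dump uses and lists entries for manual review under three heuristics that are this example's own assumptions: a basename within two character edits of a core Windows binary such as svchost.exe; an executable sitting directly in a user profile or under Temp or Application Data; and a bare file name with no directory, which Windows resolves through PATH at logon. The sample input is a handful of lines copied from the dump above (some values omitted). The output is a review list, not a verdict: SysTray.Exe appears only because it is a bare name, and any flagged entry still has to be checked against the file on disk.

```python
r"""Triage the Registry Dump section of a Deckard's System Scanner log for autostart
entries worth a second look. Added example, not part of the original post or of DSS."""
from __future__ import annotations

import re
from collections import namedtuple

# Assumptions of this example: names malware commonly imitates, and the look-alike threshold.
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
LOOKALIKE_MAX_DISTANCE = 2

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # "name"="value"; value may contain \" and \\
EXE_RE = re.compile(r'^\s*"?(.*?\.exe)\b', re.IGNORECASE)
# Executable directly under a profile root, or anywhere under Temp / Application Data.
PROFILE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:[^\\]+$|local settings\\temp\\|application data\\)"
)

# Constructed sample: lines copied from the Registry Dump above (some values omitted).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\johnj315]
"command"="C:\\Documents and Settings\\Usager\\3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvccc66]
"command"="svcchosst.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
"command"="SysTray.Exe"
'''

Finding = namedtuple("Finding", "name key command exe reasons")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unescape(raw: str) -> str:
    return re.sub(r"\\(.)", r"\1", raw)  # undo .reg-style backslash escaping


def executable_of(command: str) -> str:
    """Program path from a command line; tolerates unquoted paths containing spaces."""
    m = EXE_RE.match(command)
    return m.group(1) if m else (command.strip().strip('"').split() or [""])[0]


def parse_autostarts(text: str) -> list[tuple[str, str, str]]:
    """(item name, registry key, command) for Run-style keys and msconfig startupreg blocks."""
    entries: list[tuple[str, str, str]] = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or not key:
            continue
        name, value = vm.group(1), unescape(vm.group(2))
        lowered = key.lower()
        if "\\msconfig\\startupreg\\" in lowered:
            if name.lower() == "command":  # item name is the last key component
                entries.append((key.split("\\")[-1], key, value))
        elif lowered.split("\\")[-1].startswith("run"):  # run, run-, runservices-, ...
            entries.append((name, key, value))
    return entries


def triage(text: str) -> list[Finding]:
    """Apply the three heuristics; an entry is returned only if at least one fires."""
    findings = []
    for name, key, command in parse_autostarts(text):
        exe = executable_of(command)
        base = exe.replace("/", "\\").split("\\")[-1].lower()
        reasons = []
        for core in CORE_BINARIES:
            if 0 < levenshtein(base, core) <= LOOKALIKE_MAX_DISTANCE:
                reasons.append(f"look-alike of {core}")
        if PROFILE_RE.search(exe.lower()):
            reasons.append("profile-resident")
        if "\\" not in exe:
            reasons.append("bare name")  # resolved through PATH at logon, origin unclear
        if reasons:
            findings.append(Finding(name, key, command, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.name:12} {f.exe:45} {', '.join(f.reasons)}")
```

Run it as a script to print the flagged entries, or import triage() and feed it the whole Registry Dump section of a log; the look-alike check deliberately ignores exact matches, so a genuine svchost.exe entry is never reported on that ground.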

#10 Susan528 (SuperMember, 3,194 posts)

Posted 06 May 2007 - 08:28 AM

http://support.microsoft.com/kb/142545

Windows Setup searches your hard disk for a valid Windows folder to upgrade. If Setup finds a Windows folder with missing or damaged files, it defaults to installing Windows in the Windows.000 or Windows98.000 folder.

Both Windows 95 and Windows 98 Setup increment the number for the folder if a previous install created a .000 file (001, 002, and so on).


I am guessing you had Windows 98 and upgraded it because the ttfcache file is a Windows 98 file relating to fonts and you have it present on your system.

I am wondering if you will be able to actually install Windows Updates in the present condition of your system, if the Windows folder has missing or damaged files. If you are not able to install Windows Updates, it is only a matter of time before you become infected again.

"If you are running an illegal copy of Windows, you have an option to pay for it and make it good, uninstall and go to a free version of Linux, or just deal with all the insecurities and problems you now have, TC does not support the use of illegal software". Tom Coyote Wilson

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#11 ray260 (Authentic Member, 30 posts)

Posted 06 May 2007 - 10:45 AM

I want to thank you for all your help. I am actually helping a friend with this. Yes, he did upgrade from Win98. He had sent it to a tech because of spyware and it came back with XP. How do you tell if it's an illegal copy? He's had nothing but misery since the 'UP'grade and the tech has disappeared. By the way, my wife says to ask you if you're married, because we have a friend in Louisiana who's looking for somebody of quality and she thinks you qualify. You have been very helpful and informative at the same time. PS: when it was on, Windows Update did work; I only disabled it because of 28.8 kbps speed on the internet. I'm going to go to a high-speed area to keep the updates working, but now, with the bad file comment, I wonder if I should. Is it possible that it's a legit XP that is installed incorrectly? Either way, it's people like you that help to make all this worthwhile. Thank you. Ray

#12 Susan528 (SuperMember, 3,194 posts)

Posted 06 May 2007 - 04:27 PM

http://www.microsoft...ws/default.mspx

You can go to the above link and check.

Did the tech give your friend any Windows CDs? Did he give you any Windows XP booklets?

By the way, my wife says to ask you if you're married, because we have a friend in Louisiana who's looking for somebody of quality and she thinks you qualify. You have been very helpful and informative at the same time.


You are very kind, but I am happily married to an Okie from Muskogee and have been married since 1978.

I volunteered for an organization which had purchased a built computer from a local computer business, and it had pirated Windows XP on it. We were given no CDs, no booklet, and there was no COA sticker on it either. I co-operated with Microsoft and was told what to ask for, but the person would never deliver. I hated to see the organization ripped off by a dishonest business. It became infected and I would try to install the updates, but the updates would never install.

#13 Susan528 (SuperMember, 3,194 posts)

Posted 08 May 2007 - 10:32 AM

I obtained this information. The Product Key is required as input during the installation.

The computer owner should have been given the installation CD, the Product Key, and the Certificate of Authenticity. Sometimes the Product Key is printed on the Certificate. There is no booklet anymore.



#14 Susan528 (SuperMember, 3,194 posts)

Posted 24 May 2007 - 06:17 AM

Because no reply was made, this topic is now closed. If you wish it reopened, please send us an email with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.


Also follow the recommendations in Tony Klein's article "So how did I get infected in the first place?"
