Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] hi computer slows down and I receive kind of trap-aler


  • This topic is locked This topic is locked
10 replies to this topic

#1 syl20

syl20

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 09 November 2007 - 06:06 AM

Hi,since one week ago i happen to receive some message in my quick start bar telling I'm infected either by trojan-spy@mx 32 or Networm-i.virus@fp.Also he invites me to d/l an special spyware.I don't really trust this message and think it may be a trap. The icon which appears in the quick start bar is a yellow triangular sign with a black "!" .
Here's my hijack info.
Hope you can help me understanding it.
Thank you


Bye Sylvain

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:25, on 09/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sylvain\Bureau\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\uvotkcuq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: Antivirus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c0093073.dat
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\hkyixdeo.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4449 bytes

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2007 - 05:57 AM

Hello and welcome to the forums

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick while its running. That may cause it to stall

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 syl20

syl20

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 11 November 2007 - 03:39 PM

Hi LD tate thank you for your instant answer.
Here you'll find both logs.The combofix log titles are in french.
have a nice week
Sylvain

ComboFix 07-11-08.1 - Sylvain 2007-11-11 22:12:41.1 - NTFSx86
Running from: C:\Documents and Settings\Sylvain\Bureau\ComboFix.exe
* Created a new restore point
.

Incapable d'obtenir les privilèges Système

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk
C:\Documents and Settings\Sylvain\Bureau\Live Safety Center.lnk
C:\Documents and Settings\Sylvain\Bureau\Online Security Guide.lnk
C:\Documents and Settings\Sylvain\Favoris\Online Security Guide.lnk
C:\WINDOWS\system32\hgjjl.bak1
C:\WINDOWS\system32\hgjjl.bak2
C:\WINDOWS\system32\hgjjl.ini
C:\WINDOWS\system32\hgjjl.ini2
C:\WINDOWS\system32\hgjjl.tmp
C:\WINDOWS\system32\ljjgh.dll
C:\WINDOWS\system32\qknovhnf.dll
C:\WINDOWS\system32\qohlrdft.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))))))))
.

2007-11-11 22:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 17:32 71,232 --a------ C:\WINDOWS\system32\tjliwxxs.exe
2007-11-09 21:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-09 20:49 <REP> d-------- C:\Program Files\eMule
2007-11-09 14:40 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\Talkback
2007-11-09 14:39 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-07 11:37 86,080 --a------ C:\WINDOWS\system32\vuabbprm.dll
2007-11-07 11:34 79,936 --a------ C:\WINDOWS\system32\ogbfrssq.dll
2007-11-07 11:30 71,232 --a------ C:\WINDOWS\system32\aquxvyhj.exe
2007-11-07 11:29 145,984 --a------ C:\WINDOWS\system32\ayjmvdrj.dll
2007-11-04 12:16 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\vlc
2007-11-04 12:13 <REP> d-------- C:\Program Files\VideoLAN
2007-11-03 18:01 123 --a------ C:\WINDOWS\system32\oghiysc.bat
2007-11-03 13:41 154,624 --a------ C:\WINDOWS\system32\netman.dll
2007-11-03 13:35 1,006,592 --a------ C:\WINDOWS\system32\esent.dll
2007-11-03 13:34 25,600 --------- C:\WINDOWS\system32\verclsid.exe
2007-11-03 13:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-03 13:26 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-11-03 13:26 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-11-03 13:05 125 --a------ C:\WINDOWS\system32\orsbns.bat
2007-11-03 12:58 35,328 --a------ C:\WINDOWS\system32\ljjjhgg.dll
2007-11-02 21:02 40,960 --a------ C:\WINDOWS\system32\cazvky.exe
2007-11-02 21:02 12,288 --a------ C:\WINDOWS\system32\eqaijawh.exe
2007-11-02 19:50 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-11-02 19:50 36,864 --a--c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2007-11-02 19:49 <REP> d--h----- C:\WINDOWS\$hf_mig$
2007-11-02 19:49 1,110,528 --a------ C:\WINDOWS\system32\msxml3.dll
2007-11-02 14:43 <REP> d-------- C:\WINDOWS\system32\bits
2007-11-02 14:28 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-11-02 14:28 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-11-02 14:28 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-11-02 14:28 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-11-02 14:28 170,776 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-11-02 14:28 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-11-02 14:27 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 14:19 <REP> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-01 10:34 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2007-11-01 10:34 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-10-31 15:58 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2007-10-31 15:55 <REP> d-------- C:\WINDOWS\Downloaded Installations
2007-10-30 10:01 <REP> d-------- C:\Documents and Settings\Sylvain\Contacts
2007-10-30 10:00 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 09:52 <REP> d-------- C:\Program Files\MSN Messenger
2007-10-30 09:27 <REP> d-------- C:\Program Files\WhatsRunning
2007-10-30 09:23 <REP> d-------- C:\Program Files\Google
2007-10-30 09:23 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-30 09:20 <REP> d-------- C:\Program Files\Port Detective
2007-10-30 09:20 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-10-30 09:09 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\Grisoft
2007-10-29 19:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-29 19:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-29 19:42 <REP> d---s---- C:\Documents and Settings\Sylvain\UserData

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 21:22 6,343,712 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 21:19 86,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 21:19 19,712 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-11 21:19 188,192 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 21:11 --------- d-----w C:\Program Files\Kaspersky Lab
2007-10-29 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 17:41 --------- d-----w C:\Program Files\Kit ADSL
2007-10-29 17:41 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2007-10-29 17:40 --------- d-----w C:\Program Files\CCleaner
2007-10-29 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-29 17:21 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-29 17:18 --------- d-----w C:\Program Files\Services en ligne
2007-10-29 17:17 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2007-10-29 17:07 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2007-10-29 17:07 --------- d-----w C:\Program Files\Fichiers communs\ODBC
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D5AB83E-B256-42EB-A0AA-D58796CBAEC1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{419ad68f-adf2-48e9-b757-9e8f11fa8946}]
C:\WINDOWS\System32\jobnap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c8a2e720-c2e2-46d2-a86e-d02ce0c77f3c}]
2007-11-07 11:34 79936 --a------ C:\WINDOWS\System32\ogbfrssq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]
"@"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 10:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jobnap]
jobnap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhgg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvotkcuq]
uvotkcuq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\ljjgh.dll


*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 22:21:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 22:25:00 - machine was rebooted
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32:38, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sylvain\Bureau\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D5AB83E-B256-42EB-A0AA-D58796CBAEC1} - (no file)
O2 - BHO: (no name) - {419ad68f-adf2-48e9-b757-9e8f11fa8946} - C:\WINDOWS\System32\jobnap.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - (no file)
O2 - BHO: {c3f77c0e-c20d-e68a-2d64-2e2c027e2a8c} - {c8a2e720-c2e2-46d2-a86e-d02ce0c77f3c} - C:\WINDOWS\System32\ogbfrssq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5090] cmd /c del "C:\WINDOWS\system32\uvotkcuq.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: Antivirus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - Winlogon Notify: jobnap - jobnap.dll (file missing)
O20 - Winlogon Notify: ljjjhgg - C:\WINDOWS\
O20 - Winlogon Notify: uvotkcuq - uvotkcuq.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5318 bytes



#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2007 - 03:51 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\tjliwxxs.exe
C:\WINDOWS\system32\vuabbprm.dll
C:\WINDOWS\system32\ogbfrssq.dll
C:\WINDOWS\system32\aquxvyhj.exe
C:\WINDOWS\system32\ayjmvdrj.dll
C:\WINDOWS\system32\oghiysc.bat
C:\WINDOWS\system32\orsbns.bat
C:\WINDOWS\system32\ljjjhgg.dll
C:\WINDOWS\system32\cazvky.exe
C:\WINDOWS\system32\eqaijawh.exe
C:\WINDOWS\System32\jobnap.dll
C:\WINDOWS\System32\ogbfrssq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D5AB83E-B256-42EB-A0AA-D58796CBAEC1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{419ad68f-adf2-48e9-b757-9e8f11fa8946}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c8a2e720-c2e2-46d2-a86e-d02ce0c77f3c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jobnap]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvotkcuq]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 syl20

syl20

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 11 November 2007 - 04:15 PM

hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:43, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sylvain\Bureau\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5090] cmd /c del "C:\WINDOWS\system32\uvotkcuq.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: Antivirus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4810 bytes




ComboFix 07-11-08.1 - Sylvain 2007-11-11 22:12:41.1 - NTFSx86
Running from: C:\Documents and Settings\Sylvain\Bureau\ComboFix.exe
* Created a new restore point
.

Incapable d'obtenir les privilèges Système

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Démarrer\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.lnk
C:\Documents and Settings\Sylvain\Bureau\Live Safety Center.lnk
C:\Documents and Settings\Sylvain\Bureau\Online Security Guide.lnk
C:\Documents and Settings\Sylvain\Favoris\Online Security Guide.lnk
C:\WINDOWS\system32\hgjjl.bak1
C:\WINDOWS\system32\hgjjl.bak2
C:\WINDOWS\system32\hgjjl.ini
C:\WINDOWS\system32\hgjjl.ini2
C:\WINDOWS\system32\hgjjl.tmp
C:\WINDOWS\system32\ljjgh.dll
C:\WINDOWS\system32\qknovhnf.dll
C:\WINDOWS\system32\qohlrdft.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))))))))
.

2007-11-11 22:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 17:32 71,232 --a------ C:\WINDOWS\system32\tjliwxxs.exe
2007-11-09 21:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-09 20:49 <REP> d-------- C:\Program Files\eMule
2007-11-09 14:40 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\Talkback
2007-11-09 14:39 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-07 11:37 86,080 --a------ C:\WINDOWS\system32\vuabbprm.dll
2007-11-07 11:34 79,936 --a------ C:\WINDOWS\system32\ogbfrssq.dll
2007-11-07 11:30 71,232 --a------ C:\WINDOWS\system32\aquxvyhj.exe
2007-11-07 11:29 145,984 --a------ C:\WINDOWS\system32\ayjmvdrj.dll
2007-11-04 12:16 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\vlc
2007-11-04 12:13 <REP> d-------- C:\Program Files\VideoLAN
2007-11-03 18:01 123 --a------ C:\WINDOWS\system32\oghiysc.bat
2007-11-03 13:41 154,624 --a------ C:\WINDOWS\system32\netman.dll
2007-11-03 13:35 1,006,592 --a------ C:\WINDOWS\system32\esent.dll
2007-11-03 13:34 25,600 --------- C:\WINDOWS\system32\verclsid.exe
2007-11-03 13:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-03 13:26 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-11-03 13:26 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-11-03 13:05 125 --a------ C:\WINDOWS\system32\orsbns.bat
2007-11-03 12:58 35,328 --a------ C:\WINDOWS\system32\ljjjhgg.dll
2007-11-02 21:02 40,960 --a------ C:\WINDOWS\system32\cazvky.exe
2007-11-02 21:02 12,288 --a------ C:\WINDOWS\system32\eqaijawh.exe
2007-11-02 19:50 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-11-02 19:50 36,864 --a--c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2007-11-02 19:49 <REP> d--h----- C:\WINDOWS\$hf_mig$
2007-11-02 19:49 1,110,528 --a------ C:\WINDOWS\system32\msxml3.dll
2007-11-02 14:43 <REP> d-------- C:\WINDOWS\system32\bits
2007-11-02 14:28 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-11-02 14:28 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-11-02 14:28 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-11-02 14:28 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-11-02 14:28 170,776 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-11-02 14:28 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-11-02 14:27 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 14:19 <REP> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-01 10:34 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2007-11-01 10:34 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-10-31 15:58 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2007-10-31 15:55 <REP> d-------- C:\WINDOWS\Downloaded Installations
2007-10-30 10:01 <REP> d-------- C:\Documents and Settings\Sylvain\Contacts
2007-10-30 10:00 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 09:52 <REP> d-------- C:\Program Files\MSN Messenger
2007-10-30 09:27 <REP> d-------- C:\Program Files\WhatsRunning
2007-10-30 09:23 <REP> d-------- C:\Program Files\Google
2007-10-30 09:23 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-30 09:20 <REP> d-------- C:\Program Files\Port Detective
2007-10-30 09:20 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-10-30 09:09 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\Grisoft
2007-10-29 19:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-29 19:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-29 19:42 <REP> d---s---- C:\Documents and Settings\Sylvain\UserData

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 21:22 6,343,712 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 21:19 86,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 21:19 19,712 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-11 21:19 188,192 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 21:11 --------- d-----w C:\Program Files\Kaspersky Lab
2007-10-29 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 17:41 --------- d-----w C:\Program Files\Kit ADSL
2007-10-29 17:41 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2007-10-29 17:40 --------- d-----w C:\Program Files\CCleaner
2007-10-29 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-29 17:21 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-29 17:18 --------- d-----w C:\Program Files\Services en ligne
2007-10-29 17:17 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2007-10-29 17:07 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2007-10-29 17:07 --------- d-----w C:\Program Files\Fichiers communs\ODBC
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D5AB83E-B256-42EB-A0AA-D58796CBAEC1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{419ad68f-adf2-48e9-b757-9e8f11fa8946}]
C:\WINDOWS\System32\jobnap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c8a2e720-c2e2-46d2-a86e-d02ce0c77f3c}]
2007-11-07 11:34 79936 --a------ C:\WINDOWS\System32\ogbfrssq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]
"@"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 10:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jobnap]
jobnap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhgg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvotkcuq]
uvotkcuq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\ljjgh.dll


*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 22:21:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 22:25:00 - machine was rebooted
.
--- E O F ---


#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2007 - 04:25 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\tjliwxxs.exe
C:\WINDOWS\system32\vuabbprm.dll
C:\WINDOWS\system32\ogbfrssq.dll
C:\WINDOWS\system32\aquxvyhj.exe
C:\WINDOWS\system32\ayjmvdrj.dll
C:\WINDOWS\system32\oghiysc.bat
C:\WINDOWS\system32\orsbns.bat
C:\WINDOWS\system32\ljjjhgg.dll
C:\WINDOWS\system32\cazvky.exe
C:\WINDOWS\system32\eqaijawh.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\System32\jobnap.dll
C:\WINDOWS\System32\ogbfrssq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D5AB83E-B256-42EB-A0AA-D58796CBAEC1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{419ad68f-adf2-48e9-b757-9e8f11fa8946}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c8a2e720-c2e2-46d2-a86e-d02ce0c77f3c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jobnap]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjhgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvotkcuq]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 syl20

syl20

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 11 November 2007 - 04:41 PM

ComboFix 07-11-08.1 - Sylvain 2007-11-11 23:33:58.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.146 [GMT 1:00]
Running from: C:\Documents and Settings\Sylvain\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sylvain\Bureau\cfscript.txt
* Created a new restore point

FILE
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\aquxvyhj.exe
C:\WINDOWS\system32\ayjmvdrj.dll
C:\WINDOWS\system32\cazvky.exe
C:\WINDOWS\system32\eqaijawh.exe
C:\WINDOWS\System32\jobnap.dll
C:\WINDOWS\system32\ljjjhgg.dll
C:\WINDOWS\System32\ogbfrssq.dll
C:\WINDOWS\system32\ogbfrssq.dll
C:\WINDOWS\system32\oghiysc.bat
C:\WINDOWS\system32\orsbns.bat
C:\WINDOWS\system32\tjliwxxs.exe
C:\WINDOWS\system32\vuabbprm.dll
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\iun6002.exe

.
((((((((((((((((((((((((((((( Fichiers créés 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))))))))
.

2007-11-11 22:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 21:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-09 20:49 <REP> d-------- C:\Program Files\eMule
2007-11-09 14:40 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\Talkback
2007-11-09 14:39 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-04 12:16 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\vlc
2007-11-04 12:13 <REP> d-------- C:\Program Files\VideoLAN
2007-11-03 13:41 154,624 --a------ C:\WINDOWS\system32\netman.dll
2007-11-03 13:35 1,006,592 --a------ C:\WINDOWS\system32\esent.dll
2007-11-03 13:34 25,600 --------- C:\WINDOWS\system32\verclsid.exe
2007-11-03 13:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-03 13:26 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-11-03 13:26 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-11-02 19:50 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-11-02 19:50 36,864 --a--c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2007-11-02 19:49 <REP> d--h----- C:\WINDOWS\$hf_mig$
2007-11-02 19:49 1,110,528 --a------ C:\WINDOWS\system32\msxml3.dll
2007-11-02 14:43 <REP> d-------- C:\WINDOWS\system32\bits
2007-11-02 14:28 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-11-02 14:28 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-11-02 14:28 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-11-02 14:28 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-11-02 14:28 170,776 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-11-02 14:28 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-11-02 14:27 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 14:19 <REP> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-01 10:34 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2007-11-01 10:34 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-10-31 15:58 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2007-10-31 15:55 <REP> d-------- C:\WINDOWS\Downloaded Installations
2007-10-30 10:01 <REP> d-------- C:\Documents and Settings\Sylvain\Contacts
2007-10-30 10:00 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 09:52 <REP> d-------- C:\Program Files\MSN Messenger
2007-10-30 09:27 <REP> d-------- C:\Program Files\WhatsRunning
2007-10-30 09:23 <REP> d-------- C:\Program Files\Google
2007-10-30 09:23 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-30 09:20 <REP> d-------- C:\Program Files\Port Detective
2007-10-30 09:09 <REP> d-------- C:\Documents and Settings\Sylvain\Application Data\Grisoft
2007-10-29 19:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-29 19:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-29 19:42 <REP> d---s---- C:\Documents and Settings\Sylvain\UserData

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 22:37 195,104 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 22:36 6,476,320 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 22:36 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-11 22:03 88,136 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 22:03 20,120 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-29 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 17:41 --------- d-----w C:\Program Files\Kit ADSL
2007-10-29 17:41 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2007-10-29 17:40 --------- d-----w C:\Program Files\CCleaner
2007-10-29 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-29 17:21 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-29 17:18 --------- d-----w C:\Program Files\Services en ligne
2007-10-29 17:17 --------- d-----w C:\Program Files\Fichiers communs\MSSoap
2007-10-29 17:07 --------- d-----w C:\Program Files\Fichiers communs\SpeechEngines
2007-10-29 17:07 --------- d-----w C:\Program Files\Fichiers communs\ODBC
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_22.23.35.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-11 21:21:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-11 22:04:32 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-11 21:21:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2007-11-11 22:04:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2007-11-11 21:21:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-11 22:11:01 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-29 17:33:22 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-11 21:30:34 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 17:33:22 48,616 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2007-11-11 21:30:34 48,616 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2007-10-29 17:33:22 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-11 21:30:34 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-29 17:33:22 367,658 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2007-11-11 21:30:34 367,658 ----a-w C:\WINDOWS\system32\perfh00C.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe" [2007-03-16 11:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 10:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingC5090"=cmd /c del "C:\WINDOWS\system32\uvotkcuq.dll_old"

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Outil de mise … jour Google.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-30 09:23:33]


.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 23:37:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 23:38:58
C:\ComboFix2.txt ... 2007-11-11 23:08
C:\ComboFix3.txt ... 2007-11-11 22:25
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:07, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Sylvain\Bureau\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5090] cmd /c del "C:\WINDOWS\system32\uvotkcuq.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: Antivirus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4727 bytes

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2007 - 04:45 PM

Fix these 2 leftovers
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

Close ALL windows and browsers except HijackThis and click "Fix checked"

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Posted Image
  • If shown the disclaimer, Select "2"

Here's my usual all clean post

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
    You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.
Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 syl20

syl20

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 11 November 2007 - 05:05 PM

DONE thank you. Just tell me in what consisted this operation concretly,was it a kind of cleaning? See you Sylvain

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2007 - 05:12 PM

The files we cleaned like this were a Vundo infection. C:\WINDOWS\system32\hgjjl.bak1 C:\WINDOWS\system32\hgjjl.bak2 C:\WINDOWS\system32\hgjjl.ini C:\WINDOWS\system32\hgjjl.ini2 C:\WINDOWS\system32\hgjjl.tmp C:\WINDOWS\system32\ljjgh.dll C:\WINDOWS\system32\qknovhnf.dll C:\WINDOWS\system32\qohlrdft.dll

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2007 - 05:29 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users