[Resolved] Mljji Nightmare


This topic is locked
11 replies to this topic

#1 karaya (Authentic Member, 22 posts)

Posted 21 January 2008 - 01:11 AM

Hello to all. Since I'm a new member, I hope you will guide me to resolve this serious problem.

I spent the whole of last night trying to get rid of this stupid virus, but I couldn't.

I inspected all kinds of forums hoping to find a solution, but I've noticed that something that works for others may not work for me.

Now let's get to it. I have this Mljji virus on my PC and it did damage to my explorer.exe and Iexplorer.exe, since I can't now see my desktop and can't run IE. I did all that I could (repair install, deleted virus files using DOS, restored a recent registry backup, and tried to prevent it at startup using Security Task Manager: I quarantined Mljji.exe + Mljji.dll + some other DLL that was shown as dangerous), but it didn't work; it was always waiting for me at every startup. By the way, I'm using Kaspersky Anti-Virus and I scanned the files, but they were shown as safe,
and even quarantining them with KAV changed nothing.

Oh, and since I made a repair install of XP I have a fresh SP2, which means I don't have the latest security updates for IE and such.
I tried to reinstall IE 7 but I couldn't do it since Iexplorer is not accessible.

Anyway, I'm posting the HijackThis log right away and I hope you can help me with what you can:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:18, on 21-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\GameSpot\DownloadManager_Win32.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Menara
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljji.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] d:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Abonnés - {F9487CA9-BFA4-43A8-B3A0-600AE38B8B8A} - http://abonne.menara.ma (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{522B9A3A-18D1-4B23-BA5E-C1955A835399}: NameServer = 212.217.0.14 196.217.246.210
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8919 bytes


#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 21 January 2008 - 09:00 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download: ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)

It's normal after running ATF Cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from here to your Desktop.

**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop.**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not reconnect your machine to the Internet until ComboFix has completely finished.
--------------------------------------------------------------------

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 


 


#3 karaya (Authentic Member, 22 posts)

Posted 21 January 2008 - 10:13 AM

First, thank you very much for looking at my problem. :)

About what you asked, here is what happened. I ran ComboFix the first time and noticed it deleted the virus and some other DLLs, but also some programs' EXEs, and then it started the second window, and as soon as I had seen the virus name in it my PC suddenly restarted by itself. After that my desktop loaded normally and the performance increased dramatically, but I couldn't get a log of the first scan since my PC restarted, so I started ComboFix for the second time, and after the scan my PC restarted, but this time it was normal since ComboFix notified me about it.

PS: sorry for my English.

Here are the logs. ComboFix:

ComboFix 08-01-20.1 - Admin 01/21/2008 15:48:13.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.966.1036.18.652 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Bureau\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Analog Devices\SoundMAX\SMTray .exe ---> QooBox
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe ---> QooBox
C:\Program Files\CyberLink\PowerDVD\Language\Language .exe ---> QooBox
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe ---> QooBox
C:\WINDOWS\adiras .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
.
.
((((((((((((((((((((((((((((( Files created 2007-12-21 to 2008-01-21 ))))))))))))))))))))))))))))))))))))
.

No new files created in this time period

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-21 15:53 476,120 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 15:53 35,372,320 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 15:53 252,968 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-21 15:53 2,669,856 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-21 06:18 --------- d-----w C:\Program Files\The Noble Qur'an V3.0
2008-01-21 04:26 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-21 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-21 04:16 --------- d-s---w C:\Program Files\Xfire
2008-01-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-20 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-20 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 22:56 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-20 21:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\PrevxCSI
2008-01-20 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-20 21:28 --------- d-----w C:\Program Files\MSN Messenger
2008-01-20 21:22 --------- d-----w C:\Program Files\PowerISO
2008-01-20 15:54 --------- d-----w C:\Program Files\DAP
2008-01-20 05:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\Xfire
2008-01-19 22:38 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-19 20:43 --------- d-----w C:\Documents and Settings\Admin\Application Data\teamspeak2
2008-01-19 18:13 22,328 -c--a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-17 21:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 17:39 --------- d-----w C:\Program Files\Real
2008-01-16 17:39 --------- d-----w C:\Program Files\Fichiers communs\xing shared
2008-01-16 17:39 --------- d-----w C:\Program Files\Fichiers communs\Real
2008-01-12 21:03 --------- d-----w C:\Documents and Settings\Admin\Application Data\Paltalk
2008-01-12 20:57 --------- d-----w C:\Program Files\Paltalk Messenger
2008-01-12 01:23 --------- d-----w C:\Program Files\RegCleaner
2008-01-12 01:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2008-01-08 14:59 22,328 ----a-w C:\Documents and Settings\Admin\Application Data\PnkBstrK.sys
2008-01-07 18:34 --------- d-----w C:\Documents and Settings\Admin\Application Data\Orbit
2008-01-01 23:13 --------- d-----w C:\Program Files\Xilisoft
2007-12-31 20:10 --------- d-----w C:\Program Files\SmartPCTools
2007-12-31 17:15 --------- d-----w C:\Program Files\Common Files
2007-12-29 00:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\ChessBase
2007-12-25 23:26 --------- d-----w C:\Program Files\Fichiers communs\ACD Systems
2007-12-25 23:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-12-23 14:48 --------- d-----w C:\Program Files\ATI
2007-12-22 18:33 --------- d-----w C:\Program Files\RM to MP3 Converter
2007-12-21 10:33 --------- d-----w C:\Program Files\BitLord
2007-12-21 10:30 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-12-21 04:19 --------- d-----w C:\Program Files\Teleport Pro
2007-12-21 04:15 --------- d-----w C:\Program Files\RADVideo
2007-12-21 04:15 --------- d-----w C:\Program Files\QuickTime
2007-12-21 03:50 --------- d-----w C:\Program Files\GameSpy Arcade
2007-12-21 00:05 90,112 ----a-w C:\Documents and Settings\Admin\Application Data\ezpinst.exe
2007-12-20 21:18 --------- d-----w C:\Documents and Settings\Admin\Application Data\SuperAdBlocker.com
2007-12-20 18:54 82,258 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2007-12-20 18:54 82,258 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2007-12-20 02:34 --------- d-----w C:\Program Files\D-Tools
2007-12-19 23:23 --------- d-----w C:\Program Files\CureROM
2007-12-19 17:49 --------- d-----w C:\Program Files\MSN Webcam Recorder
2007-12-19 17:49 --------- d-----w C:\Program Files\Amiglobe 2001
2007-12-19 17:48 --------- d-----w C:\Program Files\UltraISO
2007-12-19 15:30 --------- d-----w C:\Program Files\Kaspersky Lab
2007-12-14 11:49 --------- d-----w C:\Program Files\Fichiers communs\Blizzard Entertainment
2007-12-13 14:49 --------- d-----w C:\Program Files\StuffPlug3
2007-12-12 19:20 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-08 09:29 21,504 ----a-w C:\WINDOWS\jestertb.dll
2007-12-06 23:53 --------- d-----w C:\Program Files\HyperLobbyPro3
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-01 23:42 --------- d-----w C:\Program Files\SpeedFan
2007-11-21 21:08 --------- d-----w C:\Program Files\LimeWire
2007-11-21 10:11 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-21 10:11 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-21 09:53 --------- d-----w C:\Documents and Settings\Admin\Application Data\My Battle for Middle-earth™ II Files
2007-10-23 20:33 73,216 -c--a-w C:\WINDOWS\ST6UNST.EXE
2007-10-23 20:33 249,856 -c--a-w C:\WINDOWS\Setup1.exe
2007-04-14 11:31 284 ----a-w C:\Documents and Settings\Admin\Application Data\ViewerApp.dat
2007-01-03 17:19 47,360 ----a-w C:\Documents and Settings\Admin\Application Data\pcouffin.sys
.
----a-w		   307,200 2008-01-21 01:31:24  C:\Program Files\ATI\ATICustomerCare\ATICustomerCare .exe
----a-w		   185,896 2008-01-20 18:24:17  C:\Program Files\Fichiers communs\Real\Update_OB\realsched .exe
----a-w		   135,168 2008-01-20 16:40:03  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 1,667,584 2008-01-20 22:36:23  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,496 2008-01-20 21:27:04  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		   200,704 2008-01-20 18:24:13  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w		 1,052,920 2008-01-20 17:01:55  C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper .exe
----a-w		   155,648 2008-01-21 02:25:55  C:\WINDOWS\system32\NeroCheck .exe


((((((((((((((((((((((((((((((((( Reg loading points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2004 12:00 PM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"TuneUp MemOptimizer"="D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [01/08/2008 01:31 PM 196864]
"Registry Repair Wizard Scheduler"="C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" [ ]
"DAEMON Tools Lite"="d:\Program Files\DAEMON Tools Lite\daemon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM 218376]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [ ]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [ ]
"adiras"="adiras.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/05/2004 12:00 PM 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AAF23D8-4489-43D8-A064-319D1254ABCA}"= C:\WINDOWS\system32\wvustrq.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvustrq]
wvustrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Anti-Blaxx Manager"=C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

R0 ALiAGP;ALi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\ALiAGP.sys [08/05/2003 11:20 AM]
R0 HFXP2;HFXP2;C:\WINDOWS\system32\DRIVERS\HFXP2.SYS [12/30/2004 03:49 PM]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [07/05/2006 12:46 PM]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [12/06/2005 03:11 PM]
R2 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe [12/20/2007 07:01 PM]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [11/23/2006 01:36 AM]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [12/10/2002 09:11 AM]
R3 ALI5261;ALi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ALILAN.SYS [09/05/2003 03:07 PM]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [04/04/2007 02:58 PM]
S1 SABKUTIL;SABKUTIL;D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S2 AKEProtect;AKEProtect;C:\Program Files\Anti Keylogger Elite\AKEProtect.sys []
S2 UxTuneUp;TuneUp Extension de thème;C:\WINDOWS\System32\svchost.exe [08/05/2004 12:00 PM]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys []
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [04/01/2003 10:23 AM]
S3 DrvFltIp;DrvFltIp;d:\Program Files\MRBDG\DrvFltIp.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [10/15/2002 10:41 PM]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [01/11/2008 08:13 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6484c867-ad63-11dc-8816-4d6564696130}]
\Shell\AutoRun\command - J:\RavMon.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3b44f49-c0a3-11dc-9d23-4d6564696130}]
\Shell\AutoRun\command - H:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B5874CD-4401-EF6B-0508-070600050402}]
C:\WINDOWS\system32\sysdllc32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 15:56:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\xfire_lsp_9028.dll
.
Completion time: 01/21/2008 16:00:32 - machine was rebooted [Admin]
ComboFix-quarantined-files.txt 2008-01-21 16:00:28
.
2008-01-21 15:46:42 --- E O F ---




-----------------------------------------------------------------------------------


HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:00, on 21-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] d:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Abonnés - {F9487CA9-BFA4-43A8-B3A0-600AE38B8B8A} - http://abonne.menara.ma (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{522B9A3A-18D1-4B23-BA5E-C1955A835399}: NameServer = 212.217.0.14 196.217.246.210
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: wvustrq - wvustrq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8615 bytes

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 21 January 2008 - 10:32 AM

Open notepad and copy/paste the text in the Codebox below into it:


File::
C:\WINDOWS\system32\mljji.exe
C:\WINDOWS\system32\wvustrq.dll
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\sysdllc32.exe

RenV::
C:\Program Files\ATI\ATICustomerCare\ATICustomerCare .exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper .exe
C:\WINDOWS\system32\NeroCheck .exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\"{5AAF23D8-4489-43D8-A064-319D1254ABCA}"]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvustrq]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6484c867-ad63-11dc-8816-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3b44f49-c0a3-11dc-9d23-4d6564696130}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B5874CD-4401-EF6B-0508-070600050402}]


Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 karaya (Authentic Member, 22 posts)

Posted 21 January 2008 - 11:31 AM

Hello once more :) I did as you requested and here is the log, and yeah, my PC runs great now :)

PS: What about the files deleted by ComboFix? I mean, this time I noticed NTSpool.exe was deleted. Won't that damage my OS or something?


ComboFix 08-01-20.1 - Admin 01/21/2008 17:14:14.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.966.1036.18.599 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Bureau\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\mljji.exe
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\sysdllc32.exe
C:\WINDOWS\system32\wvustrq.dll
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\NTSpool.exe

.
((((((((((((((((((((((((((((( Files created 2007-12-21 to 2008-01-21 ))))))))))))))))))))))))))))))))))))
.

No new files created in this time span

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 17:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-21 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-21 17:20 35,399,200 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 17:19 478,280 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 17:19 254,168 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-21 17:19 2,669,856 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-21 17:14 --------- d-----w C:\Program Files\PowerISO
2008-01-21 17:14 --------- d-----w C:\Program Files\MSN Messenger
2008-01-21 16:22 --------- d-----w C:\Program Files\Java
2008-01-21 06:18 --------- d-----w C:\Program Files\The Noble Qur'an V3.0
2008-01-21 04:26 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-21 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-21 04:16 --------- d-s---w C:\Program Files\Xfire
2008-01-20 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-20 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 22:56 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-20 21:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\PrevxCSI
2008-01-20 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-20 15:54 --------- d-----w C:\Program Files\DAP
2008-01-20 05:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\Xfire
2008-01-19 22:38 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-19 20:43 --------- d-----w C:\Documents and Settings\Admin\Application Data\teamspeak2
2008-01-19 18:13 22,328 -c--a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-17 21:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 17:39 --------- d-----w C:\Program Files\Real
2008-01-16 17:39 --------- d-----w C:\Program Files\Fichiers communs\xing shared
2008-01-16 17:39 --------- d-----w C:\Program Files\Fichiers communs\Real
2008-01-12 21:03 --------- d-----w C:\Documents and Settings\Admin\Application Data\Paltalk
2008-01-12 20:57 --------- d-----w C:\Program Files\Paltalk Messenger
2008-01-12 01:23 --------- d-----w C:\Program Files\RegCleaner
2008-01-12 01:16 --------- d-----w C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2008-01-08 14:59 22,328 ----a-w C:\Documents and Settings\Admin\Application Data\PnkBstrK.sys
2008-01-07 18:34 --------- d-----w C:\Documents and Settings\Admin\Application Data\Orbit
2008-01-01 23:13 --------- d-----w C:\Program Files\Xilisoft
2007-12-31 20:10 --------- d-----w C:\Program Files\SmartPCTools
2007-12-31 17:15 --------- d-----w C:\Program Files\Common Files
2007-12-29 00:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\ChessBase
2007-12-25 23:26 --------- d-----w C:\Program Files\Fichiers communs\ACD Systems
2007-12-25 23:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-12-23 14:48 --------- d-----w C:\Program Files\ATI
2007-12-22 18:33 --------- d-----w C:\Program Files\RM to MP3 Converter
2007-12-21 10:33 --------- d-----w C:\Program Files\BitLord
2007-12-21 10:30 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-12-21 04:19 --------- d-----w C:\Program Files\Teleport Pro
2007-12-21 04:15 --------- d-----w C:\Program Files\RADVideo
2007-12-21 04:15 --------- d-----w C:\Program Files\QuickTime
2007-12-21 03:50 --------- d-----w C:\Program Files\GameSpy Arcade
2007-12-21 00:05 90,112 ----a-w C:\Documents and Settings\Admin\Application Data\ezpinst.exe
2007-12-20 21:18 --------- d-----w C:\Documents and Settings\Admin\Application Data\SuperAdBlocker.com
2007-12-20 18:54 82,258 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2007-12-20 18:54 82,258 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2007-12-20 02:34 --------- d-----w C:\Program Files\D-Tools
2007-12-19 23:23 --------- d-----w C:\Program Files\CureROM
2007-12-19 17:49 --------- d-----w C:\Program Files\MSN Webcam Recorder
2007-12-19 17:49 --------- d-----w C:\Program Files\Amiglobe 2001
2007-12-19 17:48 --------- d-----w C:\Program Files\UltraISO
2007-12-19 15:30 --------- d-----w C:\Program Files\Kaspersky Lab
2007-12-14 11:49 --------- d-----w C:\Program Files\Fichiers communs\Blizzard Entertainment
2007-12-13 14:49 --------- d-----w C:\Program Files\StuffPlug3
2007-12-12 19:20 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-08 09:29 21,504 ----a-w C:\WINDOWS\jestertb.dll
2007-12-06 23:53 --------- d-----w C:\Program Files\HyperLobbyPro3
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-01 23:42 --------- d-----w C:\Program Files\SpeedFan
2007-11-21 21:08 --------- d-----w C:\Program Files\LimeWire
2007-11-21 10:11 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-21 10:11 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-21 09:53 --------- d-----w C:\Documents and Settings\Admin\Application Data\My Battle for Middle-earth™ II Files
2007-10-23 20:33 73,216 -c--a-w C:\WINDOWS\ST6UNST.EXE
2007-10-23 20:33 249,856 -c--a-w C:\WINDOWS\Setup1.exe
2007-04-14 11:31 284 ----a-w C:\Documents and Settings\Admin\Application Data\ViewerApp.dat
2007-01-03 17:19 47,360 ----a-w C:\Documents and Settings\Admin\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@Mon 01-21-2008_16.00.01.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 15:35:10 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 17:13:58 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-21 15:35:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 17:13:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-21 15:35:11 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-21 17:13:58 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-21 15:35:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 17:13:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-21 15:35:11 13,697,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 17:13:59 13,713,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-21 15:35:12 385,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 17:13:59 385,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 02:25:55 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
- 2008-01-21 06:59:19 4,212 -c-h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-01-21 17:04:22 4,212 -c-h--w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((( Registry load points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2004 12:00 PM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [01/20/2008 10:36 PM 1667584]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/20/2008 09:27 PM 5674496]
"TuneUp MemOptimizer"="D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [01/08/2008 01:31 PM 196864]
"Registry Repair Wizard Scheduler"="C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" [01/20/2008 05:01 PM 1052920]
"DAEMON Tools Lite"="d:\Program Files\DAEMON Tools Lite\daemon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/21/2008 02:25 AM 155648]
"smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [01/20/2008 06:24 PM 200704]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM 218376]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [01/21/2008 01:31 AM 307200]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [01/20/2008 06:24 PM 185896]
"adiras"="adiras.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/05/2004 12:00 PM 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AAF23D8-4489-43D8-A064-319D1254ABCA}"= C:\WINDOWS\system32\wvustrq.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Anti-Blaxx Manager"=C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

R0 ALiAGP;ALi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\ALiAGP.sys [08/05/2003 11:20 AM]
R0 HFXP2;HFXP2;C:\WINDOWS\system32\DRIVERS\HFXP2.SYS [12/30/2004 03:49 PM]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [07/05/2006 12:46 PM]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [12/06/2005 03:11 PM]
R2 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe [12/20/2007 07:01 PM]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [11/23/2006 01:36 AM]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [12/10/2002 09:11 AM]
R3 ALI5261;ALi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ALILAN.SYS [09/05/2003 03:07 PM]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [04/04/2007 02:58 PM]
S1 SABKUTIL;SABKUTIL;D:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S2 AKEProtect;AKEProtect;C:\Program Files\Anti Keylogger Elite\AKEProtect.sys []
S2 UxTuneUp;TuneUp Extension de thème;C:\WINDOWS\System32\svchost.exe [08/05/2004 12:00 PM]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys []
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [04/01/2003 10:23 AM]
S3 DrvFltIp;DrvFltIp;d:\Program Files\MRBDG\DrvFltIp.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [10/15/2002 10:41 PM]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [01/11/2008 08:13 PM]

.
Contents of folder 'Scheduled Tasks/Tâches planifiées'
"2008-01-18 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 17:21:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\xfire_lsp_9028.dll
.






-------------------------------------------------------------------



HIJACKTHIS :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:30:20, on 21-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "D:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] d:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Abonnés - {F9487CA9-BFA4-43A8-B3A0-600AE38B8B8A} - http://abonne.menara.ma (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{522B9A3A-18D1-4B23-BA5E-C1955A835399}: NameServer = 212.217.0.14 196.217.246.210
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8771 bytes

Completion time: 01/21/2008 17:26:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 17:26:25
ComboFix2.txt 2008-01-21 16:00:32
.
2008-01-21 16:25:10 --- E O F ---

Edited by karaya, 21 January 2008 - 11:31 AM.
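Reading the two HijackThis logs in this thread by hand is what the helper did; the script below automates the same first pass over the line formats HijackThis prints. It is an added example, not part of the original thread and not HijackThis or ComboFix code. SAMPLE_LOG is a constructed excerpt modelled on the log posted above; the allowlist of Windows-shipped Winlogon Notify packages, the treatment of nwprovau.dll as a Windows component, and the severity labels are assumptions made for this example.

```python
"""Triage a HijackThis v2 log for the persistence patterns seen in this thread.

Added example, not part of the thread and not HijackThis code. SAMPLE_LOG is a
constructed excerpt modelled on the posted log; allowlists and severities are
assumptions made for this example.
"""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, HijackThis section, detail)

# Assumed allowlists: Winlogon Notify packages that ship with XP, and the one
# "unknown" LSP module that is a Windows component (Client Service for NetWare).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
KNOWN_LSP = {"nwprovau.dll"}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{522B9A3A-18D1-4B23-BA5E-C1955A835399}: NameServer = 212.217.0.14 196.217.246.210
O20 - Winlogon Notify: wvustrq - wvustrq.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""


def image_of(cmd: str) -> str:
    """Return the executable referenced by a Run-key command line."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd)  # HJT appends the hive owner
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path with spaces: take up to the first executable extension.
    m = re.match(r"^(?P<p>[A-Za-z]:\\.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", cmd, re.I)
    if m:
        return m.group("p")
    return cmd.split()[0] if cmd.split() else ""


def is_qualified(image: str) -> bool:
    """True if the image has a drive or UNC root; a bare name is search-path resolved."""
    return re.match(r"^[A-Za-z]:\\|^\\\\", image) is not None


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    seen_lsp = set()
    for line in (ln.strip() for ln in log.splitlines() if ln.strip()):
        m = O4_RE.match(line)
        if m:
            key, name, cmd = m.group("key", "name", "cmd")
            exe = image_of(cmd)
            if "Policies\\Explorer\\Run" in key:  # seldom used by legitimate software
                findings.append(("high", "O4", f"{name}: autostart under Policies\\Explorer\\Run ({exe})"))
            if exe and not is_qualified(exe):  # the log cannot tell you which file ran
                findings.append(("high", "O4", f"{name}: bare image name '{exe}', search-path resolved"))
            continue
        m = O10_RE.match(line)
        if m:
            dll = m.group("path").rsplit("\\", 1)[-1].lower()
            if dll not in seen_lsp:  # HJT prints one line per protocol chain entry
                seen_lsp.add(dll)
                findings.append(("info" if dll in KNOWN_LSP else "medium", "O10", f"Winsock LSP module {dll}"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = m.group("servers").split()
            public = sum(1 for s in servers if ipaddress.ip_address(s).is_global)
            findings.append(("info", "O17", f"DNS resolvers {servers}, {public} public; confirm they are your ISP's"))
            continue
        m = O20_RE.match(line)
        if m:
            name, dll = m.group("name", "dll")
            if name not in KNOWN_NOTIFY:
                sev = "high" if "(file missing)" in dll else "medium"
                findings.append((sev, "O20", f"Winlogon Notify package {name} -> {dll}"))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(("medium", "O23", f"orphaned service {m.group('svc')}: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for sev, sec, detail in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"[{sev:6}] {sec}: {detail}")
```

On the sample it raises NTSpool twice (a Policies\Explorer\Run autostart and a bare image name), adiras.exe once for the bare name, and the wvustrq Winlogon Notify entry as high; the orphaned AVG service and the Xfire LSP come out as medium, and the resolvers are only reported for you to confirm against your ISP. The O20 rule is the one worth keeping: a Notify package is loaded into winlogon.exe at logon, which is why the CFScript above deletes that key as well as the DLL.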


#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 21 January 2008 - 01:51 PM

I mean, this time I noticed NTSpool.exe was deleted. Won't that damage my OS or something?

That's not a legitimate file. NTSpool.exe is a Trojan/Backdoor.

You should take the safe road and change ALL passwords. If you do any online banking or anything like that, you need to contact them and let them know you were infected with a Backdoor Trojan.

Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.



    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Note: I no longer suggest Zone Alarm

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Winpatrol


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
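The Custom Level settings in the post above can also be audited from PowerShell instead of clicking through the dialog. The script below is an added example, not code from the original post or from any of the tools it links. It reads the Internet zone (zone 3) values under the current user's Internet Settings key; the numeric action codes are Microsoft's documented URL security zone action identifiers, and the DWORD values 0, 1 and 3 encode Enable, Prompt and Disable. The function name and the -Fix switch are this example's own choices.

```powershell
# Added example (not part of the original post): audit the six Internet zone
# Custom Level settings the post recommends, using the registry values the
# dialog writes. Zone 3 is the Internet zone.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name -> action code (registry value name) and recommended value.
# 0 = Enable, 1 = Prompt, 3 = Disable (documented zone action values).
$recommended = [ordered]@{
    'Download signed ActiveX controls'                          = @{ Code = '1001'; Want = 1 }
    'Download unsigned ActiveX controls'                        = @{ Code = '1004'; Want = 3 }
    'Initialize and script ActiveX controls not marked as safe' = @{ Code = '1201'; Want = 3 }
    'Installation of desktop items'                             = @{ Code = '1800'; Want = 1 }
    'Launching programs and files in an IFRAME'                 = @{ Code = '1804'; Want = 1 }
    'Navigate sub-frames across different domains'              = @{ Code = '1607'; Want = 1 }
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionValue {
    # Returns the DWORD for one action code, or $null when the value is absent
    # (IE then falls back to the zone template default, e.g. Medium-High).
    param([string]$Code)
    $item = Get-ItemProperty -Path $zonePath -Name $Code -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Code
}

function Test-InternetZoneHardening {
    # Reports each setting's current vs. recommended value; -Fix writes the
    # recommended DWORD for every mismatch (hypothetical switch, this example only).
    param([switch]$Fix)
    $results = foreach ($name in $recommended.Keys) {
        $code = $recommended[$name].Code
        $want = $recommended[$name].Want
        $have = Get-ZoneActionValue -Code $code
        $ok   = ($have -eq $want)
        if (-not $ok -and $Fix) {
            if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
            Set-ItemProperty -Path $zonePath -Name $code -Value $want -Type DWord
            $have = $want
            $ok   = $true
        }
        $currentLabel = if ($null -eq $have) { 'not set (template default)' } else { $labels[$have] }
        [pscustomobject]@{
            Setting     = $name
            Code        = $code
            Current     = $currentLabel
            Recommended = $labels[$want]
            Compliant   = $ok
        }
    }
    return $results
}

# Usage: report first, then apply the post's recommendations.
Test-InternetZoneHardening | Format-Table -AutoSize
# Test-InternetZoneHardening -Fix | Format-Table -AutoSize
```

One caveat when reading the results: if the machine has the Security_HKLM_only policy set, Internet Explorer takes zone settings from the equivalent key under HKLM rather than HKCU, so a "Compliant" report from the per-user key does not by itself prove the effective setting; check the HKLM zone key in that case.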

 


#7 karaya (Authentic Member, 22 posts)

Posted 21 January 2008 - 04:32 PM

Great news :thumbup: and thank you very much for your time and help :) but I have one more tiny problem :blush: Since I made a repair install before, I badly need to install the latest Windows security updates, but for some reason when I click download I keep getting "updates could not be downloaded", so I went and downloaded Windows Installer 3.1 manually, but the problem still exists!!! I'm not sure if that is because of some deleted file during the virus cleaning operation or what?!! :( peace :)

#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 21 January 2008 - 04:40 PM

You can use Windows SFC (System File Checker). You'd need your XP CD to make this work.
Click Start > Run > type sfc /scannow (note that there is a space between sfc and /scannow).


#9 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 21 January 2008 - 07:15 PM

For issues with windows updates:
This is a free service and toll-free call.

1-866-PCSAFETY
or
1-866-727-2338
This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

For support outside the United States and Canada, please contact your Microsoft Help and Support worldwide. Go to this page and choose your region from the box in the upper right corner: http://support.micro...pr=SecurityHome


#10 karaya (Authentic Member, 22 posts)

Posted 22 January 2008 - 08:04 AM

Thank you very much once more :thumbup: and you can consider my problem as solved right now :D Have a good day there and peace.

#11 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 22 January 2008 - 09:16 PM

Great job :thumbup: You're more than welcome. Glad we were able to help. Peace be with you :wavey:


#12 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 22 January 2008 - 09:17 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
