Jump to content


Trojans that won't go...

Started by mic, Nov 25 2007 12:48 AM

  • You cannot reply to this topic
28 replies to this topic

#1 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 25 November 2007 - 12:48 AM

Dear all,

First of all, I'd like to thank whoever will be able to help me, and also the mods and helpers on this site. I've been here on the past to gather information, and it is a great site.

So, here's the story. My antivirus (avast) alerted me a couple of days ago that a number of viruses and trojans were trying to penetrate my computer; some of them succeeded. I ran avast, as well as my antispyare programmes (CCleaner, Ad-Aware, and Spybot). It helped me eliminate a dozen malwares, but I keep having this window poping up telling me "Warning! Potential Spyware Operation! Your Computer is making..... Click YES to download spyware remover" (I refuse). It appears ever 5 minutes or so. Moreover, I completely lost access to the registry, control panel, and alt-ctrl-delete functions (I downloaded Vilma, but the files reappear each time I restart the PC). Also, I have the feeling that some files are suspect (timoty.exe, etc.).

So, I came here and followed your instructions. It found me a few spywares (like spools.exe), but the issue remains: I receive the same pop-up, which tells me that there are still issues on my computer. So, I would be so happy if somebody could tell me where the problem lies! Thank you so much in advance!

Bitdefender

BitDefender Online Scanner - Real Time Virus Report



Generated at: Sat, Nov 24, 2007 - 22:51:29


--------------------------------------------------------------------------------





Scan Info



Scanned Files
257278

Infected Files
1








Virus Detected



Trojan.Crypt.AB
1










--------------------------------------------------------------------------------



This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.



SUPERAntispyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/25/2007 at 00:05 AM

Application Version : 3.9.1008

Core Rules Database Version : 3349
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 01:08:19

Memory items scanned : 517
Memory threats detected : 1
Registry items scanned : 5197
Registry threats detected : 1
File items scanned : 43753
File threats detected : 27

Worm.Rbot-LD
C:\WINDOWS\SYSTEM32\SPOOLS.EXE
C:\WINDOWS\SYSTEM32\SPOOLS.EXE
[dumprep] C:\WINDOWS\SYSTEM32\SPOOLS.EXE
C:\WINDOWS\Prefetch\SPOOLS.EXE-26BA5B7B.pf

Adware.Tracking Cookie
C:\Documents and Settings\michael\Cookies\michael@ad1.emediate[2].txt
C:\Documents and Settings\michael\Cookies\michael@a[1].txt
C:\Documents and Settings\michael\Cookies\michael@msnportal.112.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@adbrite[2].txt
C:\Documents and Settings\michael\Cookies\michael@0-www.sciencedirect.com.serlib0.essex.ac[1].txt
C:\Documents and Settings\michael\Cookies\michael@weborama[1].txt
C:\Documents and Settings\michael\Cookies\michael@xiti[1].txt
C:\Documents and Settings\michael\Cookies\michael@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@ads.prospect[1].txt
C:\Documents and Settings\michael\Cookies\michael@revsci[1].txt
C:\Documents and Settings\michael\Cookies\michael@nhl.112.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@cgi-bin[2].txt
C:\Documents and Settings\michael\Cookies\michael@adopt.euroclick[2].txt
C:\Documents and Settings\michael\Cookies\michael@adserver.mediarun[1].txt
C:\Documents and Settings\michael\Cookies\michael@serving-sys[2].txt
C:\Documents and Settings\michael\Cookies\michael@smartadserver[1].txt
C:\Documents and Settings\michael\Cookies\michael@tribalfusion[1].txt
C:\Documents and Settings\michael\Cookies\michael@tacoda[1].txt
C:\Documents and Settings\michael\Cookies\michael@4.adbrite[1].txt
C:\Documents and Settings\michael\Cookies\michael@questionmarket[1].txt
C:\Documents and Settings\michael\Cookies\michael@com.serlib0.essex.ac[2].txt
C:\Documents and Settings\michael\Cookies\michael@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\michael\Cookies\michael@bs.serving-sys[2].txt
C:\Documents and Settings\michael\Cookies\michael@metacafe.122.2o7[1].txt
C:\Documents and Settings\michael\Cookies\michael@ads.canalblog[1].txt

AVG Anti-spyware
---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

+ Créé à: 00:25:21 24.11.2007

+ Résultat de l'analyse:



C:\WINDOWS\devadwp.exe -> Downloader.Wixud.j : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@247realmedia[1].txt -> TrackingCookie.247realmedia : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@4.adbrite[2].txt -> TrackingCookie.Adbrite : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@adbrite[2].txt -> TrackingCookie.Adbrite : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@overture[1].txt -> TrackingCookie.Overture : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@questionmarket[2].txt -> TrackingCookie.Questionmarket : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@revsci[2].txt -> TrackingCookie.Revsci : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@serving-sys[1].txt -> TrackingCookie.Serving-sys : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@tacoda[1].txt -> TrackingCookie.Tacoda : Aucune action entreprise.
C:\Documents and Settings\michael\Cookies\michael@weborama[1].txt -> TrackingCookie.Weborama : Aucune action entreprise.


Fin du rapport

HighJackThis
Logfile of HijackThis v1.99.1
Scan saved at 00:45:08, on 25.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\msanton.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\Program Files\Norman \NPF\NPFMSG.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Norman \NPF\NPFSVICE.EXE
C:\Program Files\Dell\Logiciel Bluetooth\btsendto_explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Highjack\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1

\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers

communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5

\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft

ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program

Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: setings.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0

\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN

Client\vpngui.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3

\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-

00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-

9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%

\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-

9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer =

192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1

\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program

Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4

\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4

\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4

\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-

Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel

Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program

Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program

Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program

Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman \NPF\NPFSVICE.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#2 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 02 December 2007 - 12:03 PM

Hi mic,
Unfortunately, you have several very dangerous infections, one of which is called Worm.Rbot-LD, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of the infection's backdoor functionality(i.e., remote control capability), the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet. (This infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry).

If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
The following articles may be of assistance in your decision: Should you have any questions, please feel free to ask.

askey127
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#3 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 02 December 2007 - 06:18 PM

View Postaskey127, on Dec 2 2007, 12:03 PM, said:

Hi mic,
Unfortunately, you have several very dangerous infections, one of which is called Worm.Rbot-LD, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of the infection's backdoor functionality(i.e., remote control capability), the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet. (This infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry).

If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
The following articles may be of assistance in your decision: Should you have any questions, please feel free to ask.

askey127

Hello askey127,

I would gladly accept your help on this matter!

mic

#4 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 02 December 2007 - 06:42 PM

mic,
-----------------------------------------------------------
You have two antivirus programs on your PC at the same time. They will conflict with each other and cause system instability and/or improper AntiVirus protection. Choose to keep just one: either the Avast or Norman Antivirus, and Uninstall the other, Using Start, Control Panel, Add/Remove Programs.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)
Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt in a reply, along with a new HijackThis log
askey127
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#5 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 02 December 2007 - 07:10 PM

View Postaskey127, on Dec 2 2007, 06:42 PM, said:

mic,
-----------------------------------------------------------
You have two antivirus programs on your PC at the same time. They will conflict with each other and cause system instability and/or improper AntiVirus protection. Choose to keep just one: either the Avast or Norman Antivirus, and Uninstall the other, Using Start, Control Panel, Add/Remove Programs.
-----------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)
Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt in a reply, along with a new HijackThis log
askey127

Hello,

Thanks. Now, as your typical rookie, I am stuck at part 1: I have no access to my control panel. I tried a few days ago Vilma (when I didn't know the size of my issues), and removed the DisableTaskMgr and the DisableRegistryTools in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\, but I still have no access to my control panel (and these two files come again each time I launch my computer). As I suppose that it is important to do this part before doing the rest, I was wondering whether you had an idea to get me back the control of the control panel?

#6 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 02 December 2007 - 08:59 PM

You can run SDFix first if necessary.
----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here Choose the "Slim" version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Program(s), one at a time, that you want to uninstall, and click the Run Uninstaller
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#7 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 02 December 2007 - 10:08 PM

View Postaskey127, on Dec 2 2007, 08:59 PM, said:

You can run SDFix first if necessary.
----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here Choose the "Slim" version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Program(s), one at a time, that you want to uninstall, and click the Run Uninstaller

Ok, here are the SDFix and HJT logs:

SDFix

SDFix: Version 1.116

Run by michael on 02.12.2007 at 21:46

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ntio256

Path:
\??\C:\WINDOWS\system32\ntio256.sys

ntio256 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\3_exception.nls - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 21:54:23
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000091
"TracesSuccessful"=dword:00000006

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\FileMaker\\FileMaker Pro 6\\FileMaker Pro.exe"="C:\\Program Files\\FileMaker\\FileMaker Pro 6\\FileMaker Pro.exe:*:Enabled:FileMaker Pro"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"="C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe:*:Enabled:avast! Antivirus"
"C:\\WINDOWS\\SYSTEM32\\dlbtcoms.exe"="C:\\WINDOWS\\SYSTEM32\\dlbtcoms.exe:*:Enabled:Photo AIO Printer 922 Server"
"C:\\Program Files\\Skype\\Phone\\Skype1.exe"="C:\\Program Files\\Skype\\Phone\\Skype1.exe:*:Enabled:Skype1"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\michael\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\michael\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 30 Aug 2002 94,864 ..SH. --- "C:\WINDOWS\TWAIN.DLL"
Thu 19 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Sat 25 Sep 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Fichiers communs\Adobe\ESD\DLMCleanup.exe"
Mon 26 Apr 2004 1,206 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\ccReg.reg"
Sun 7 Mar 2004 1,206 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 7 Mar 2004 12,368 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 26 Apr 2004 12,368 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\CommonClient.reg"
Mon 23 Jul 2007 139,776 A..H. --- "C:\Telechargements\Anti-trojan\LinkOptCheck\LinkOptCheck\swreg.exe"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5c703fe0947475848e966b61999878d1\BIT8.tmp"
Thu 1 Sep 2005 107,008 ...H. --- "C:\Documents and Settings\michael\Mes documents\Professionnel\Travail\Licra\~WRL1114.tmp"
Tue 28 Dec 2004 41,472 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0126.tmp"
Wed 29 Dec 2004 51,712 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0177.tmp"
Tue 28 Dec 2004 35,840 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0188.tmp"
Tue 28 Dec 2004 38,912 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0304.tmp"
Wed 29 Dec 2004 51,712 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0361.tmp"
Tue 28 Dec 2004 41,984 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0362.tmp"
Wed 29 Dec 2004 45,568 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0574.tmp"
Tue 28 Dec 2004 39,424 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL0976.tmp"
Tue 28 Dec 2004 37,376 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1090.tmp"
Wed 29 Dec 2004 45,056 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1115.tmp"
Wed 29 Dec 2004 52,736 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1424.tmp"
Wed 29 Dec 2004 47,104 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL1541.tmp"
Wed 29 Dec 2004 44,032 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2092.tmp"
Wed 29 Dec 2004 44,544 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2093.tmp"
Wed 29 Dec 2004 50,176 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2176.tmp"
Wed 29 Dec 2004 44,544 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2513.tmp"
Wed 29 Dec 2004 45,056 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2562.tmp"
Tue 28 Dec 2004 41,984 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2733.tmp"
Tue 28 Dec 2004 39,424 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL2962.tmp"
Wed 29 Dec 2004 46,080 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3002.tmp"
Tue 28 Dec 2004 36,352 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3169.tmp"
Tue 28 Dec 2004 39,424 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3595.tmp"
Tue 28 Dec 2004 38,400 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3741.tmp"
Wed 29 Dec 2004 42,496 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3794.tmp"
Wed 29 Dec 2004 43,520 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3964.tmp"
Wed 29 Dec 2004 48,128 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\2-SES - 2Šme ann‚e\Histoire Contemporaine II\~WRL3985.tmp"
Tue 5 Apr 2005 24,576 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire contemporaine II\~WRL2203.tmp"
Sun 4 Feb 2007 567,296 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\Interdisciplinary Seminar on Environmental Issues - Luterbacher and Wiegandt\~WRL3610.tmp"
Sun 15 Apr 2007 42,496 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL1978.tmp"
Sun 15 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL2556.tmp"
Sun 15 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL3171.tmp"
Sun 15 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL3294.tmp"
Fri 13 Apr 2007 40,960 ...H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\4-HEI - 2Šme\Political Science\International Political Economy - Dupont\~WRL3842.tmp"
Sat 9 Apr 2005 55,296 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire diplomatique et des relations internationales\Expos‚ sur le d‚mantŠlement de l'Empire italien pendant la DeuxiŠme Guerre mondiale\~WRL0397.tmp"
Sat 9 Apr 2005 64,512 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire diplomatique et des relations internationales\Expos‚ sur le d‚mantŠlement de l'Empire italien pendant la DeuxiŠme Guerre mondiale\~WRL3525.tmp"
Fri 8 Apr 2005 30,720 A..H. --- "C:\Documents and Settings\michael\Mes documents\Universit‚\Cours Milena\Histoire diplomatique et des relations internationales\Expos‚ sur le d‚mantŠlement de l'Empire italien pendant la DeuxiŠme Guerre mondiale\~WRL3822.tmp"
Thu 8 Sep 2005 192,512 A..H. --- "C:\Documents and Settings\michael\Mes documents\Professionnel\Travail\Licra\LICRA CH\Charte d'Utrecht\1ere phase\Pr‚paration\~WRL0515.tmp"
Thu 8 Sep 2005 0 A..H. --- "C:\Documents and Settings\michael\Mes documents\Professionnel\Travail\Licra\LICRA CH\Charte d'Utrecht\1ere phase\Pr‚paration\~WRL0649.tmp"

Finished!



HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 22:04:59, on 02.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\timoty.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\PROGRA~1\Dell\LOGICI~1\BTSTAC~1.EXE
C:\Program Files\Highjack\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#8 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 02 December 2007 - 10:43 PM

mic,
-----------------------------------------------------------
Set Your Computer to Show All Files
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended).
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries that are present:
(Some of these lines may be missing)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4- HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerh...sues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\msanton.exe
C:\Windows\System32\timoty.exe
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
REBOOT INTO NORMAL MODE
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:

Quote

cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. We will add additional items to it in the next step.

Also using Start->Run, copy/paste the following command into the box and press OK:

Quote

cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis.
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of look.txt from your desktop.

askey127
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#9 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 03 December 2007 - 10:05 AM

View Postaskey127, on Dec 2 2007, 10:43 PM, said:

mic,
-----------------------------------------------------------
Set Your Computer to Show All Files
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended).
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries that are present:
(Some of these lines may be missing)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4- HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerh...sues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\msanton.exe
C:\Windows\System32\timoty.exe
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
REBOOT INTO NORMAL MODE
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:

A file called look.txt should appear on your Desktop. We will add additional items to it in the next step.

Also using Start->Run, copy/paste the following command into the box and press OK:

A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis.
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of look.txt from your desktop.

askey127

askey127,

Okay, I could show all the files and extensions; I also could remove all entries in HJT (all were present). However, when I run your look.txt command, nothing happens (except for a brief MS-DOS-like box which opens for 1/10 of a second). I tried to search for the look.txt file, with no results. Was I supposed to replace %userprofile% with my account on my computer? If so, do I keep the "%"?

By the way, should I connect directly with my computer, or would it be safer to use another computer to connect to the internet et and post on this forum, while keeping the other (infected) computer unconnected? If so, can I transport my logs through a USB key, or could it also get infected?

Thanks for your help!

mic

#10 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 03 December 2007 - 10:41 AM

My fault. The quotes didn't show up correctly.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"

Also using Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.

If you don't see it, do a search for it.
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#11 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 03 December 2007 - 10:58 AM

View Postaskey127, on Dec 3 2007, 10:41 AM, said:

My fault. The quotes didn't show up correctly.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"

Also using Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "startup.exe" >> "%userprofile%\desktop\look.txt"
A file called look.txt should appear on your Desktop. Please post the contents of this file.

If you don't see it, do a search for it.

Hello askey127!

Actually, the command you gave me is the same as the one in the previous post. I nevertheless tried your new command, but with no results (I searched it as well).

The previous one:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"
The new one:
cmd /c dir C:\*.* /L /A /B /S|Find "setings.exe" >> "%userprofile%\desktop\look.txt"

Do I have to correct userprofile?

mic

#12 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 03 December 2007 - 11:16 AM

Do searches for setings.exe and startup.exe and tell me where they are, if they show.
Notice the spelling "setings.exe"

And Post a new HJT log. You can post from the "infected" computer.
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#13 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 03 December 2007 - 12:16 PM

View Postaskey127, on Dec 3 2007, 11:16 AM, said:

Do searches for setings.exe and startup.exe and tell me where they are, if they show.
Notice the spelling "setings.exe"

And Post a new HJT log. You can post from the "infected" computer.

Hello askey127,

setings.exe is located in (in case: "démarrer" and "démarrage" mean "start"):
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage
The search function also finds (when I type setings.exe):
SETINGS.EXE-00441AB6.pf (located in C:\WINDOWS\Prefetch)
backup-20071203-093116-204-setings.exe (located in C:\Program Files\Highjack\backups)

startup.exe cannot be found. The files that search finds are:
STARTUP.EXE-37ACFE15.pf (located in C:\WINDOWS\Prefetch)
backup-20071203-093136-376-startup.exe (located in C:\Program Files\Highjack\backups)

Also, the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:04:28, on 03.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Logiciel Bluetooth\BTTray.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Dell\Logiciel Bluetooth\btsendto_explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Highjack\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TVAgent WiFi] C:\Program Files\Bluewin\Netopia_Router\Wizard\Agent_Wifi.exe
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{781354D9-D803-432B-9948-04C9570715B3}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Logiciel Bluetooth\bin\btwdins.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#14 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 03 December 2007 - 03:37 PM

mic,
good work so far.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.

C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage\setings.exe
C:\WINDOWS\Prefetch\SETINGS.EXE-00441AB6.pf
C:\WINDOWS\Prefetch\STARTUP.EXE-37ACFE15.pf

In case a file is shown without the location, use Find (F3) or Start, Search, enter the filename, and Delete the file, if present.
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
You do not need to delete any entries in the HiJackThis Backup folder.
-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Download Blacklight from here:
http://www.f-secure....ecurity_center/
Under "Downloads", click on Blacklight and Save it to your Desktop
or
Link to it from the ftp site: ftp://ftp.f-secure.c.../tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:

Quote

"%userprofile%\desktop\fsbl.exe" /expert
Accept the license agreement.
Click > scan, wait for it to fimish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt
So we are looking for the Blacklight log fsbl.xxxxxxx.log and the KAV.txt file contents in your next post, along with any other notes you have.
askey127
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#15 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 03 December 2007 - 06:28 PM

Hello askey127,

Thanks!

I managed to use your commands for the look.txt file! Simple issue of windows in a different language (desktop is "bureau" on my computer). I attached the log below (although it has probably no use for you now anymore).

I deleted the three files. I noticed a file called TIMOTY.EXE-09857EDC.pf in the C:\WINDOWS\Prefetch folder (I thought I might tell you that, as you told me to delete a timoty.exe file earlier). No problem with the CCleaner procedure. Blacklight didn't find anything (as far as I know). However, the KAV found a lot fo infected files. I noticed that most of the infected files were located in the "system volume information" folder, if that's of any help for you.

Also, the warning message (which was something like "Warning unauthorized spyware etc.") disappeared. Moreover, I have the feeling that the whole computer is a bit faster (i.e., less slow) now. However, I still have no control over the task manager nor control panel (although I haven't restarted my computer since).

Here are the logs:

Look.txt
c:\program files\highjack\backups\backup-20071203-093116-204-setings.exe
c:\program files\highjack\backups\backup-20071203-093136-376-startup.exe

Blacklight (fsbl-20071203161227.log)

12/03/07 16:12:27 [Info]: BlackLight Engine 1.0.67 initialized
12/03/07 16:12:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/03/07 16:12:27 [Note]: 7019 4
12/03/07 16:12:27 [Note]: 7005 0
12/03/07 16:12:31 [Note]: 7006 0
12/03/07 16:12:31 [Note]: 7022 0
12/03/07 16:12:31 [Note]: 7011 368
12/03/07 16:12:31 [Note]: 7026 0
12/03/07 16:12:32 [Note]: 7026 0
12/03/07 16:12:35 [Note]: FSRAW library version 1.7.1024
12/03/07 16:27:58 [Note]: 2000 1012
12/03/07 16:28:13 [Note]: 7007 0



KAV
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 03, 2007 6:21:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/12/2007
Kaspersky Anti-Virus database records: 471044
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 76961
Number of viruses found: 4
Number of infected objects: 149
Number of suspicious objects: 0
Duration of the scan process: 01:49:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\michael\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\michael\Bureau\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\michael\Bureau\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\michael\Bureau\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\michael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Historique\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Historique\History.IE5\MSHist012007120320071204\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\michael\ntuser.dat Object is locked skipped
C:\Documents and Settings\michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Highjack\backups\backup-20071203-093116-204-setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Program Files\Highjack\backups\backup-20071203-093136-376-startup.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0013885.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0013886.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0013887.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0014881.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0014882.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0014883.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015122.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015123.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015124.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015272.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015273.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015274.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015440.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015442.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015444.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015607.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015608.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0015610.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0016601.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP100\A0016602.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0018913.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0018914.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0018915.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019068.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019069.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019070.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019237.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019238.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019239.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019393.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019395.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019396.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019544.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019545.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019546.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019718.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019719.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019720.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019880.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019881.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0019882.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020039.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020040.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020041.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020199.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020200.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP101\A0020201.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021202.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021203.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021204.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021358.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021359.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP102\A0021360.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021655.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021656.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021657.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021818.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021819.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021820.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021977.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021978.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0021979.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022129.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022130.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022131.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022328.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022329.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022330.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022481.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022482.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022483.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022638.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022639.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022640.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022790.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022791.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022792.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022945.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022946.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0022947.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0023097.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0023098.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP103\A0023099.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023388.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023389.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023390.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023537.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023538.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023539.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023736.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023737.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023738.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023884.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023885.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023886.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023916.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023918.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0023920.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024068.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024069.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024070.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024371.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024374.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024375.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024390.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024391.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\A0024392.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP104\change.log Object is locked skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013420.exe Infected: Trojan-Dropper.Win32.Agent.cpt skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013426.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013427.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013428.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013433.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013435.exe Infected: Trojan-Dropper.Win32.Agent.cpt skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013438.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013439.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013440.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013441.dll Infected: Backdoor.Win32.Small.ccj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013442.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013445.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013446.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013452.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013453.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013454.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013463.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013464.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013465.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013471.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013472.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013473.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013484.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013485.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013487.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013493.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013494.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013495.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013506.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013507.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013509.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013523.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013524.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013525.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013567.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013568.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{2D081E92-40B0-4D11-86A6-AF667022EB05}\RP99\A0013569.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{58CE3B28-E03E-46ED-9BEE-F408247F36FD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6d8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp197883336.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#16 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 03 December 2007 - 07:51 PM

mic,
Looking lots better.

Go ahead and delete that file TIMOTY.EXE-09857EDC.pf in the prefetch folder
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous Restore points, including those likely to be infected, and a new Restore Point will be established..
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
If you are not prompted to reboot, do it on your own.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The Disable/Re-enable System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Reset Options in CCleaner for Regular Use.
Open CCleaner if it's not already running.
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. Then under Internet Explorer, Uncheck "History". In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Check Only delete files in Windows Temp folders older than 48 hours.
  • Set CCleaner to Run When Computer Starts. Click on the Options block on the left, then choose Settings. Check Run CCleaner when computer starts.
-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Please post the contents of CCleaner's install.txt

If this line in your HiJackThis log implies what I think it does, please heed my initial warning about account number/password risks.
O4 - HKCU\..\Run: [UBSShell] C:\Program Files\UBS e-banking\UBS Shell\UBSShell.exe Hidden

askey127
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#17 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 03 December 2007 - 08:35 PM

Thanks askey127!

Small problem: I can't access the properties of My Computer (nor can I access the control panel). I tried to look around on Vilma to remove the thing, but I don't know where to look and wouldn't like to do a mistake. Can you tell me how I could access to My Computer's properties?

mic

#18 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 03 December 2007 - 10:35 PM

See if you can open the dialog -
Go to Start, Run and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and CHECK "Turn Off System Restore On All Drives"
Then REBOOT
After the REBOOT, Go to Start, Run again and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and UNCHECK "Turn Off System Restore On All Drives"
Then REBOOT
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

#19 OFFLINE   mic

    Member

  • Members
  • PipPip
  • 18 posts

Posted 03 December 2007 - 11:32 PM

View Postaskey127, on Dec 3 2007, 10:35 PM, said:

See if you can open the dialog -
Go to Start, Run and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and CHECK "Turn Off System Restore On All Drives"
Then REBOOT
After the REBOOT, Go to Start, Run again and type:
control sysdm.cpl
If the dialog comes up, click on the System Restore tab and UNCHECK "Turn Off System Restore On All Drives"
Then REBOOT

I still get the same message telling me that this operation has been restricted.

#20 OFFLINE   askey127

    Advanced Member

  • Members
  • PipPipPip
  • 108 posts
  • Gender:Male
  • Location:New Hampshire, US

Posted 04 December 2007 - 11:47 AM

mic,
You do have a lot of infected files saved in old System Restore Points.
Be SURE that you do NOT Restore to a previous point until we can delete those "Restore backups"
The disable/re-enable sequence we are trying to perform will erase all those infected files.

Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer and see whether you can perform the System Restore Disable/Re-enable sequence.

If that doesn't work, we have other tools at our disposal to regain your privileges.
askey127
Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |
Back to Spyware Hell


  1. Piriform Community Forums
  2. Computer Help and Discussion
  3. Spyware Hell