Results 1 to 7 of 7

Thread: CoolWWWsearch and secure32.html

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    3

    Default CoolWWWsearch and secure32.html

    Hi everybody,
    My apologies if this problem has been previously displayed in this forum, but I am a little bit tired to try successively various olutions.
    I got infected with both CoolWWWsearch (according to Spybot findings) and secure32.html
    All of the disinfecting processes I tried were found inefficient. The spies regenerate automatically
    Here is below the Hijack log of my system.
    10x alot for the help.
    Have a Happy New Year !
    Cheers.
    Hamilcar Barca
    ---------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 14:48:40, on 29/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\WINDOWS\winfile.exe
    Z:\zip\antispyware\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\Texthelp Systems\ReadAndWrite7\thhtmlbho.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Lancement rapide d'Adobe Acrobat.lnk = ?
    O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166795930187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: Domain = ups-tlse.fr
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: NameServer = 195.220.59.6,195.220.59.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: Domain = ups-tlse.fr
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: NameServer = 195.220.59.6,195.220.59.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: Domain = ups-tlse.fr
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: NameServer = 195.220.59.6,195.220.59.2
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hello Hamilcar and welcome to the forum, where did you find this nasty junk? Are you in France?
    http://whois.domaintools.com/195.220.59.6

    I see this junk: O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe and Thunder scanned it at CastleCops:
    http://www.castlecops.com/p874082-au...nguardian.html

    I also need to find out if this is safe: C:\WINDOWS\winfile.exe
    Use one or more of these free online scans and post the results for me to view:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html
    Careful not to do anything with it until we look, it may well be a needed, valid file.

    I will need you to read and follow these instructions:
    "BEFORE you POST" -Preliminary Steps
    http://forums.spybot.info/showthread.php?t=288
    Which are posted at the top of the forum, follow all directions and post that antivirus scan and a new HJT log. Make sure you move HJT to the C:\ from whatever that is you are running it from (zip?) I would prefer you put it here: C:\HJT\HijackThis.exe. Here are more instructions if you need them.
    http://russelltexas.com/malware/createhjtfolder.htm
    Use "Post Reply" to stay in this same topic.

    I will need those instructions followed to proceed, but I also see Prevx is supposed to remove this one? Here is the link if you would prefer to give the automated tool a try.
    http://fileinfo.prevx.com/fileinfo.asp?PXC=8bbf65667412

    Thanks

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    3

    Thumbs up Reply

    [QUOTE=pskelley;60538]Hello Hamilcar and welcome to the forum, where did you find this nasty junk? Are you in France?

    Yes, I am French. I feel myself ashamed : I use to pay for every soft, and I have probably for more than 15,000 euros of softs in my lab ( I am a scientist). Even my copy of Spybot was paid :-) But I had to test a very expansive soft and, before to purchase it, I did an attampt with a keygen... that was not a keygen, but a malware installer.
    A very good lesson, indeed

    I see this junk: O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe and Thunder scanned it at CastleCops:
    http://www.castlecops.com/p874082-au...nguardian.html

    PSkelley, you're great !
    I looked for this damned autosys.exe in another machine, the config of which was very similar to the infected one. Nothing !
    So I swept off this exe, along with the corresponding key, and all was fixed. Spybot cleaned up the secure3é.html occurrences.
    Thanks alot, my friend !

    I also need to find out if this is safe: C:\WINDOWS\winfile.exe

    I am surprised you didn't know about it: it is the old filemanager from WinNT 4.0. I love it and I still use it.

    PSkelley, have a Happy New Year !

    Hamilcar Barca

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hello Hamilcar, good job with the removal, if you wish me to look at a HJT log to be sure it is gone, post one.
    I am surprised you didn't know about it: it is the old filemanager from WinNT 4.0. I love it and I still use it.
    I have not used the item, and I saw the Google indicated it was probably safe, but hackers call there junk anything they want to so I thought it best to be safe and check it.

    If you are back to normal, I will suggest you clean your System Restore files:
    System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    I'll even toss in a nice freeware tool to clean with if you are interested.
    http://forums.security-central.us/showthread.php?t=1925

    I have no French so here is my best attempt:
    Ayez un jour splendide et une nouvelle année heureuse

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    3

    Default

    Hello Hamilcar, good job with the removal, if you wish me to look at a HJT log to be sure it is gone, post one.

    Thanks for the approval. You have the log below (HJT was used according to your previous instructions)
    ---------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 13:55:42, on 31/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\RegCleaner\RegCleanr.exe
    C:\WINDOWS\winfile.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\Texthelp Systems\ReadAndWrite7\thhtmlbho.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166795930187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: Domain = ups-tlse.fr
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: NameServer = 195.220.59.6,195.220.59.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: Domain = ups-tlse.fr
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: NameServer = 195.220.59.6,195.220.59.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: Domain = ups-tlse.fr
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C4A2A7C-E820-404F-B4F5-8D0F00DEA1C0}: NameServer = 195.220.59.6,195.220.59.2
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    -----------------------------------------------------------------
    If you are back to normal, I will suggest you clean your System Restore files:
    System Restore does not know the good files from the bad
    .

    Interesting. I use to turn off System Restore in all of my computers, whatever the OS (2003 server used as workstation or server, or XP). This stuff puts the system to idle.

    I'll even toss in a nice freeware tool to clean with if you are interested.
    http://forums.security-central.us/showthread.php?t=1925
    [/I]

    Great. I download it immediately.

    I have no French so here is my best attempt:


    Eveything happens one day !

    Ayez un jour splendide et une nouvelle année heureuse

    Same for you, partner ! I feel the weather is better in Florida than in SW France :greeting

    Hamilcar Barca (aka Jean-François)

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    System Restore: We who have to rely on System Restore at times when dealing with a badly infected computer have come to the conclusion that a bad Restore Point is better that no Restore Point at times.

    This is more cosmetic than malware removal, if your Norton or any other program prompts you, make sure you allow the change.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Safe surfing

    Clearwater, Florida:
    Sun 81° | 67° Mon 76° | 60° Tue 72° | 60° Wed 74° | 62°

  7. #7
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Glad we could help, as the problem appears to be resolved this topic has been archived.

    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

    Anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •