View Full Version : smitfraud-c.toolbar888... oh yesss
Rollmops17
2007-01-12, 01:54
Hi every body!
... it seems i'm not alone to suffer from this f*** smitfraud-c.toolbar888. HELP!
I read a few of the previous posts on this subject.
I scanned my computer with spybot, but of course in didn't fix the problem. Then i scanned my computer with Hijackthis, smitfraudfix and Vundofix (who didn't find any problem !!!!???)
Here are the logs:
1. HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 0:13:15, on 12/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\WF2K.EXE
C:\WINDOWS\system32\secvqims.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\vssmnptc.exe
C:\WINDOWS\system32\sdmvdlxe.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\CL\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [mlibsysmc] secvqims.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [mlibsysmc] secvqims.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ymmsddlop] C:\WINDOWS\system32\vssmnptc.exe
O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\system32\sdmvdlxe.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A273AF6B-643E-4A19-A18B-549BA3A53D41}: NameServer = 195.238.2.22 195.238.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
2. SMITFRAUDFIX
SmitFraudFix v2.132
Scan done at 0:14:10,79, ven. 12/01/2007
Run from C:\Documents and Settings\Cedric Lobelle\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\CL
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\CL\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CEDRIC~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
pe386 detected, use a Rootkit scanner
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
That's it. I know you all have a lot of work like this, but, Obi Wan Kenobi, you're our only (or last?) hope...
Hi Rollmops17 and welcome to the Forums :bigthumb:
You got infections....
Download RustBFix from one of the following locations...
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
...and save it to your desktop.
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
Rollmops17
2007-01-14, 14:55
Hi Mr_JAk3
Thanks for your help!!!
Here the logs you asked:
AVENGER:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\plfjkhtq
*******************
Script file located at: \??\C:\WINDOWS\gfbakdmc.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
PELOG:
************************* Rustock.b-fix -- By ejvindh *************************
dim. 14/01/2007 13:46:25,81
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70550
Total size: 70550 bytes.
Attempting to remove ADS...
system32: deleted 70550 bytes in 1 streams.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************************* End of Logfile ********************************
HIJACKTHIS:
Logfile of HijackThis v1.99.1
Scan saved at 13:51:35, on 14/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\WF2K.EXE
C:\WINDOWS\system32\secvqims.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\vssmnptc.exe
C:\WINDOWS\system32\sdmvdlxe.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Cedric Lobelle\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [mlibsysmc] secvqims.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [mlibsysmc] secvqims.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ymmsddlop] C:\WINDOWS\system32\vssmnptc.exe
O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\system32\sdmvdlxe.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A273AF6B-643E-4A19-A18B-549BA3A53D41}: NameServer = 195.238.2.22 195.238.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Ok good :)
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\secvqims.exe
Click on Send
Wait for the scan to end.
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\vssmnptc.exe
Click on Send
Wait for the scan to end.
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\sdmvdlxe.exe
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
Then we'll get you cleaned :bigthumb:
Rollmops17
2007-01-15, 01:20
My hero...:heart:
Here they are!
Hope this will come to an end... ;-)
secvqims.exe:
STATUS: FINISHEDComplete scanning result of "secvqims.exe", received in VirusTotal at 01.15.2007, 00:01:01 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 TR/Crypt.PCMM.Gen
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.14.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.14.2007 no virus found
DrWeb 4.33 01.14.2007 BackDoor.IRC.Sdbot.986
eSafe 7.0.14.0 01.14.2007 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.14.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 suspicious
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.14.2007 no virus found
NOD32v2 1978 01.14.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.14.2007 W32/Sdbot.JGO.worm
Prevx1 V2 01.15.2007 Dropper.Payload
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 VIPRE.Suspicious
TheHacker 6.0.3.148 01.14.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.14.2007 suspected of Backdoor.Hupigon.141 (paranoid heuristics)
VirusBuster 4.3.19:9 01.14.2007 Worm.Akbot.Gen!Pac1
vssmnptc.exe:
STATUS: FINISHEDComplete scanning result of "vssmnptc.exe", received in VirusTotal at 01.15.2007, 00:07:50 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.14.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.14.2007 no virus found
DrWeb 4.33 01.14.2007 BackDoor.Mailbot
eSafe 7.0.14.0 01.14.2007 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.14.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 suspicious
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.14.2007 no virus found
NOD32v2 1978 01.14.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.14.2007 Suspicious file
Prevx1 V2 01.15.2007 Polynomial.Code.Exploit
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 VIPRE.Suspicious
TheHacker 6.0.3.148 01.14.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.14.2007 suspected of Backdoor.Hupigon.141 (paranoid heuristics)
VirusBuster 4.3.19:9 01.14.2007 Worm.Akbot.Gen!Pac1
sdmvdlxe.exe:STATUS: FINISHEDComplete scanning result of "sdmvdlxe.exe", received in VirusTotal at 01.15.2007, 00:11:05 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.14.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.14.2007 no virus found
DrWeb 4.33 01.14.2007 Trojan.Spambot
eSafe 7.0.14.0 01.14.2007 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.14.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 suspicious
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.14.2007 no virus found
NOD32v2 1978 01.14.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.14.2007 Trj/Spammer.ZG
Prevx1 V2 01.15.2007 Dropper.Payload
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 VIPRE.Suspicious
TheHacker 6.0.3.148 01.14.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.14.2007 Trojan.Spambot
VirusBuster 4.3.19:9 01.14.2007 Worm.Akbot.Gen!Pac1
Hi again :)
There is one thing you need to know:
One or more of the identified infections is an active backdoor trojan :sick:
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
I can help you in the cleaning if you don't want to reformat but I can't promise that we'll get you 100% clean.
Please let us know what you have decided to do in your next post :bigthumb:
Rollmops17
2007-01-15, 22:46
:trample:
Pffffffffff
I prefer clean at first and then i'll see. I'll take the risk. And i've nothing confidential on my computer.
My Comodo firewall did block those f**** shits from attempting to join internet, so I hope they didn't do any harm.
Ok, i'm ready for the next level!
Thanks a lot, anyway!
Hi again, we'll continue then :)
Only a few scanners detected the malware files...I would like you to upload those for further inspection.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\secvqims.exe
Click "Browse" on the 2. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\vssmnptc.exe
Click "Browse" on the 3. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\sdmvdlxe.exe
In the comments, please mention that I asked you to upload this file
Click on Send File
Thank you, we'll get you cleaned then :bigthumb:
=====================
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Create a new folder for HijackThis and move HijackThis.exe into it.
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
secvqims.exe
vssmnptc.exe
sdmvdlxe.exe
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [mlibsysmc] secvqims.exe
O4 - HKLM\..\RunServices: [mlibsysmc] secvqims.exe
O4 - HKCU\..\Run: [ymmsddlop] C:\WINDOWS\system32\vssmnptc.exe
O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\system32\sdmvdlxe.exe
O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\vssmnptc.exe
C:\WINDOWS\system32\sdmvdlxe.exe
C:\WINDOWS\system32\secvqims.exe
C:\WINDOWS\SYSTEM32\winmqx32.dll
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
Rollmops17
2007-01-16, 19:27
Done! :)
Ok here is the hijackthis log
HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 18:05:55, on 16/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\WF2K.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\sdmvdlxe.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cedric Lobelle\Desktop\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\system32\sdmvdlxe.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Rollmops17
2007-01-16, 19:30
AVG report
(note its in french)
nettoyé = cleaned
sauvegardé = saved
mis en quarantaine = quarantined
---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------
+ Créé à: 18:01:10 16/01/2007
+ Résultat de l'analyse:
C:\WINDOWS\system32\winmqx32.dll -> Proxy.Agent.lu : Nettoyé et sauvegardé (mise en quarantaine).
:mozilla.138:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.139:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.213:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.214:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.223:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.227:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.228:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.261:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.96:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.97:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Clickzs : Nettoyé.
:mozilla.217:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.315:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Euroclick : Nettoyé.
:mozilla.119:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Information : Nettoyé.
:mozilla.166:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Masterstats : Nettoyé.
:mozilla.266:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Pointroll : Nettoyé.
:mozilla.273:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Pointroll : Nettoyé.
:mozilla.274:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Pointroll : Nettoyé.
:mozilla.293:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Pointroll : Nettoyé.
:mozilla.105:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.106:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.107:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.108:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Serving-sys : Nettoyé.
:mozilla.229:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.230:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.231:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.232:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.233:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.235:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.236:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.246:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.247:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.248:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.249:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.250:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.251:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.252:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.253:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.254:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.255:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.256:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.257:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.259:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sexcounter : Nettoyé.
:mozilla.84:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Sitestat : Nettoyé.
:mozilla.41:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.
:mozilla.43:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.
:mozilla.44:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Smartadserver : Nettoyé.
:mozilla.88:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Statcounter : Nettoyé.
:mozilla.115:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Tacoda : Nettoyé.
:mozilla.116:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Tacoda : Nettoyé.
:mozilla.294:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.298:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.304:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.305:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.306:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.318:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.319:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Yieldmanager : Nettoyé.
:mozilla.14:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Zedo : Nettoyé.
:mozilla.15:D:\Documents and Settings\clobelle\Application Data\Mozilla\Firefox\Profiles\ajlhm5yt.default\cookies.txt -> TrackingCookie.Zedo : Nettoyé.
Fin du rapport
Hi again :)
One of the files doesn't want to die...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
sdmvdlxe.exe
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\system32\sdmvdlxe.exe
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
Open HijackThis.
Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the filenamebox and press Open; C:\WINDOWS\system32\sdmvdlxe.exe
Answer Yes
Reboot the computer if it isn't restarted automatically
Scan again with HijackThis and post the logfile to here :bigthumb:
Rollmops17
2007-01-17, 20:48
ok
done
hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 19:44:14, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\WF2K.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Cedric Lobelle\Desktop\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
I hope those things are DEAD, right now! ;-)
Seems dead now :D:
But because you'were badly infected, we'll run one more scanner just in case...
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Rollmops17
2007-01-18, 02:25
It seems ok!!!:D: :flowers: :beerbeerb:
Yeeepeeeeeeeee!
Thanks a lot, Mr_JAk3 ! ! ! !
The post, just to be sure.....
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 18, 2007 1:21:05 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/01/2007
Kaspersky Anti-Virus database records: 259207
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 42852
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:34:24
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Local Settings\History\History.IE5\MSHist012007011820070119\index.dat Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Local Settings\Temp\~DF2121.tmp Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cedric Lobelle\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9A1C2470-CC98-427A-A0D4-3C7EACDFE000}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_590.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Hi again, it is looking clean now :)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)