PDA

View Full Version : possible smitfraud problem



xtophe
2007-02-03, 22:45
Hello,

I am new to this forum, I detect a possible smitfraud problem on my computer and I am triying to get rid of it.
could anyone help me out?
thanx

I have run a hijack this, and here is the log:



Logfile of HijackThis v1.99.1
Scan saved at 21:39:53, on 03/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\trdihwfv.dll",setvm
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Shaba
2007-02-04, 11:49
Hi xtophe

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)

xtophe
2007-02-04, 17:19
Hello Shabba,

Since yesterday, i have installed demo version of kaspersky who found lots of probleme type: mainly Win32.Sality.l
Cannot add or suppress any programe since my rundll32.exe is accessible.
I am not shure how long I will be able to use this computer, but I am folowing forum on a apple mac.

Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 16:12:51, on 04/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O2 - BHO: (no name) - {D4570042-A7EF-4772-8BC8-6D090F0A5532} - C:\WINDOWS\System32\hgdab.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: hgdab - C:\WINDOWS\System32\hgdab.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Shaba
2007-02-04, 17:22
Hi

If you have sality, let's run first panda online scan:

Please run this online scan:

Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

xtophe
2007-02-05, 01:04
Hello Shaba,

Sory for mispelling your name in my first E-mail.
I did the pand scan, ( it took for ever, and only works using IE)

Here is the Panda report, and fresh HJT log:

PANDA:

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.toplist.cz/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt[.xiti.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.xiti.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.adtech.de/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt[.drivecleaner.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Christophe Chaverou\Bureau\TELECHARGEMENTS\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@atdmt[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@bluestreak[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Christophe Chaverou\Cookies\christophe chaverou@stats1.reliablestats[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Christophe Chaverou\Local Settings\Temp\aaugdshb.dll
Virus:W32/Sality.O Disinfected C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
Virus:W32/Sality.O Disinfected C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

-------------------------------------------------------------------------
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 23:56:43, on 04/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O2 - BHO: (no name) - {D4570042-A7EF-4772-8BC8-6D090F0A5532} - C:\WINDOWS\System32\hgdab.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [Panda_cleaner] C:\WINDOWS\System32\ACTIVE~1\pavdr.exe C:\WINDOWS\System32\pavdr_actions.sys
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: hgdab - C:\WINDOWS\System32\hgdab.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)


thank you,
Xtophe.

Shaba
2007-02-05, 09:24
Hi

Next step is then to update your Windows before we do anything else.

You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=fr (http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&DisplayLang=fr)

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/ (http://www.windowsupdate.com/)

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.

xtophe
2007-02-05, 12:02
Shaba,

I've downloaded the SP1, but the installer failled to install the SP1: "An error occur while assistant tried to download SP1 Files".
I've tried several times without any succes.
I've tried to desactivate Kaspersky. no result.
Tried to find a way to install SP1 without connection to internet as the it was suggested, but without any succes....
What can i do?

xtophe
2007-02-05, 12:24
Shaba,

Since i Have this computer, I have been trying to stay away from using any microsoft programs, I use Mozilla as a navigator, not IE and I have run win anti-spy witch turns off outlook , msn etc ... This is probably why i have never done any updates ...
I am saying this because while trying to do the update as you suggested, but without succes for some odd reason, it seams that the service pack1 and windows update will give me the latest versions of these programes wich i do not use....
Is this true? I bet I Am missing something....?

In the same Time, I am still not able to tell you wich version of XP i am running, since
Windows still cannot find rundll32.exe and does not allow me to use control panel and stop the acces to other informations ....

xtophe
2007-02-05, 15:26
Shaba,

After reboot, I was able to install Sp1a and download and install all windows update.
After reboot, I know have a pure blue screen only after login??/?
The only tool that seam to work is the task manager wich alowed me to run a fresh HJT and open a firefox window for me to send you this thread.
Please help!!!

Here is the fresh HjT log:

Logfile of HijackThis v1.99.1
Scan saved at 14:19:13, on 05/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Shaba
2007-02-05, 17:58
Hi

As for rundll32.exe, try to download it from here (http://www.spywareinfo.com/~merijn/files/windows/rundll32_xp.zip) and unzip it to C:\windows\system32.

Control panel shoud work after that.

Also, do this:

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

xtophe
2007-02-05, 19:01
Shaba,

For information, i do not have acces to my desktop ... my screen is blue and no windows or menu or icon are visible, the only acces i have is through the task manager window.

I have downloaded the rundll32.exe but am not able to unzipit to C:/windows/system32/ I get this message:
Impossible to find rundll32.exe, this program is needed to complete ....

I have downloaded vundo and run it fine.
you will fond below the vundofix.txt and new HJT log

VUNDO:


VundoFix V6.3.5

Checking Java version...

Java version is 1.4.2.6

Scan started at 17:40:39 05/02/2007

Listing files found while scanning....

C:\WINDOWS\System32\badgh.bak1
C:\WINDOWS\System32\badgh.bak2
C:\WINDOWS\System32\badgh.ini
C:\WINDOWS\System32\badgh.ini2
C:\WINDOWS\System32\badgh.tmp
C:\WINDOWS\System32\gatwewfn.dll
C:\WINDOWS\System32\hgdab.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\badgh.bak1
C:\WINDOWS\System32\badgh.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.bak2
C:\WINDOWS\System32\badgh.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.ini
C:\WINDOWS\System32\badgh.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.ini2
C:\WINDOWS\System32\badgh.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\badgh.tmp
C:\WINDOWS\System32\badgh.tmp Has been deleted!

Attempting to delete C:\WINDOWS\System32\gatwewfn.dll
C:\WINDOWS\System32\gatwewfn.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgdab.dll
C:\WINDOWS\System32\hgdab.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 18:01:30, on 05/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - C:\WINDOWS\System32\hgdab.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll (file missing)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

xtophe
2007-02-05, 19:17
Shaba,
I have been able to unzip the file to proper location throught.
Still no desktop thought or acces to control panel...
let me know the next step.
Thank you again for helping me out,
greatly appreciated.
Xtophe.

Shaba
2007-02-05, 19:43
Hi

Can you do this?

Go to task manager, there file> new task> explorer> ok

And tell if it helped :)

xtophe
2007-02-05, 20:13
Shaba,

I cannot get to it and i don't have acces to search fonction.
Do you know the path to explorer?
I've tried in C:/Programfiles
and in C:/Windows/
But it is to vast to explore for me!!!
thanx again for tips.

Shaba
2007-02-05, 20:30
Hi

I think that explorer.exe might could have been infected with sality and that's why may not exist :(

Try these (http://support.microsoft.com/kb/170907) instructions (from If there is a Windows 95 version of the Explorer.exe file in the Windows NT folder, follow these steps:
Step 5. isn't necessary)

Did it help?

xtophe
2007-02-05, 21:58
Shaba,

Does not help, I am not able to find any explorer file, neither do I have a c:\winnt folder ...
Or Am I doing anything wrong?

xtophe
2007-02-05, 22:02
Would it help if i was able to find an original WinXP cd ?
I dont have any becaus my computer was setup already when I got it, but i am pretty sure I could find a winXp cd from someone arroud....

xtophe
2007-02-05, 22:31
So I got a cd from my neighbour ...
Let me know what to do?
thanx,
Xtophe

Shaba
2007-02-06, 12:29
Hi

Like I said, follow instructions starting from "If there is a Windows 95 version of the Explorer.exe file in the Windows NT folder, follow these steps:" but not the step 5 :)

xtophe
2007-02-06, 14:04
Hello Shaba,

I am not able to folow direction:
How do I go to the CD-ROM directory?
Cant remenber the dos command
Then how do I expand the explorer.exe and from wich directory since the CD is Win XP and Not Win NT ???
Sory, looks like i need to be taken by the hand here...
Xtophe

xtophe
2007-02-06, 14:07
Sorry for freaking out!

My memory came back and I was able to expand explorer to C:/explorer.exe
So whan I reboot I still have a blue screen and explorer.exe is not runing since it is not where it is suppose to be...
Where and How should i move/copy the file to please?

xtophe
2007-02-06, 14:21
OK I managed to put the explorer.exe file into the c:/Windows folder
Thank you for your patience
Xtophe

Shaba
2007-02-06, 15:52
Hi

Great :)

Do you now have desktop and access to control panel?

xtophe
2007-02-06, 16:02
I do have desktop and access to control panel

xtophe
2007-02-06, 16:20
I am running S S&D, log shows:
VirtuMonde 1 elements
Smitfraud-C.Toolbar888 2 elements

xtophe
2007-02-06, 16:34
here is the entire log from S S&D:

Avenue A.inc 1 eltm
BlueStreak 1
MediaPlex 1
ReliableStats 5
SearchToolbarCorp.ToolbarVision 1
Smitfraud-C.Toolbar888 4
Statcounter 1
VirtuMonde 2
Winsoftware.winAntiVirusPro2006 3

Shaba
2007-02-06, 17:33
Hi

That's great :)

Please send a fresh HijackThis log next.

xtophe
2007-02-06, 17:36
Logfile of HijackThis v1.99.1
Scan saved at 16:34:37, on 06/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - C:\WINDOWS\System32\hgdab.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll (file missing)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Shaba
2007-02-06, 17:39
Hi

# Run Spybot-S&D in Advanced Mode.
# If it is not already set to do this Go to the Mode menu select "Advanced Mode"
# On the left hand side, Click on Tools
# Then click on the Resident Icon in the List
# Uncheck "Resident TeaTimer" and OK any prompts.
# Restart your computer.

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - C:\WINDOWS\System32\hgdab.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll (file missing)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)

Close all windows including browser and press fix checked.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.
For Internet Explorer 4.x - 6.x
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.
For Netscape 4.x and Up
Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.
For Opera
Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:

AVG Anti-Spyware log
A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

xtophe
2007-02-06, 17:44
Logfile of HijackThis v1.99.1
Scan saved at 16:34:37, on 06/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - C:\WINDOWS\System32\hgdab.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\gatwewfn.dll (file missing)
O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\SYSTEM32\ddcyyay.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddcyyay - ddcyyay.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Shaba
2007-02-06, 17:54
Hi

You were supposed to disable TeaTimer (it will prevent fixes) and install & run AVG anti-spyware as stated above and send those reports :) If you don't know how to fix lines, just ask :)

xtophe
2007-02-06, 17:55
I wil follow instruction and proceed as discibe.
Questions Do i need a lot of space on hard drive to perform this?
I only have about 900 MEG free. Will this be enough?

Shaba
2007-02-06, 17:56
Hi

Yes, more than enough :)

xtophe
2007-02-06, 17:59
Sorry Shaba, I've post twice the same HJT Log, computer stall, phone ring ....
I haven't done anything yet, Could you just answer space problem before i proceed?
thanx,
Xtophe

Shaba
2007-02-06, 18:01
Hi

Actually I answered to that question in my previous post :) 900 megs is more than enough for that purpose.

xtophe
2007-02-06, 19:12
I' ve read the instruction. I normaly use mozilla, but for some reason I have not be able to opened it for a while... system is looking for a dll it cannot find! this part as probably been infected and deleted by Kaspersky.
Anyhow, do you know a manual way to clear the cache manualy?

Shaba
2007-02-06, 19:45
Hi

Maybe the easiest way is to uninstall&re-install mozilla; you also try ATF cleaner:

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop. Don't use it yet.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

xtophe
2007-02-06, 23:02
Hello Shaba,

I was actually able to open Mozilla in safe mode!?
I've followed all your instruction here are the logs:

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:37:26 06/02/2007

+ Scan result:



:mozilla.11:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.12:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.13:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.14:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.87:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.12:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.34:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.35:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.31:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Adocean : Cleaned.
:mozilla.32:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Adocean : Cleaned.
:mozilla.50:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.51:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.128:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.17:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.159:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.160:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.219:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.97:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.71:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.127:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.170:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.171:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.21:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.22:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.276:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.271:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.272:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.273:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Profiles\default\4eu8n7v6.slt\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.61:C:\Documents and Settings\Christophe Chaverou\Application Data\Mozilla\Firefox\Profiles\default.oi5\cookies.txt -> TrackingCookie.Weborama : Cleaned.


::Report end

xtophe
2007-02-06, 23:03
Logfile of HijackThis v1.99.1
Scan saved at 22:03:09, on 06/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Christophe Chaverou\Bureau\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

xtophe
2007-02-06, 23:23
here is the message i get while launching Mozilla:
Application or DLL C:/Program Files/mozilla.org/Mozilla/nspr4.dll is not a valid Window Image

Any idea what's wrong?

Shaba
2007-02-07, 09:18
Hi

I suggest that you uninstall & re-install Mozilla.

You can also download that dll from here (http://www.dll-files.com/dllindex/dll-files.shtml?nspr4) and try it that helps :)

xtophe
2007-02-07, 10:42
Hello Shaba,
I have unninstal and re-instal Mozilla, I'am back on track.
How am I doing now, base on last HJT and AVG logs?
xtophe

Shaba
2007-02-07, 10:47
Hi

Run a scan with your kaspersky antivirus and post its findings here :)

xtophe
2007-02-07, 14:07
Hello Shaba,

Nothing was found by either Kasper or S S&D.
Should I put back Tea Timer on?
Any other recommandation reducing the chance to get infected again?
xtophe.

Shaba
2007-02-07, 17:27
Hi

Great! :)

Yes, you can put it back on.

Do you have any problems?

xtophe
2007-02-07, 18:48
Hello Shaba,

I do have one remaining pb, but maibe not related:
I am using a Tablet (wacom) it does not quite work like it use to. I have been trying to install a new driver for it but without any succes:
When i tried to install new driver, computer tel me there is already a tablet driver!
When i tried into the control panel to adjust tablet settings, computer complain it can't find the tablet driver.
I have been trying to uninstall tablet software using panel control without any succes.

Aside from this. kaspersky just gave me a message that I should restaure explorer.exe that was in quarantine!!! I did not restaure it.

More General question about anti-virus.
Which one to use ? I only have kaspersky untill the end of the month.

Appreciate your answer.
thank you,
Xtophe.

Shaba
2007-02-07, 19:37
Hi

Sorry, I don't think I can help with issue :sad:

Kaspersky one of the best AVs, so I recommend to keep it.

Don't restore explorer.exe from quarantine; it might be infected.

You're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install SP2, too.


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

xtophe
2007-02-07, 20:12
Dear Shaba,

I shall thank you warmly for guiding me throught all the steps to cleanup my computer infection.
I will follow your instruction for reducing the chance to get infected again.

Best regards,

Xtophe.

Shaba
2007-02-07, 20:17
Hi

You're welcome; it was my pleasure to help :)

Shaba
2007-02-09, 19:59
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.