Ile_de_man
2008-07-14, 16:27
Hi,
With Internet Explorer, I get a pop-up window whenever I use any shopping site during the checkout phase. It brings up a window asking for the card details and ATM PIN.
I have run Spybot but there are no problems detected.
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17:58, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Protection PC\Tracks Eraser Pro\te.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Protection PC\HijackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favoris
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Internet Explorer\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Protection PC\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Télécharger avec Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.zebulon.fr/scan8/oscan8.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://fichiers.touslesdrivers.com/fichiers/hardwaredetection/hardwaredetection_2_0_4_13.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.fr/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9A298E5-7642-4D3B-86AA-2EADC6CF8859}: NameServer = 212.27.54.252,212.27.53.252
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Protection PC\Tracks Eraser Pro\autocomp.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5406 bytes
shelf life
2008-07-20, 01:30
hi Ile_de_man,
You're doing the right thing; don't supply any information until we check for malware. Let's start with SDFix, which runs in Safe Mode. I see you have NOD32 for antivirus; I don't see a resident anti-malware app. We will get one later.
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Ile_de_man
2008-07-30, 22:43
I opened the post http://forums.spybot.info/showthread.php?t=30954, but the infected computer is at my parents' and it's very difficult for me to answer quickly because I don't live near them.
As recommended, this is the SDFix log:
SDFix: Version 1.210
Run by propriétaire on 30/07/2008 at 20:36
Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Temp\ed47fa.$ - Deleted
Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector (http://www2.gmer.net/mbr/mbr.exe) by Gmer or CureIt (http://www.freedrweb.com/cureit) by Dr.Web
Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 21:00:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:cc,4c,7b,aa,97,39,5c,1a,1b,12,5b,6f,66,81,f9,41,ac,63,9f,f0,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:3d25ff28
"s2"=dword:90398163
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:cc,4c,7b,aa,97,39,5c,1a,1b,12,5b,6f,66,81,f9,41,ac,63,9f,f0,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:cc,4c,7b,aa,97,39,5c,1a,1b,12,5b,6f,66,81,f9,41,ac,63,9f,f0,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:cc,4c,7b,aa,97,39,5c,1a,1b,12,5b,6f,66,81,f9,41,ac,63,9f,f0,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:cc,4c,7b,aa,97,39,5c,1a,1b,12,5b,6f,66,81,f9,41,ac,63,9f,f0,7d,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG08.00.00.01WORKSTATION"="B80386778A532BA1C7F3A8CFE1CBDB87CDBE0864C0CD97AC90BD240E8AE1B5A8DDBB71D8D9F7AC4C2F
1490E16AA64F61DB1512FE193A9BC35DBA4F41689797C01F3550391EEA404F6447401E6DA90D15396479B031E3F4B96FB414FBB6DE1687BB5514E
4968E5D66D1759AFCA0CECA1E963B303C5A76BAE6627F16717EBBC9D457D3339725D9BB0541DE06EAE19F0429887DADDB88B54A57B143FD48EF4
290AEF63E270751595B4FE2136DC7AFBEF79987606EBC55F44349C0F977975B1E0B5384756DD8462B7E1E4879FEBC9E127BECC74CFEBC9E127BEC
C74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A9C6AECB7A5D140
7FEBC9E127BECC74CD1B64B047B67CA95D2F29F770A38B4BBC16A5203522119FDC7A8985F92BAB50AA58423EA61218A551C6734DC9D2C3FF1DFE
C4B456C6E9239234D5FDCC80C5E43A69A2B261DE0A931E64D035DFBF14CC2CDA244BA51B420C27BC44FFE3CA1C23B9ACA8CD86899E9014A8410
127D1A470C9297B9109AC2F49DE8E8FAA66B267F3A4ADB95B8C0F4F1F3606001A2416AFE7FB7CA4C05A719AA1F06851DC99478165B8187B90F654
D4C88C5A62351A8DCA522CC323EEC1D70BCF3745C11F0BC2D6B0F91FA0C3CDB3566149C936270DA1ED44FE4B377B1DF320B995523D9B8AB8B4A9
74E5AC8306E7113400B5654E5411086B395AC06CE9DFD5BE2D1809A53EC8F5F8F91B9CBF22A79880AB9102E2F8AC81BD079EC1755C3A5D5779515
9B87D266BBDFB623191E5F796240D5D9CB5A2910557DB0B801E805AE06D14FEE4CAA6E7655C91F9654DEA2D29D09923DAB0BD1E65BE1DBC63A41D
9D45DBF34943C2E1BD605613004C97ACF1A9D5D253B70F87F7ABBFC24455E2CFD862FE57BFD9F11F2D0888D51D1E5C30217A70AC64561ED71B363
A1B1522E086E66B4B85F1A50E8D566010B6E5B3BA799C6E72E35C1694AA8AAA67334828DCAEECA0A05A0C64BDE69CA74E77B6DFD23BD596BC1320
D9681EA2C3C6D5EDD84FB883EAF6882DCB1B09563CB0AE8C98AC75734A38A04761D9A433CBF5C67E03E3704FE8A55CD22C630854ED42833A65DBE
1270692673BF53317E0E3263097B0BAD727F6194CCD574C0AA59BFCCD4AF99BE5FD7F586CEA0B473B08C74778191DEA4A5E6E2BE5027C8DD370A23
D9CD80839875ECE76E6644DE26AF535062957B51F1B48F9DC3AB3C7293A5957803A4AD85AD4D64C0F811C9951F14366E4209041E03FB07076635AE
470331E81D4EE13A2E742426E711294340CABD3AE009A9EB27591A91763DC90A41625922D21990A22EF5794EA7F78A39E8274D17197B44686D08F1A4
A9B1C8507C7AE1173D92C1D4DD53152FAE4318A5BD492ABC70B4AA9F1B37AAEA4084967639A7D44DE63E8CB0B3BBFDCA"
scanning hidden files ...
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0073.JPG 837222 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0057.JPG 1123617 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0060.JPG 661397 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0061.JPG 889012 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0062.JPG 853708 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0063.JPG 787799 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0064.JPG 807357 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0066.JPG 827504 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0067.JPG 1093521 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0068.JPG 826221 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0069.JPG 798935 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0070.JPG 1018794 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0071.JPG 1020899 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0072.JPG 976927 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0074.JPG 968305 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0075.JPG 1201494 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0076.JPG 864206 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0077.JPG 909421 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0078.JPG 879923 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0079.JPG 1295052 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0080.JPG 775844 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0081.JPG 967185 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0091.JPG 1200907 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0092.JPG 1111617 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0093.JPG 888045 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0094.JPG 1050093 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0095.JPG 916275 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0096.JPG 1044186 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0097.JPG 858567 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0098.JPG 985526 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0099.JPG 640948 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0100.JPG 1243249 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0101.JPG 1271184 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0102.JPG 987268 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0103.JPG 897288 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0104.JPG 692084 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\IMG_0105.JPG 1104118 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\Thumbs.db 155648 bytes
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\Thumbs.db:encryptable 0 bytes hidden from API
C:\Documents and Settings\propriétaire\Mes documents\Freddy\Fichiers Protégés\Japon FH12800\2006_07_26\ZbThumbnail.info 172836 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 40
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"F:\\Logiciels\\eMule\\emule.exe"="F:\\Logiciels\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Jeux\\Pro Evolution Soccer 6\\PES6.exe"="C:\\Program Files\\Jeux\\Pro Evolution Soccer 6\\PES6.exe:*:Enabled:pes6.exe"
"C:\\Program Files\\VLC\\vlc.exe"="C:\\Program Files\\VLC\\vlc.exe:*:Enabled:VLC media player"
"F:\\Logiciels\\BitComet\\BitComet.exe"="F:\\Logiciels\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Internet Explorer\\IEPro\\MiniDM.exe"="C:\\Program Files\\Internet Explorer\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"C:\\Program Files\\Fichiers communs\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Fichiers communs\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 11 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 13 May 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 8 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Protection PC\Spyware\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Protection PC\Spyware\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Protection PC\Spyware\Spybot - Search & Destroy\TeaTimer.exe"
Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT15.tmp"
Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT14.tmp"
Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\be077a0a5c65554c0fa221a5c8a0529b\BIT16.tmp"
Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT13.tmp"
Sat 13 May 2006 4,348 ...H. --- "C:\Documents and Settings\propriétaire\Mes documents\Ma musique\Sauvegarde de la licence\drmv1key.bak"
Fri 8 Dec 2006 20 A..H. --- "C:\Documents and Settings\propriétaire\Mes documents\Ma musique\Sauvegarde de la licence\drmv1lic.bak"
Fri 8 Dec 2006 9,855 A.SH. --- "C:\Documents and Settings\propriétaire\Mes documents\Ma musique\Sauvegarde de la licence\drmv2key.bak"
Thu 13 Sep 2007 28,672 A..H. --- "C:\Documents and Settings\propriétaire\Mes documents\Claire\Candidatures\Job 2007\Offres\1 000 mercis- Chargé d'opérations mktg interactif 13 09 07\~WRL0003.tmp"
Mon 17 Sep 2007 29,184 A..H. --- "C:\Documents and Settings\propriétaire\Mes documents\Claire\Candidatures\Job 2007\Offres\1 000 mercis- Chargé d'opérations mktg interactif 13 09 07\~WRL0005.tmp"
Finished!
And the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:32, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Protection PC\Tracks Eraser Pro\te.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Protection PC\HijackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favoris
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Internet Explorer\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Protection PC\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Télécharger avec Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.zebulon.fr/scan8/oscan8.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://fichiers.touslesdrivers.com/fichiers/hardwaredetection/hardwaredetection_2_0_4_13.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} - http://www.extrafilm.fr/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9A298E5-7642-4D3B-86AA-2EADC6CF8859}: NameServer = 212.27.54.252,212.27.53.252
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Protection PC\Tracks Eraser Pro\autocomp.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5364 bytes
Kind regards
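The two HijackThis logs in this thread (14 July and 30 July) differ in a few places that are easy to miss by eye: two HKLM Run entries (PhiBtn, Traymin900) are gone, a new "O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present" line has appeared, and the O16 lines lost their friendly names. The script below is an added example, not code from the page, from Trend Micro or from the helper: it parses HijackThis-style entry lines, keys each one on what actually identifies it (for O16 the CLSID and download URL, since the friendly name is printed only when HijackThis can resolve it), reports what was added and removed between two logs, and flags any Run-key autostart that points into a Temp directory, which is where SDFix found the trojan files above. The BEFORE and AFTER samples are a constructed subset of the two posted logs; the Temp autorun line is hypothetical and exists only to exercise that check.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples for this example: a few lines in HijackThis v2 format,
# copied from the two logs posted above (BEFORE = 14 July, AFTER = 30 July).
# The full logs have many more entries; these are enough to show the diff.
BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Hypothetical autorun line (not from the page) used to exercise the Temp check.
CONSTRUCTED_TEMP_AUTORUN = r"O4 - HKCU\..\Run: [example] C:\WINDOWS\Temp\ed47fa.exe"

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\.+?\.(?:exe|dll|cab|bat|htm)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def entry_key(section: str, body: str) -> str:
    """Stable identity for an entry, so cosmetic differences do not show up as
    changes. HijackThis prints an O16 object's friendly name only when it can
    resolve it (compare the two O16 lines above), so DPF entries are keyed on
    CLSID and download URL rather than on the full text."""
    if section == "O16":
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        return "|".join([section,
                         clsid.group(0).upper() if clsid else "",
                         url.group(0) if url else body])
    return f"{section}|{body}"


def parse(log: str) -> Dict[str, str]:
    """Map entry key -> original line for every 'Rn - ...' / 'On - ...' entry.
    The header and the running-process list do not match and are skipped."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m.group("section"), m.group("body"))] = line
    return entries


def launch_path(line: str) -> str:
    """Best-effort extraction of the file or URL an entry points at."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', line)
    if quoted:
        return quoted.group(1)
    for pattern in (PATH_RE, URL_RE):
        m = pattern.search(line)
        if m:
            return m.group(0)
    return ""


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) entry lines between two logs of the same machine."""
    b, a = parse(before), parse(after)
    added = sorted(a[k] for k in a.keys() - b.keys())
    removed = sorted(b[k] for k in b.keys() - a.keys())
    return added, removed


def autoruns_from_temp(log: str) -> List[str]:
    """O4 (Run key) entries whose target lives in a Temp directory. Legitimate
    software almost never autostarts from there, and the files SDFix deleted
    above were all under the Windows Temp directory."""
    return [line for key, line in parse(log).items()
            if key.startswith("O4|") and TEMP_DIR_RE.search(launch_path(line))]


if __name__ == "__main__":
    added, removed = diff_logs(BEFORE, AFTER)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("autoruns from Temp:", autoruns_from_temp(CONSTRUCTED_TEMP_AUTORUN))
```

Run it on the two full logs pasted in this thread by loading each into BEFORE and AFTER; the diff is only as good as the keys, so an entry whose path or CLSID changed shows up as one removal plus one addition rather than as a modification, which is usually what you want when reviewing a cleanup.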
Ile_de_man
2008-07-30, 23:00
Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector (http://www2.gmer.net/mbr/mbr.exe) by Gmer or CureIt (http://www.freedrweb.com/cureit) by Dr.Web
With mbr.exe by Gmer, it found an error and I fixed it with mbr.exe - fr as asked.
Since then, in IE, the Ctrl-C and Ctrl-V functions work once again.
Bye
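The SDFix note above points at Gmer's MBR rootkit detector, and the last post says mbr.exe found something and fixed it. As an added example (not code from the page, from Gmer or from SDFix), here is the generic check such a tool performs: parse the 512-byte master boot record, verify the 0x55AA signature and the partition table, and compare the 446 bytes of boot code against a hash taken when the disk was known clean. The sample MBRs, the boot code bytes and the baseline hash are all constructed for this example; the read_first_sector helper is the only part that touches a real disk and is not called.

```python
import hashlib
import struct
from typing import Dict, List

# Constructed for this example: the first bytes of a conventional x86 MBR loader
# (xor ax,ax / mov ss,ax / mov sp,0x7c00 / mov es,ax / mov ds,ax), padded later
# to the 446-byte code area.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
# Constructed "tampered" loader: a short jump inserted at the entry point, the
# shape of change an MBR-resident rootkit makes so that its own code runs first.
TAMPERED_BOOT_CODE = b"\xeb\x3c" + CLEAN_BOOT_CODE[2:]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code, one bootable NTFS (type 0x07)
    partition starting at LBA 63, three empty entries, and the 0x55AA signature."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into boot code, partition table and signature."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": sectors})
    return {"boot_code": mbr[:446],
            "signature_ok": mbr[510:512] == b"\x55\xaa",
            "partitions": partitions}


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the code area only; the partition table legitimately changes."""
    return hashlib.sha256(mbr[:446]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> List[str]:
    """Compare an MBR against a known-good boot code hash and sanity-check the
    table. An empty list means nothing unexpected was found."""
    findings: List[str] = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_sha256(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR. Windows only and needs administrator rights (on Linux
    use the block device, e.g. /dev/sda). Not called below so the example runs
    offline on the constructed samples."""
    with open(device, "rb") as disk:
        return disk.read(512)


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = boot_code_sha256(clean)  # record this while the machine is known clean
    print("clean   :", check_mbr(clean, baseline))
    print("tampered:", check_mbr(build_sample_mbr(TAMPERED_BOOT_CODE), baseline))
```

Two caveats a practitioner would want. First, the baseline must be your own: boot managers and disk-encryption products also rewrite the code area, so a mismatch means "changed since the baseline", not "infected". Second, a kernel-mode rootkit that hooks disk I/O can hand any in-band reader the original sector, so a read through the running Windows can come back clean while the disk itself is modified; that is why dedicated detectors go below the hooked layer, and why reading the sector from a boot CD is the reliable confirmation.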