PDA

View Full Version : ad.firstadsolution.com and other problems



david-andorra
2006-04-03, 14:02
Hello,
I've scanned and fixed several things with S&D, now only appear on the scan "windows active desktop", I think it's not necesseray to fix.
Here are the problems I have :
* Pop-ups appears, in the "historique" tab of MSIE, I can see that it comes from url "http://ad.firstadsolution.com" and the complete url seems to be "http://ad.firstadsolution.com/click,AAAAAFQuAABI.wAAjCEAAAAAAAAAAA4AA.8CDAEIAAK1NQAA1jcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALruMEQAAAAA,,"
* Times to times, the mouse-pointer appear as "waiting" for several seconds, I don't know why...
* I've tried to click on the link to download Hijackthis in the top thread of this forum : Window open and immediately close ! I've downloaded it by copying the url and paste it in the address bar.
* My computer shut down and restart alone.

The log file is as follow.
I'me under Antivirus/Firewall updated daily : Securitoo-F-secure.
Winpower is my security power supply.
Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 13:00:56, on 03/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\FSGK32.EXE
C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
C:\Program Files\Securitoo\av_fw\Common\FSMB32.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Securitoo\av_fw\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\Securitoo\av_fw\Common\FAMEH32.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fssm32.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsav32.exe
C:\PROGRA~1\UpsPilot\hello21.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Securitoo\av_fw\backweb\8520111\Program\fspex.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Securitoo\av_fw\FSGUI\fsguiexe.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\StripSaver2\StripSaver2.exe
C:\Program Files\Vg\VirtuaGirl2.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ycomp/defaults/sp/*http://fr.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ycomp/defaults/su/*http://fr.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E8A2089-AA52-8D59-C187-418FF221EFD4} - C:\DOCUME~1\ARGENCE\APPLIC~1\PROGRA~1\bows platform.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CIEObject Object - {5D647E9C-6B37-4636-9A78-DADB1EB93BDF} - C:\WINNT\ctxpopup.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Subsys] "C:\WINNT\system32\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Sin Espias] C:\Program Files\SinEspias\No-Spy.exe /autorun
O4 - HKLM\..\Run: [stnospy] C:\Program Files\SinEspias\no-spy.exe /autorun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\av_fw\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Securitoo\av_fw\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FiveHeart1Proc] C:\Documents and Settings\All Users\Application Data\Doeswindowfiveheart\drive stop.exe
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\RunServices: [Windows Subsys] "C:\WINNT\system32\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BlueFunk] C:\DOCUME~1\ARGENCE\APPLIC~1\SIXTHS~1\Pile User Error.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: StripSaver2.lnk = C:\Program Files\StripSaver2\StripSaver2.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Search - http://kx.bar.need2find.com/KX/menusearch.html?p=KX
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://www.1-click.com/common/files/installer-hidden-test.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} - http://ip.sponsoradulto.com/cab/3/fr/SysWebTelecomInt.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - https://www.cuworld.com/PIC/inner_pic/packages/liveupdate.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/119988efc736e7c0a018/netzip/RdxIE601_fr.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://vztxcisccpro.compaq.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B5F016CF-23D9-40BC-B16A-2919C0886DD8} (NavolX Contrôle) - http://nsol.nordnet.fr/navol/navol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A4E5100-F89E-457B-9B12-9800EE4287DA}: NameServer = 194.158.64.9 194.158.64.10
O20 - Winlogon Notify: winmok32 - C:\WINNT\SYSTEM32\winmok32.dll
O23 - Service: ADSLAutoconnect - Unknown owner - C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe" -z (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Securitoo Antivirus Firewall (BackWeb Plug-in - 8520111) - Unknown owner - C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - C:\Program Files\Pointdev\Ideal Administration\IACtrl.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: Bosco - Module Esclave (slave) - Unknown owner - C:\Program Files\Bosco\slave.exe
O23 - Service: Winpower - Zero G - C:\PROGRA~1\UpsPilot\Winpower.exe

LonnyRJones
2006-04-07, 08:02
In addremove programs uninstall these programs if listed, always reboot when prompted.
Search Plugin
StripSaver2
VirtuaGirl2
Spyware Nuker

I am unsure of this program
C:\Program Files\SinEspias\no-spy.exe

Restart your PC, post back with another Hijackthis log

david-andorra
2006-04-07, 10:50
Hi Lonny,
I've done all that. Find the Hijackthis log as follow.
Thank you for appreciated help!

Logfile of HijackThis v1.99.1
Scan saved at 09:49:48, on 07/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\FSGK32.EXE
C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
C:\Program Files\Securitoo\av_fw\Common\FSMB32.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Securitoo\av_fw\Common\FCH32.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Securitoo\av_fw\Common\FAMEH32.EXE
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fssm32.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsav32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Securitoo\av_fw\backweb\8520111\Program\fspex.exe
C:\PROGRA~1\UpsPilot\hello21.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Securitoo\av_fw\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ycomp/defaults/sp/*http://fr.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ycomp/defaults/su/*http://fr.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CIEObject Object - {5D647E9C-6B37-4636-9A78-DADB1EB93BDF} - C:\WINNT\ctxpopup.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Subsys] "C:\WINNT\system32\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\av_fw\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Securitoo\av_fw\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Windows Subsys] "C:\WINNT\system32\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Search - http://kx.bar.need2find.com/KX/menusearch.html?p=KX
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://www.1-click.com/common/files/installer-hidden-test.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} - http://ip.sponsoradulto.com/cab/3/fr/SysWebTelecomInt.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - https://www.cuworld.com/PIC/inner_pic/packages/liveupdate.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/119988efc736e7c0a018/netzip/RdxIE601_fr.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://vztxcisccpro.compaq.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B5F016CF-23D9-40BC-B16A-2919C0886DD8} (NavolX Contrôle) - http://nsol.nordnet.fr/navol/navol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A4E5100-F89E-457B-9B12-9800EE4287DA}: NameServer = 194.158.64.9 194.158.64.10
O20 - Winlogon Notify: winmok32 - winmok32.dll (file missing)
O23 - Service: ADSLAutoconnect - Unknown owner - C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe" -z (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Securitoo Antivirus Firewall (BackWeb Plug-in - 8520111) - Unknown owner - C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - C:\Program Files\Pointdev\Ideal Administration\IACtrl.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: Bosco - Module Esclave (slave) - Unknown owner - C:\Program Files\Bosco\slave.exe
O23 - Service: Winpower - Zero G - C:\PROGRA~1\UpsPilot\Winpower.exe

LonnyRJones
2006-04-07, 14:43
Start Hijackthis and place a check next to these items If there.
R3 - Default URLSearchHook is missing
O2 - BHO: CIEObject Object - {5D647E9C-6B37-4636-9A78-DADB1EB93BDF} - C:\WINNT\ctxpopup.dll (file missing)
O4 - HKLM\..\Run: [Windows Subsys] "C:\WINNT\system32\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
O4 - HKLM\..\RunServices: [Windows Subsys] "C:\WINNT\system32\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
O8 - Extra context menu item: &Search - http://kx.bar.need2find.com/KX/menusearch.html?p=KX
O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://www.1-click.com/common/files/...idden-test.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab
O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} - http://ip.sponsoradulto.com/cab/3/fr...TelecomInt.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/119988ef...dxIE601_fr.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O20 - Winlogon Notify: winmok32 - winmok32.dll (file missing)
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:
http://metallica.geekstogo.com/BFUonlinescript.jpg
Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/collectora.bfu
Execute the script by clicking the Execute button.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Post a fresh hijackthis log please, be sure to mention any current problems.



Did you install "remote task manager"

david-andorra
2006-04-07, 16:09
All this done.
What is "remote task manager" ?
Is it something like "Startup manager" from INAC ?

Logfile of HijackThis v1.99.1
Scan saved at 15:08:27, on 07/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\FSGK32.EXE
C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
C:\Program Files\Securitoo\av_fw\Common\FSMB32.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Securitoo\av_fw\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\Securitoo\av_fw\Common\FAMEH32.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fssm32.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Securitoo\av_fw\backweb\8520111\Program\fspex.exe
C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsav32.exe
C:\PROGRA~1\UpsPilot\hello21.exe
C:\Program Files\Securitoo\av_fw\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ycomp/defaults/sp/*http://fr.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ycomp/defaults/su/*http://fr.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\av_fw\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Securitoo\av_fw\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - https://www.cuworld.com/PIC/inner_pic/packages/liveupdate.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://vztxcisccpro.compaq.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B5F016CF-23D9-40BC-B16A-2919C0886DD8} (NavolX Contrôle) - http://nsol.nordnet.fr/navol/navol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A4E5100-F89E-457B-9B12-9800EE4287DA}: NameServer = 194.158.64.9 194.158.64.10
O23 - Service: ADSLAutoconnect - Unknown owner - C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe" -z (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Securitoo Antivirus Firewall (BackWeb Plug-in - 8520111) - Unknown owner - C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - C:\Program Files\Pointdev\Ideal Administration\IACtrl.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: Bosco - Module Esclave (slave) - Unknown owner - C:\Program Files\Bosco\slave.exe
O23 - Service: Winpower - Zero G - C:\PROGRA~1\UpsPilot\Winpower.exe

LonnyRJones
2006-04-07, 16:14
This program ?
C:\Program Files\Remote Task Manager

Scan with hijackthis and fix this item
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
=========


Post a report from this free online scan, Please.
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.

david-andorra
2006-04-07, 19:06
Sorry, the Online Panda's scan took a long time and found a lot of things.
The document is as follow (multiple post because too much long)


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\ARGENCE\Favoris\Antivirus Test Online.url
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\MediaLoads
Adware:adware/ist.istbar Not disinfected C:\PROGRAM FILES\FICHIERS COMMUNS\Totem Shared
Adware:adware/cws Not disinfected C:\Documents and Settings\ARGENCE\Favoris\Fun & Games
Adware:adware/delfinmedia Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected HKEY_CURRENT_USER\SOFTWARE\NEED2FIND
Spyware:spyware/clipgenie Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM
Adware:adware/ncase Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@112.2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@burstnet[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@c.goclick[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@c3.gostats[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@dist.belnk[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@errorsafe[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@fe.lea.lycos[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@fe.lea.lycos[2].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@fl01.ct2.comclick[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@gostats[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@go[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@hotlog[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@microsofteup.112.2o7[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@outster[1].txt
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@research-int[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@searchportal.information[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@spylog[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@stats1.reliablestats[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@toplist[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@weborama[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@www.advnt01[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@www.errorsafe[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@www.myaffiliateprogram[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@xiti[2].txt

david-andorra
2006-04-07, 19:07
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@yadro[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[.xiti.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ARGENCE\Application Data\Mozilla\Firefox\Profiles\mri3odbu.default\cookies.txt[]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ARGENCE\Bureau\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ARGENCE\Bureau\smitRem.exe[Process.exe]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@112.2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@burstnet[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@c.goclick[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@c3.gostats[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@dist.belnk[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@errorsafe[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@fe.lea.lycos[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@fe.lea.lycos[2].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@fl01.ct2.comclick[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@gostats[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@go[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@hotlog[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@microsofteup.112.2o7[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@outster[1].txt
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@research-int[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@searchportal.information[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@spylog[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@stats1.reliablestats[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@toplist[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@weborama[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@www.advnt01[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@www.errorsafe[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@www.myaffiliateprogram[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@xiti[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\ARGENCE\Cookies\argence@yadro[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\ARGENCE\Local Settings\Temp\Cookies\argence@xiti[1].txt

david-andorra
2006-04-07, 19:08
Virus:Exploit/CreatetxtRange Disinfected C:\Documents and Settings\ARGENCE\Local Settings\Temporary Internet Files\Content.IE5\279S1L2E\ALERT[2].0TML
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\ARGENCE\Local Settings\Temporary Internet Files\Content.IE5\279S1L2E\CNT8[1].0TM
Spyware:Spyware/AdClicker Not disinfected C:\Documents and Settings\ARGENCE\Menu Démarrer\Programmes\Startup\ADOBE GAMMA LOADER.0XE
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Fichiers communs\Totem Shared\Update\Distribution.dll.045
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Fichiers communs\Totem Shared\Update\Distribution.dll.046
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Fichiers communs\Totem Shared\Update\Music.dll.022
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Fichiers communs\Totem Shared\Update\Windows.dll.072
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Fichiers communs\Totem Shared\Update\WindowsEx.dll.041
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Fichiers communs\Totem Shared\Update\WindowsEx.dll.042
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:Adware/Medload Not disinfected C:\Program Files\MediaLoads\v1\ML.exe
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AC5.tmp
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AC6.tmp
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-1409082233-1383384898-1343024091-1000\Dc10.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Telechargement\3d\Discreet_3DS_Max_v7.0.0ip[crack.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\Telechargement\3d\Discreet_3DS_Max_v7.0_by_Paradox.0ip[crack.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\Telechargement\crack-photoshop\Adobe_Photoshop_v7.01.0ip[crack.exe]
Hacktool:HackTool/Flood Not disinfected C:\Telechargement\KENOBI\Kenobi_v3_Fix_for_4.5ocx\Kenobi_Script_V3.0_FIX\nHTMLn_2.92.dll
Hacktool:HackTool/Flood Not disinfected C:\Telechargement\KENOBI\Kenobi_v3_Fix_for_4.5ocx\Kenobi_Script_V3.0_FIX\vincula\nHTMLn_2.92.dll
Hacktool:HackTool/Flood Not disinfected C:\Telechargement\KENOBI\Kenobi_v3_Fix_for_4.5ocx.zip[nHTMLn_2.92.dll]
Hacktool:Nuker/NukeAttack Not disinfected C:\Telechargement\NUK\nuke attak.0ip[nuke attac.exe]
Hacktool:HackTool/Flood Not disinfected C:\Telechargement\vincula48full.exe[nHTMLn_2.92.dll]
Hacktool:HackTool/Flood Not disinfected C:\unzipped\TRIVIA\Trivia\nHTMLn_2.92.dll
Spyware:Cookie/fe.lea.lycos Not disinfected C:\WINNT\Cookies\argence@fe.lea.lycos[1].txt
Spyware:Cookie/Xiti Not disinfected C:\WINNT\Cookies\argence@xiti[1].txt
Potentially unwanted tool:Application/SpyAnywhere.A Not disinfected C:\WINNT\libimg.dll
Virus:Trj/Agent.BSY Disinfected C:\WINNT\system32\AdServ.0ll
Adware:Adware/SecurityError Not disinfected C:\WINNT\system32\MSSEARCHNET.0XE
Adware:Adware/IGetNet Not disinfected C:\WINNT\system32\NLNP13.dll
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\WINNT\system32\psexec.exe
Potentially unwanted tool:Application/Spyagent.A Not disinfected C:\WINNT\system32\sysmon32i.dll
Virus:Trj/Agent.BSY Disinfected C:\WINNT\system32\winmok32.0ll
Virus:VBS/Help Disinfected Dossiers locaux\SDF - contrib-archives\Therese PACA-070\~0000003.~
Virus:VBS/Help Disinfected Dossiers locaux\SDF - contrib-archives\3 photos\~0000003.~
Virus:W32/Mydoom.M.worm Disinfected Dossiers locaux\lments supprims\Returned mail: Data format error\message.zip[message.pif]
Virus:W32/Netsky.P.worm

---
End of the 3rd and last page of Panda ActiveScan
---

david-andorra
2006-04-07, 19:11
Sorry I forgot
C:\Program Files\Remote Task Manager

Yes, I get it as "evaluation expired". I don't know what it is and how/when I got that !

LonnyRJones
2006-04-07, 23:22
Well uninstall it via addremove programs, also uninstall Kazaa and anything you downloaded with it asap.

david-andorra
2006-04-07, 23:33
I did, please have a look :

Logfile of HijackThis v1.99.1
Scan saved at 22:36:03, on 07/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\FSGK32.EXE
C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
C:\Program Files\Securitoo\av_fw\Common\FSMB32.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Securitoo\av_fw\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\Securitoo\av_fw\Common\FAMEH32.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fssm32.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Securitoo\av_fw\backweb\8520111\Program\fspex.exe
C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsav32.exe
C:\PROGRA~1\UpsPilot\hello21.exe
C:\Program Files\Securitoo\av_fw\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://fr.rd.yahoo.com/customize/ycomp/defaults/sp/*http://fr.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ycomp/defaults/su/*http://fr.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\av_fw\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Securitoo\av_fw\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - https://www.cuworld.com/PIC/inner_pic/packages/liveupdate.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://vztxcisccpro.compaq.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B5F016CF-23D9-40BC-B16A-2919C0886DD8} (NavolX Contrôle) - http://nsol.nordnet.fr/navol/navol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A4E5100-F89E-457B-9B12-9800EE4287DA}: NameServer = 194.158.64.9 194.158.64.10
O23 - Service: ADSLAutoconnect - Unknown owner - C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe" -z (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Securitoo Antivirus Firewall (BackWeb Plug-in - 8520111) - Unknown owner - C:\PROGRA~1\SECURI~2\av_fw\backweb\8520111\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\backweb\8520111\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
O23 - Service: IA Analysing v2.0 (IACtrl) - Unknown owner - C:\Program Files\Pointdev\Ideal Administration\IACtrl.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Bosco - Module Esclave (slave) - Unknown owner - C:\Program Files\Bosco\slave.exe
O23 - Service: Winpower - Zero G - C:\PROGRA~1\UpsPilot\Winpower.exe

LonnyRJones
2006-04-07, 23:46
Delete your cookies and temporary files in Internet explorer and Firefox

Manualy delete these files and folders
C:\Documents and Settings\ARGENCE\Favoris\Antivirus Test Online.url
C:\PROGRAM FILES\MediaLoads
C:\WINNT\system32\MSSEARCHNET.0XE
C:\WINNT\system32\NLNP13.dll
C:\WINNT\libimg.dll
C:\Telechargement
C:\Program Files\Fichiers communs\Totem Shared

Lets get another opinion to
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.

david-andorra
2006-04-08, 02:22
The result of Kasperksy is about 23 posts (459319 characters)... Are you sure you want me to post it here ? Maybe easier to send it by e-mail ? Tell me I will do.

LonnyRJones
2006-04-08, 02:26
You could Send it to submitlonny AT subratam.org
Replace AT and spaces with @

Or edit the log, items in C:\system volume information and any item in temps or temporary internet files, no need to see those, then it should be small enough to post

david-andorra
2006-04-08, 02:30
Sorry, I try it again without "Scan Archives - scan files inside archives" and "Scan Mail Bases - scan e-mails/attachments inside mail base files".
I'll be back !

david-andorra
2006-04-08, 03:24
Once again, it take time... I'm going to bed and hope to read you soon.
Could you please tell me what there was ? Terrific ?

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 08, 2006 2:26:04 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/04/2006
Kaspersky Anti-Virus database records: 186898
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 126960
Number of viruses found: 15
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 00:51:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ARGENCE\Menu Démarrer\Programmes\Startup\ADOBE GAMMA LOADER.0XE Infected: Trojan-Clicker.Win32.VB.la skipped
C:\inky\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\SyllabiK\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Trivia Bot 2004 v2.3\TriviaBot.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AC5.tmp Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1AC6.tmp Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.b skipped
C:\ThunderScRipT_v5\Systeme\dll\Procs.dll Infected: not-a-virus:RiskTool.Win32.PsKill.b skipped
C:\ThunderScRipT_v5\ThunderScRipT v5.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Trivia\Trivia bot\WQuizz.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
C:\Trivia Bot 2004 v2.3\TriviaBot.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\unzipped\TRIVIA\Trivia\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
C:\unzipped\TRIVIA\Trivia\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
C:\WINNT\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
C:\WINNT\system\Update_Hosts.DLL Infected: not-a-virus:AdWare.Win32.IGetNet.e skipped
C:\WINNT\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\system32\NVCTRL.0XE Infected: Trojan-Downloader.Win32.Zlob.js skipped
C:\WINNT\system32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\system32\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\WINNT\system32\sysmon32i.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
C:\WINNT\temp\ASHeuristic\Dc10_exe.vir Infected: Trojan-Downloader.Win32.Small.cqj skipped
C:\wquizz16\WQuizz.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped

Scan process completed.

LonnyRJones
2006-04-08, 05:49
Manualy delete
C:\WINNT\system\Update_Hosts.DLL
C:\WINNT\system32\NVCTRL.0XE
C:\WINNT\temp < delete cotents

The others in that report are your choice, Kaspersky is touchy Mirc for example but you might uninstall RemoteAdmin /Radmin, unless you use it.

david-andorra
2006-04-08, 11:56
Hello,

It's done. What should I do now ? What was it, can you give me a report of what we did ?

David

LonnyRJones
2006-04-08, 15:49
The main cupret was LOP, and the use of filesharring
O4 - HKLM\..\Run: [FiveHeart1Proc] C:\Documents and Settings\All Users\Application Data\Doeswindowfiveheart\drive stop.exe
O2 - BHO: (no name) - {4E8A2089-AA52-8D59-C187-418FF221EFD4} - C:\DOCUME~1\ARGENCE\APPLIC~1\PROGRA~1\bows platform.exe
================
Which usualy gets installed along with some so called freeware
More info, http://www.spywareinfo.com/articles/lop/

david-andorra
2006-04-08, 17:30
Thank you for your care, time, and help.

David.

LonnyRJones
2006-04-09, 06:27
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.


Regards
Lonny